When creating a monitoring plan for Azure AD or Office 365 auditing, you should specify the data collecting account that has sufficient privileges in Azure AD. In particular, it should be able to create a dedicated application in your Azure AD domain. Depending on your company's security policies, you can select one of the following approaches:
- Assign a privileged role (for example, Application Administrator & Privileged Role Administrator) to the account.
Remove it after the application creation and initial data collection, and assign a less-privileged role to this account (for example, Security Reader or Security Administrator).
See the procedure below for details.
- Another approach is to use the account with a privileged role on a regular basis. Any additional role assignments will not be necessary in this case.
If this is your choice, contact your security administrator to avoid violations of security policies in your organization.
Required roles are listed in For Azure AD Auditing.
Also, consider that to collect data on Successful Logons and/or Failed Logons, the account requires a sufficient license plan: Azure Active Directory Premium Plan 1 or Azure Active Directory Premium Plan 2.
NOTE: Accounts with multi-factor authentication are not supported in either scenario.
IMPORTANT! If you previously used a non-privileged account for Azure AD data collection in Netwrix Auditor version 9.8 (or earlier), note that after the upgrade to version 9.9 you must perform the role assignment procedure again, selecting one of these approaches. Until then, data collection will not be performed.
- Sign in to the Azure AD portal using your Microsoft account.
- Select Azure Active Directory on the left.
- Select the account that you want to use as Data Collecting Account for Azure AD, or create a new user.
- Make sure you have disabled multi-factor authentication for this account.
- Expand the Directory role and select the role you need (for example, Global administrator, or any other privileged role listed For Azure AD Auditing).
NOTE: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, the Global administrator role is identified as Company Administrator.
- Click Ok.
- In Netwrix Auditor, create a monitoring plan for auditing Azure AD and specify this account with this privileged role on the Specify the account for collecting data step.
Refer to Create a New Plan or the Netwrix Auditor Administration Guide for detailed instructions on how to create monitoring plans.
- Wait until initial data collection completes.
- Open the Azure AD portal and remove the privileged role from the account.
- Assign a less-privileged role to this account.
Review the following for additional information: Assigning 'Security Administrator' or 'Security Reader' Role
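As an added example (not part of the Netwrix documentation), the following read-only check uses the AzureAD PowerShell module to confirm that the role step-down in the procedure above took effect. The account name is a placeholder, the helper function name is hypothetical, and the role lists contain only the example roles named on this page, so extend them to match the roles you actually used.

```powershell
# Added example: read-only verification, makes no changes to the directory.
# Assumption: placeholder UPN for your data collecting account.
$Upn = 'auditor-svc@contoso.example'

# Roles this page names as privileged (temporary) and less-privileged (permanent).
# 'Company Administrator' is how Global administrator appears in Azure AD PowerShell.
$Privileged = 'Company Administrator', 'Global Administrator',
              'Application Administrator', 'Privileged Role Administrator'
$Expected   = 'Security Reader', 'Security Administrator'

# Hypothetical helper: classifies the role names assigned to the account.
function Get-RoleStepDownStatus {
    param(
        [string[]]$AssignedRoles,
        [string[]]$PrivilegedRoles,
        [string[]]$ExpectedRoles
    )
    # -contains is case-insensitive, so display-name casing does not matter.
    $left = @($AssignedRoles | Where-Object { $PrivilegedRoles -contains $_ })
    $ok   = @($AssignedRoles | Where-Object { $ExpectedRoles -contains $_ })
    [pscustomobject]@{
        PrivilegedStillAssigned = $left
        LessPrivilegedAssigned  = $ok
        StepDownComplete        = ($left.Count -eq 0 -and $ok.Count -gt 0)
    }
}

Connect-AzureAD | Out-Null
$user = Get-AzureADUser -ObjectId $Upn

# Get-AzureADDirectoryRole returns only activated roles; keep those
# whose member list includes the data collecting account.
$assigned = foreach ($role in Get-AzureADDirectoryRole) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $user.ObjectId) { $role.DisplayName }
}

$status = Get-RoleStepDownStatus -AssignedRoles $assigned `
    -PrivilegedRoles $Privileged -ExpectedRoles $Expected
$status | Format-List

if (-not $status.StepDownComplete) {
    Write-Warning "Account $Upn still holds a privileged role or lacks a less-privileged role."
}
```

Run it after initial data collection completes and again after any upgrade that requires repeating the role assignment, so the privileged role is not left in place.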