When first creating a monitoring plan for Azure AD or Office 365 auditing, you need to specify the account assigned the Global Administrator role. This role is required to create a dedicated application in your Azure AD domain.
NOTE: Accounts with multi-factor authentication enabled are not supported in either scenario.
Depending on your company's security policies, select one of the following options:
- Assign the Global Administrator role to an account for initial data collection only, and remove the role once that collection completes. In this case you need to assign additional roles to this account (Security Reader or Security Administrator) if you want to audit Successful and / or Failed Logons. Netwrix recommends this option: the account holds the Global Administrator role only for the duration of the initial data collection, which is easier to reconcile with your organization's security policies.
- Use an account that is assigned the Global Administrator role on a regular basis. No additional role assignments are required. When choosing this option, contact your security administrator to avoid violating your organization's security policy.
To prepare the data collecting account, do the following:
- Sign in to the Azure AD portal using your Microsoft account.
- Select Azure Active Directory on the left.
- Select an account that you want to use as Data Collecting Account for Azure AD or create a new user.
- Make sure you disabled multi-factor authentication for this account.
- Expand the Directory role and select Global administrator.
NOTE: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as Company Administrator.
- Click Ok.
- In Netwrix Auditor, create a monitoring plan for auditing Azure AD and specify this account on the Specify the account for collecting data step.
See Create a New Plan in the Netwrix Auditor Administration Guide for detailed instructions on how to create a monitoring plan.
- Wait until initial data collection completes.
- Open the Azure AD portal and remove the Global administrator role from the account (if you chose to grant the role for initial data collection only). Verify afterwards that the account no longer appears among the role's members.
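The same procedure can be scripted with the Azure AD PowerShell module, which is useful when the temporary role assignment has to be auditable and reliably reverted. The script below is an added example, not Netwrix or Microsoft code: it assumes the (legacy) AzureAD module is installed, that the account running it is itself a Global Administrator, and that `auditor-svc@contoso.onmicrosoft.com` is a placeholder for your data collecting account. It matches the role by its well-known role template ID rather than by display name, because, as the NOTE above says, the module may report the role as Company Administrator rather than Global Administrator.

```powershell
# Added example (not Netwrix or Microsoft documentation code). Grants Global Administrator
# to the data collecting account for the initial collection, removes it afterwards, and
# then assigns Security Reader for ongoing logon auditing (option 1 above).
param(
    # Assumption: placeholder UPN of the data collecting account
    [string]$CollectorUpn = 'auditor-svc@contoso.onmicrosoft.com'
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

# Well-known role template ID of Global Administrator (shown as "Company Administrator"
# by older versions of the AzureAD module).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-ActivatedRole {
    # Returns the tenant's directory role for a template, activating it first if it
    # has never been used in this tenant (Get-AzureADDirectoryRole only lists active roles).
    param([string]$TemplateId, [string]$DisplayName)
    $role = Get-AzureADDirectoryRole | Where-Object {
        ($TemplateId -and $_.RoleTemplateId -eq $TemplateId) -or
        ($DisplayName -and $_.DisplayName -eq $DisplayName)
    }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object {
            ($TemplateId -and $_.ObjectId -eq $TemplateId) -or
            ($DisplayName -and $_.DisplayName -eq $DisplayName)
        }
        if (-not $template) { throw "Role template not found: $TemplateId $DisplayName" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    return $role
}

function Test-RoleMember {
    # True if the user is currently a direct member of the given directory role.
    param($Role, $User)
    $members = Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectId
    return [bool]($members | Where-Object { $_.ObjectId -eq $User.ObjectId })
}

$user = Get-AzureADUser -ObjectId $CollectorUpn
$ga   = Get-ActivatedRole -TemplateId $GlobalAdminTemplateId

# Step 1: grant Global Administrator for the initial data collection.
if (-not (Test-RoleMember $ga $user)) {
    Add-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Granted Global Administrator to $CollectorUpn"
}
# MFA: the AzureAD module does not expose the per-user MFA setting; confirm in the
# portal that MFA is disabled for this account before running the initial collection.

Read-Host 'Create the monitoring plan in Netwrix Auditor and wait for the initial collection, then press Enter'

# Step 2: remove Global Administrator and verify the removal actually took effect.
Remove-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId -MemberId $user.ObjectId
if (Test-RoleMember $ga $user) { throw "Global Administrator is still assigned to $CollectorUpn" }
Write-Host "Removed Global Administrator from $CollectorUpn"

# Step 3: least-privilege role for auditing Successful / Failed Logons going forward.
$reader = Get-ActivatedRole -DisplayName 'Security Reader'
if (-not (Test-RoleMember $reader $user)) {
    Add-AzureADDirectoryRoleMember -ObjectId $reader.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Granted Security Reader to $CollectorUpn"
}
```

The check after `Remove-AzureADDirectoryRoleMember` is the part worth keeping even if you do the rest in the portal: a data collecting account that silently keeps Global Administrator is exactly the outcome the first option is meant to avoid. Use Security Administrator instead of Security Reader in step 3 only if your Netwrix Auditor version requires it for the logon data you collect.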