Before you start creating a monitoring plan to audit your Azure AD, plan for the account that will be used for data collection – it should meet the requirements listed below. Then you will provide this account in the monitoring plan wizard.
In the Cloud:
The account needs to be created as a Cloud-Only account.
Initial data collection
- When first configuring a monitoring plan for auditing an Azure AD domain, the account must be assigned the Global Administrator role in Azure AD (Company Administrator in Azure AD PowerShell terms). See Assigning Global Administrator Role for Azure AD and Office 365 Auditing for more information.
After the initial data collection
- The Global Administrator role can be removed from the collection account. (Ongoing audit data collection leverages granted Office 365 Management APIs access permission, and therefore requires no tenant-level or site-level permissions.)
If the Global Administrator role was removed from the account, and you plan to audit Successful and/or Failed Logons, assign one of the following roles to the account:
- Security Reader
- Security Administrator
- Also, to audit Successful and/or Failed Logons, the account must be assigned an Azure Active Directory Premium Plan 1 or Azure Active Directory Premium Plan 2 license.
NOTE: Accounts with multi-factor authentication are not supported.
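The following script is an added example (not part of the product documentation) that checks a collection account against the requirements above with the AzureAD PowerShell module: cloud-only status, current directory role membership, and the Premium license needed for logon auditing. It assumes the AzureAD module is installed and that the user principal name below is a placeholder for your own account.

```powershell
# Added verification script; the UPN is a placeholder, not a real account.
param([string]$CollectorUpn = 'netwrix-collector@contoso.onmicrosoft.com')

Connect-AzureAD | Out-Null
$user = Get-AzureADUser -ObjectId $CollectorUpn

# 1. Cloud-only: accounts synced from on-premises AD carry DirSyncEnabled = $true;
#    cloud-only accounts leave the property unset.
$cloudOnly = -not $user.DirSyncEnabled

# 2. Directory roles: list every activated role the account is a member of.
$roles = Get-AzureADDirectoryRole | Where-Object {
    (Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId).ObjectId -contains $user.ObjectId
} | Select-Object -ExpandProperty DisplayName

# Older tenants expose Global Administrator as "Company Administrator".
$isGlobalAdmin = ($roles -contains 'Company Administrator') -or ($roles -contains 'Global Administrator')
$hasLogonRole  = ($roles -contains 'Security Reader') -or ($roles -contains 'Security Administrator')

# 3. License: Azure AD Premium P1 (AAD_PREMIUM) or P2 (AAD_PREMIUM_P2) is required
#    to audit successful/failed logons.
$skus = (Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).SkuPartNumber
$hasPremium = ($skus -contains 'AAD_PREMIUM') -or ($skus -contains 'AAD_PREMIUM_P2')

[pscustomobject]@{
    Account             = $CollectorUpn
    CloudOnly           = $cloudOnly
    GlobalAdministrator = $isGlobalAdmin   # required only for initial data collection
    LogonAuditRole      = $hasLogonRole    # sufficient once Global Administrator is removed
    PremiumLicense      = $hasPremium
    ReadyForLogonAudit  = $cloudOnly -and ($isGlobalAdmin -or $hasLogonRole) -and $hasPremium
}
```

The script does not inspect multi-factor authentication settings, so the MFA restriction in the note above still has to be confirmed separately. Run it again after removing the Global Administrator role to confirm that only Security Reader or Security Administrator remains.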