
For Azure AD Auditing

Before you start creating a monitoring plan to audit your Azure AD, plan for the account that will be used for data collection – it should meet the requirements listed below. Then you will provide this account in the monitoring plan wizard.

To collect audit data in your Azure AD environment, Netwrix creates a dedicated cloud application in the tenant. The account under which it is created (the data collecting account) needs privileged directory roles for that one-time step only. Once the application exists and the initial data collection has completed, you can remove the privileged roles from the account and run ongoing data collection with a less-privileged role.

To...                                                            Requirement

Create the cloud application and run the initial data collection
  Any of the following role combinations:
    • Application Administrator AND Privileged Role Administrator
    • Cloud Application Administrator AND Privileged Role Administrator
    • Global Administrator
  See Assigning Azure AD Administrative Roles for more information.

Collect audit data (without logons)
  Any of the following roles:
    • Security Reader
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator

Collect audit data, including Successful Logons and/or Failed Logons
  1. The account requires an Azure Active Directory Premium Plan 1 (P1) or Plan 2 (P2) license.
  2. Any of the following roles:
    • Security Reader
    • Security Administrator
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator

Initial data collection

  • The account must hold one of the privileged role combinations from the table above while Netwrix creates the cloud application and runs the first data collection.

After the initial data collection

  • The privileged roles can be revoked from the data collecting account. Ongoing audit data collection uses the Office 365 Management APIs access permission granted to the cloud application, and therefore requires no tenant-level or site-level permissions on the account itself. Assign one of the non-privileged roles to the account (for example, Security Reader, the least-privileged role in the table). See Assigning 'Security Administrator' or 'Security Reader' Role for more information.
  • To audit Successful and/or Failed Logons, the data collecting account must still have an Azure Active Directory Premium Plan 1 (P1) or Plan 2 (P2) license.

NOTE: Accounts with multi-factor authentication are not supported. Because the account cannot be protected with MFA, keep it dedicated to Netwrix data collection, and revoke the privileged roles as soon as the initial collection completes.
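The two-phase role handling described above (privileged roles for creating the cloud application, a single least-privileged role afterwards) can be driven and verified from PowerShell. The script below is an added example and is not part of the Netwrix documentation or product. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, that the operator running it holds a role that may assign directory roles, and that the account name is a placeholder. The function names, the choice of Cloud Application Administrator plus Privileged Role Administrator as the initial pair (one of the combinations in the table), and the use of the AAD_PREMIUM / AAD_PREMIUM_P2 service plan names to detect a P1/P2 license are the example's own.

```powershell
# Added example (not Netwrix code): assign, revoke and audit the Azure AD roles
# of the Netwrix data collecting account with the Microsoft Graph PowerShell SDK.
# Usage:  .\Set-CollectorRoles.ps1 -Phase Initial   (before the first collection)
#         .\Set-CollectorRoles.ps1 -Phase Ongoing   (after it completed)
#         .\Set-CollectorRoles.ps1                  (audit only)
param(
    [ValidateSet('Initial', 'Ongoing', 'Audit')]
    [string]$Phase = 'Audit'
)

$CollectorUpn = 'netwrix-collector@contoso.onmicrosoft.com'   # placeholder account

# Role names as they appear on this page. The first pair is needed only while the
# cloud application is created; Security Reader is the least-privileged ongoing role.
$InitialRoles    = @('Cloud Application Administrator', 'Privileged Role Administrator')
$OngoingRole     = 'Security Reader'
$PrivilegedRoles = @('Global Administrator', 'Privileged Role Administrator',
                     'Application Administrator', 'Cloud Application Administrator',
                     'Security Administrator')

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

# A directory role can only take members after it has been activated from its template.
function Get-ActivatedRole {
    param([string]$DisplayName)
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $DisplayName
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq $DisplayName
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = New-MgDirectoryRole -BodyParameter @{ roleTemplateId = $template.Id }
    }
    return $role
}

# Directory roles the user currently holds (memberOf also returns groups; keep only roles).
function Get-CollectorRoleNames {
    param([string]$UserId)
    Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties.displayName }
}

function Add-CollectorRole {
    param([string]$UserId, [string]$RoleName)
    $role = Get-ActivatedRole -DisplayName $RoleName
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $UserId) { return }          # already a member; adding again errors
    $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $ref
}

function Remove-CollectorRole {
    param([string]$UserId, [string]$RoleName)
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $RoleName
    if ($role) {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $UserId
    }
}

# Logon auditing needs Azure AD Premium P1 (AAD_PREMIUM) or P2 (AAD_PREMIUM_P2); the plan may
# be assigned directly or arrive inside a bundle, so inspect the provisioned service plans.
function Test-PremiumLicense {
    param([string]$UserId)
    $plans = Get-MgUserLicenseDetail -UserId $UserId | ForEach-Object { $_.ServicePlans }
    [bool]($plans | Where-Object {
        $_.ServicePlanName -in @('AAD_PREMIUM', 'AAD_PREMIUM_P2') -and
        $_.ProvisioningStatus -eq 'Success'
    })
}

$user = Get-MgUser -UserId $CollectorUpn

switch ($Phase) {
    'Initial' {
        foreach ($r in $InitialRoles) { Add-CollectorRole -UserId $user.Id -RoleName $r }
    }
    'Ongoing' {
        # Grant the least-privileged role first so collection never runs with no role at all,
        # then revoke what was only needed to create the cloud application.
        Add-CollectorRole -UserId $user.Id -RoleName $OngoingRole
        foreach ($r in $InitialRoles) { Remove-CollectorRole -UserId $user.Id -RoleName $r }
    }
}

# Report the resulting role set and flag privilege that outlived the initial collection.
$held = @(Get-CollectorRoleNames -UserId $user.Id)
"Roles held by $CollectorUpn : $($held -join ', ')"
$leftover = @($held | Where-Object { $_ -in $PrivilegedRoles })
if ($Phase -ne 'Initial' -and $leftover.Count -gt 0) {
    Write-Warning "Privileged roles still assigned after initial collection: $($leftover -join ', ')"
}
if (-not (Test-PremiumLicense -UserId $user.Id)) {
    Write-Warning 'No Azure AD Premium P1/P2 service plan on the account: Successful/Failed Logons cannot be collected.'
}
```

Run it with `-Phase Initial` before creating the monitoring plan, with `-Phase Ongoing` once the first collection has finished, and with no arguments afterwards as a periodic check that the account has not silently regained a privileged role. The audit step is the part worth scheduling: the account is excluded from MFA, so any role it holds beyond Security Reader is standing privilege with weak authentication in front of it.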
