When configuring a monitored item for Azure AD or Office 365 auditing with basic authentication, you should specify the data collecting account that has sufficient privileges in Azure AD. In particular, it should be able to create a dedicated application in your Azure AD domain. Depending on your requirements and company policies, you can select one of the following approaches:
- Assign a privileged role (for example, Application Administrator & Privileged Role Administrator) to the account, then revoke it after the application creation and initial data collection, and assign a less-privileged role to this account (for example, Security Reader).
See the procedure below for details.
- Another approach is to use an account with a privileged role on a regular basis. No additional role assignments are necessary in this case. If this is your choice, contact your security administrator to make sure it does not violate the security policies of your organization.
IMPORTANT! If you used a non-privileged account for Azure AD data collection in Netwrix Auditor version 9.8 (or earlier), note that after the upgrade you will have to perform the role assignment procedure again, selecting one of these approaches. Until then, data collection will not be performed.
- Sign in to the Azure AD portal using your Microsoft account.
- Select Azure Active Directory on the left.
- Select the account that you want to use as data collecting account, or create a new user.
- Make sure you have disabled multi-factor authentication for this account.
- Expand Directory role and select the role you need (for example, Global admin or any other privileged role listed in the For Office 365 and Azure AD Auditing section).
NOTE: In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, the Global admin role is identified as Company Administrator.
- Click OK.
- In Netwrix Auditor, create a monitoring plan for auditing Azure AD and specify this account with this privileged role on the Specify the account for collecting data step.
Refer to Create a New Plan in the Netwrix Auditor Administration Guide for detailed instructions on how to create a monitoring plan.
- Wait until initial data collection completes.
- Open Azure AD portal and remove the privileged role from the account.
- Assign a less-privileged role to this account.
See also Assigning 'Security Administrator' or 'Security Reader' Role.
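The temporary-elevation approach described in the procedure above, scripted with the AzureAD PowerShell module as an added example (this is not Netwrix code and is not taken from the Netwrix documentation). It assumes the AzureAD module is installed, an administrator has already run Connect-AzureAD, and the account name in `$DataCollectorUpn` is a placeholder you replace with your own.

```powershell
# Added example, not part of the Netwrix documentation.
# Assumes: AzureAD module installed, Connect-AzureAD already run by an admin.
$DataCollectorUpn = 'netwrix-collector@contoso.example'   # placeholder account, replace with yours

function Get-OrEnableDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Get-AzureADDirectoryRole returns only roles already activated in the tenant;
    # a role that has never been used must first be enabled from its template.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $DisplayName }
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    return $role
}

function Set-CollectorRole {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [switch]$Remove
    )
    $user = Get-AzureADUser -ObjectId $Upn
    $role = Get-OrEnableDirectoryRole -DisplayName $RoleDisplayName
    $isMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
    if ($Remove) {
        if ($isMember) { Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId }
    } elseif (-not $isMember) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    }
    # Return the roles the account now holds, so the change can be verified and recorded.
    foreach ($r in Get-AzureADDirectoryRole) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId
        if ($members | Where-Object { $_.ObjectId -eq $user.ObjectId }) { $r.DisplayName }
    }
}

# Step 1: grant the privileged role before creating the monitoring plan.
# In AzureAD PowerShell the Global admin role is named 'Company Administrator'.
Set-CollectorRole -Upn $DataCollectorUpn -RoleDisplayName 'Company Administrator'

# ... create the monitoring plan in Netwrix Auditor and wait for initial data collection ...

# Step 2: revoke the privileged role and leave the account with Security Reader only.
Set-CollectorRole -Upn $DataCollectorUpn -RoleDisplayName 'Company Administrator' -Remove
Set-CollectorRole -Upn $DataCollectorUpn -RoleDisplayName 'Security Reader'
```

The list of role names returned after step 2 should contain only the less-privileged role; keep that output with your change record so the temporary elevation is accounted for.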