With basic authentication, Netwrix Auditor accesses your Azure AD organization on behalf of a user. You provide that user's name and password in the monitored item properties. Netwrix Auditor uses this account to sign in to the Azure AD organization, automatically create an Azure AD app with the required permissions, and perform the initial data collection. For this step the user account needs an administrative role in the tenant.
Further permission assignment depends on the data you plan to collect:
- To collect activity data including logon attempts, the administrative role is still needed, and the Azure AD user account must hold an Azure AD Premium plan license. See the next section for details.
- To collect activity data without logons, the privileged role can be revoked from the account after the initial data collection. Ongoing audit data collection uses the Microsoft API permissions granted to the Azure AD app and therefore requires no tenant-level administrative permissions for the user account.
Required roles and permissions

| Action | Required roles and permissions | Notes |
|---|---|---|
| Create Azure AD application and run initial data collection | Any of the following role combinations: | Prepare a user account and specify it in the monitored item properties. See Assigning a Privileged Role for Azure AD and Office 365 and Office 365 Tenant. |
| Collect audit data, including Successful Logons and/or Failed Logons | | To assign the non-privileged role, see Assigning 'Security Administrator' or 'Security Reader' Role. |
| Collect audit data (without logons) | Any of the following roles: | Assign the role you need, as explained above. |
This example shows how to configure Netwrix Auditor to collect audit data from the Azure AD tenant copr.onmicrosoft.com with basic authentication. It assumes that:
- You have prepared an Azure AD account firstname.lastname@example.org that holds the Global Administrator privileged role
- Audit data on logon attempts does not need to be collected
Do the following:
- Create a monitoring plan for the Azure AD domain.
- Proceed with adding a monitored item of the Office 365 tenant type. On the General tab, select Basic authentication as the method used to access Office 365 services.
- Enter the User name and Password of the privileged account prepared earlier. For this example: firstname.lastname@example.org
NOTE: Make sure this user account has sufficient access rights.
- The Tenant name field is then filled in automatically.
- Click Add.
- Wait for the initial data collection to complete.
- After that, use the Azure AD management portal to revoke the privileged role from this account and assign one of the non-privileged roles instead (for example, Security Reader).
See also Office 365 Tenant.
NOTE: Remember that to audit Successful and/or Failed Logons, the data collecting account must have Azure Active Directory Premium Plan 1 or Azure Active Directory Premium Plan 2 license.
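The last step of the procedure above (dropping the data-collecting account from Global Administrator to Security Reader once the initial collection has finished) and the licensing requirement from the note can also be done and verified from PowerShell instead of the portal. The script below is an added example written for this page; it is not Netwrix code and not part of the product. It assumes the Microsoft Graph PowerShell SDK is installed, that you sign in as an administrator who can manage directory roles, and that the UPN `firstname.lastname@example.org` and the role names are the ones used in the example above; the `-NeedLogonData` switch is a name chosen here to represent the "logons are audited" case, in which the privileged role must stay and the license check applies.

```powershell
# Added example, not Netwrix code. Moves the Netwrix data-collecting account from
# the privileged role to a non-privileged one after initial data collection, or,
# when logon data is audited, keeps the privileged role and checks the license.
# Requires the Microsoft.Graph PowerShell SDK; all names below are assumptions.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users
param(
    [string]$CollectorUpn   = 'firstname.lastname@example.org',  # assumed account
    [string]$PrivilegedRole = 'Global Administrator',
    [string]$TargetRole     = 'Security Reader',                 # or 'Security Administrator'
    [switch]$NeedLogonData                                       # set when Successful/Failed Logons are audited
)

# Role membership changes need RoleManagement.ReadWrite.Directory.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','User.Read.All','Directory.Read.All' | Out-Null

$user = Get-MgUser -UserId $CollectorUpn -Property Id,UserPrincipalName

# Built-in roles exist in a tenant only after they are activated from their template.
function Get-OrActivateDirectoryRole([string]$DisplayName) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$DisplayName'"
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    return $role
}

function Test-RoleMember([string]$RoleId, [string]$UserId) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId -All
    return [bool]($members | Where-Object Id -eq $UserId)
}

$priv   = Get-OrActivateDirectoryRole $PrivilegedRole
$target = Get-OrActivateDirectoryRole $TargetRole

if ($NeedLogonData) {
    # Logon auditing keeps the privileged role and needs Azure AD Premium P1 or P2.
    # Check the provisioned service plans rather than SKU names, so bundles that
    # include AAD Premium (for example E5 or EMS) are recognized too.
    $plans = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans |
             Where-Object { $_.ServicePlanName -like 'AAD_PREMIUM*' -and $_.ProvisioningStatus -eq 'Success' }
    if (-not $plans) {
        throw "$CollectorUpn has no provisioned Azure AD Premium P1/P2 plan; logon data cannot be collected."
    }
    Write-Host "Logon auditing requested: keeping '$PrivilegedRole'; license OK ($($plans.ServicePlanName -join ', '))."
    return
}

# No logon data: grant the non-privileged role first, then revoke the privileged one,
# so the collector is never left with no role at all between the two calls.
if (-not (Test-RoleMember $target.Id $user.Id)) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $target.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
}
if (Test-RoleMember $priv.Id $user.Id) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $priv.Id -DirectoryObjectId $user.Id
}

# Verify the end state: the account should hold only the non-privileged role.
[pscustomobject]@{
    User              = $user.UserPrincipalName
    HasPrivilegedRole = Test-RoleMember $priv.Id $user.Id     # expected: False
    HasTargetRole     = Test-RoleMember $target.Id $user.Id   # expected: True
}
```

Run the script only after the initial data collection in Netwrix Auditor has completed, since that step still needs the privileged role. If the account is a member of the privileged role through a group or a PIM eligible assignment rather than a direct assignment, `Remove-MgDirectoryRoleMemberByRef` will not remove it, and the final `HasPrivilegedRole` check will tell you so.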