Accessing Azure AD using basic authentication

With basic authentication, your Azure AD organization is accessed on behalf of a user. You need to provide the user name and password in the monitored item properties. Netwrix Auditor uses this account to access the Azure AD organization, automatically create an Azure AD app with the required permissions, and perform the initial data collection. For that, the user account needs an administrative role in the cloud-based infrastructure.

Further permission assignment will depend on the data you plan to collect:

  • To collect activity data including logon attempts, the administrative role is still needed. Also, the Azure AD user account must have a Premium Plan license. See the next section for details.
  • To collect activity data without logons, the privileged role can be revoked from the specified account after the initial data collection. Ongoing audit data collection uses the Microsoft API access permissions granted to the Azure AD app and, therefore, requires no tenant-level administrative permissions.

Required roles and permissions

To: Create Azure AD application and run initial data collection

Requirement: Any of the following role combinations:

  • Application Administrator & Privileged Role Administrator
  • Cloud Application Administrator & Privileged Role Administrator
  • Global Administrator

Comment: Prepare a user account and specify it in the monitored item properties. See Assigning a Privileged Role for Azure AD and Office 365 and Office 365 Tenant.

To: Collect audit data, including Successful Logons and/or Failed Logons

Requirement:

  1. The cloud tenant requires an Azure Active Directory Premium Plan 1 or Azure Active Directory Premium Plan 2 license plan for Azure.
  2. Any of the following roles:
     • Security Reader
     • Security Administrator
     • Application Administrator
     • Cloud Application Administrator
     • Global Administrator

Comment: To assign the non-privileged role, see Assigning 'Security Administrator' or 'Security Reader' Role.

To: Collect audit data (without logons)

Requirement: Any of the following roles:

  • Security Reader
  • Application Administrator
  • Cloud Application Administrator
  • Global Administrator

Comment: Assign the role you need, as explained above.

Example

This example shows how to instruct Netwrix Auditor to collect audit data from the Azure AD tenant corp.onmicrosoft.com with basic authentication. It assumes that:

  • You have prepared an Azure AD account itadmin@corp.onmicrosoft.com with the Global Administrator privileged role
  • Audit data on logon attempts does not need to be collected

Do the following:

  1. Create a monitoring plan for Azure AD domain.
  2. Proceed with adding a monitored item — Office 365 tenant. On the General tab, select Basic authentication as a method that will be used when accessing Office 365 services.

  3. Enter User name and Password for the privileged account; use any of the following formats: user@domain.com or user@domain.onmicrosoft.com. For this example: itadmin@corp.onmicrosoft.com

    NOTE: Make sure this user account has sufficient access rights.

  4. The Tenant name field will then be filled in automatically.
  5. Click Add.
  6. Wait for the initial data collection to complete.
  7. After that, you can use the Azure AD management portal to revoke this privileged role and assign one of the non-privileged roles instead (for example, Security Reader).
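Step 7 can be scripted instead of done in the portal. The following Microsoft Graph PowerShell script is an added example, not part of the Netwrix documentation; it assumes the Microsoft.Graph module is installed, that you sign in as a user allowed to manage role assignments, and that the account is the itadmin@corp.onmicrosoft.com from this example. It grants Security Reader first and removes Global Administrator only afterwards, so the collector never ends up with no role at all.

```powershell
# Added example: step the data-collecting account down from Global Administrator
# to Security Reader once the initial data collection has completed.
param(
    [string]$Upn        = "itadmin@corp.onmicrosoft.com",  # account from the example above
    [string]$RevokeRole = "Global Administrator",
    [string]$AssignRole = "Security Reader"
)

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" | Out-Null

# Role membership in Graph is keyed by object id, so resolve the UPN first.
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# Get-MgDirectoryRole lists only roles already activated in the tenant; a role
# that has never been assigned must be activated from its template first.
function Get-OrActivateRole([string]$DisplayName) {
    $role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $role) {
        $tpl  = Get-MgDirectoryRoleTemplate -All | Where-Object { $_.DisplayName -eq $DisplayName }
        $role = New-MgDirectoryRole -RoleTemplateId $tpl.Id
    }
    return $role
}

function Test-RoleMember($Role, [string]$UserId) {
    return [bool](Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All |
        Where-Object { $_.Id -eq $UserId })
}

$target     = Get-OrActivateRole $AssignRole
$privileged = Get-OrActivateRole $RevokeRole

# 1. Grant the non-privileged role before touching the privileged one.
if (-not (Test-RoleMember $target $user.Id)) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $target.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
}

# 2. Revoke the privileged role that was only needed to register the Azure AD app.
if (Test-RoleMember $privileged $user.Id) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $privileged.Id -DirectoryObjectId $user.Id
}

# 3. Report the final state so the change can be verified before the next collection.
[pscustomobject]@{
    Account          = $user.UserPrincipalName
    HasAssignedRole  = Test-RoleMember $target $user.Id
    StillHasRevoked  = Test-RoleMember $privileged $user.Id
}
```

Run it after step 6 has finished; the final object should show HasAssignedRole as True and StillHasRevoked as False.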

See also Office 365 Tenant.

NOTE: Remember that to audit Successful and/or Failed Logons, the data collecting account must have Azure Active Directory Premium Plan 1 or Azure Active Directory Premium Plan 2 license.