Last Updated on March 26, 2022 by Ashok Kumar
As increasingly more organizations make the transition from their on-premises Active Directory environment to Azure AD and Microsoft 365, it has never been so important for them to have visibility into how their accounts and data are being accessed and used.
While it is true that most reputable cloud service providers have gone to great lengths to ensure that they are able to adhere to strict security standards and comply with the relevant data privacy laws, there are still many actions that users can perform which will put an organization’s systems and data at risk.
Poor password hygiene, privilege escalation, and sloppy data sharing practices are among the threats which cannot be mitigated by the cloud service provider. On top of this, the native auditing tools provided by most cloud vendors have many limitations, which hinder visibility into the types of activities performed by users.
For example, the audit log search capabilities are rarely specific enough for our needs, and logs are retained for a short period of time (up to 30 days for Azure AD Premium).
Since organizations hosting data and applications in the cloud no longer have control over their firewalls and other intrusion prevention technologies, they rely heavily on monitoring changes within their Azure AD environment. This includes monitoring changes to roles, groups, applications, sharing, and mailboxes, to name a few.
Top 10 Security Events to Monitor in Microsoft 365
Below are the ten most important security events to monitor in order to keep your privileged accounts and sensitive data out of the wrong hands.
1. Changes to Important Roles
Users frequently end up with more roles than they actually need, while adversaries who have successfully compromised a user account will do what they can to elevate their privileges by acquiring more roles.
As such, administrators will need to know when changes are made to important roles. To find this information, they can visit the Azure portal and filter the audit logs on the Core Directory service and the RoleManagement category, which will return a list of all changes to roles within their environment.
Alternatively, they can search the Unified Audit Log via the Office 365 Security & Compliance Center, which will also include the logs of all Microsoft 365 applications.
2. Changes to Groups
Groups serve as the primary means by which access is granted to resources in Active Directory, and Azure AD adds further group types on top of this. For example, when using apps like Teams and Outlook, users are allowed to create their own groups and assign other users to those groups. In some cases, users will create groups to enable better collaboration with clients, vendors, and business associates, thus increasing the likelihood of accidental disclosure of sensitive data. To find group changes in Azure AD, go to the Azure portal, and under the Audit logs section, select either the Directory service or the GroupManagement category.
3. Changes to Applications
Azure AD maintains multiple bridges between applications and services, including those hosted on-premises. While this can help with communication and collaboration, it also introduces points of failure.
Any misconfigured applications could turn out to be quite disruptive, especially if employees are not able to access the apps they need to perform their duties, or if customers are not able to access the company’s website, make payments, and so on. As such, being able to detect and respond to changes to applications is crucially important to prevent potential downtime and lost revenue.
In the Azure portal you can view the audit logs for each application you have installed. Most audit events come from either the ApplicationManagement or UserManagement categories, although you may need to drill through numerous events in order to find the ones that are relevant to you.
4. Resource Creation
When a user creates a Teams site, a number of additional resources are also created, such as Outlook calendars and group inboxes, a OneNote notebook, a SharePoint site, and more. As you would expect, having resources being created automatically “under the hood” can present a security threat if administrators are not aware of them, or fail to keep a close eye on them. You can find the audit logs relating to the creation of resources in the Azure portal, by searching the UserManagement and GroupManagement categories under the Azure Active Directory section. Alternatively, you can search the Unified Audit Log in the Office 365 Security & Compliance Center, which will list all resources that are created and modified.
5. Sharing of Important Files and Anonymous Links
The open sharing capabilities of both SharePoint Online and OneDrive for Business introduce a number of security risks, as they make it a lot easier to accidentally share sensitive data with the wrong recipients. To make matters worse, users are sometimes allowed to share a link to a document containing sensitive data, which external users can access anonymously.
In addition to monitoring the audit logs for anomalous sharing practices, it is generally a good idea to restrict the sharing capabilities of both platforms. To find events relating to file sharing and access request activities in SharePoint and OneDrive you will need to search the Unified Audit Logs in the Office 365 Security & Compliance Center.
6. Guest Access in Teams
As above, the ability for users to grant “Guest access” in Teams is another area that needs close attention. In the wake of the pandemic, many organizations were scrambling to switch to a remote working model, and thus many chose to use Teams for remote collaboration and communication.
With that shift came a plethora of security challenges. Few organizations had spent the time to carefully review the sharing settings, and thus prevent users from inviting guests – some of whom may be granted full access to Teams files, chats, meetings, and so on.
To find a list of all Guest users (or user creation events), search the Unified Audit Log in the Office 365 Security & Compliance Center. You can also limit the search by date range. Alternatively, in the Azure portal you can perform a search using the following filters:
- Service — Core Directory
- Category — UserManagement
- Activity — Add user
7. Teams Being Created or Deleted
In addition to monitoring Guest access in Teams, you will also want to keep a close eye on which Teams are being created and deleted. By default, users are granted the ability to create and delete Teams, as and when they choose.
While it is possible to disable this functionality, doing so will hinder collaboration. Not only that, but administrators may also want to create and delete Teams themselves, and those actions will also need to be monitored. Unfortunately, there’s no distinction between Microsoft 365 groups created by Teams, and other groups in Azure AD.
However, in the Azure portal you can narrow down the results by setting the Service to Core Directory and the Category to GroupManagement. As always, you can also search the Unified Audit Log in the Office 365 Security & Compliance Center, although this will take longer and you will still need to filter the Microsoft 365 groups to find out which teams were created/deleted.
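Sections 1 to 7 all come down to the same portal filters (Service, Category, Activity) applied to the Azure AD audit log. The following is an added example, not code from the original post or from Lepide, that applies those filters to exported records and pulls out the two changes most worth an immediate look: a privileged role being granted and a guest account being created. The record shape (category, loggedByService, activityDisplayName, initiatedBy, targetResources with modifiedProperties) is assumed to follow the Microsoft Graph directoryAudits resource, the sample records are constructed, and the PRIVILEGED_ROLES list is a starting point rather than anything the page prescribes.

```python
"""Triage Azure AD audit log records the way the portal filters do.

Added example. The record shape (category, loggedByService,
activityDisplayName, initiatedBy, targetResources[].modifiedProperties)
is assumed to follow the Microsoft Graph directoryAudits resource; check
it against your own export before relying on the field names.
"""
import json

# Constructed sample records, not real tenant data.
SAMPLE_AUDITS = [
    {   # privileged role granted: the change section 1 asks you to watch
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "type": "User", "userPrincipalName": "alice@contoso.example",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "oldValue": None,
                 "newValue": "\"Global Administrator\""}]}],
    },
    {   # low-privilege role: logged, but not something to page on
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "type": "User", "userPrincipalName": "bob@contoso.example",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "oldValue": None,
                 "newValue": "\"Directory Readers\""}]}],
    },
    {   # guest invited into the tenant (section 6: Core Directory / UserManagement / Add user)
        "activityDisplayName": "Add user",
        "category": "UserManagement",
        "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": "vendor_partner.example#EXT#@contoso.example",
            "modifiedProperties": [
                {"displayName": "UserType", "oldValue": None, "newValue": "\"Guest\""}]}],
    },
    {   # ordinary member added to a group (section 2)
        "activityDisplayName": "Add member to group",
        "category": "GroupManagement",
        "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "dave@contoso.example",
                             "modifiedProperties": []}],
    },
]

# Roles worth an immediate look; constructed starting list, extend it for your tenant.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "SharePoint Administrator"}


def filter_audits(records, service=None, category=None, activity=None):
    """Keep records matching every filter given; mirrors the portal's
    Service / Category / Activity drop-downs."""
    return [r for r in records
            if (service is None or r.get("loggedByService") == service)
            and (category is None or r.get("category") == category)
            and (activity is None or r.get("activityDisplayName") == activity)]


def _prop(target, name):
    """Return the newValue of a modifiedProperties entry. Graph encodes these
    values as JSON strings (e.g. '"Guest"'), so decode when that holds."""
    for p in target.get("modifiedProperties", []):
        if p.get("displayName") == name:
            raw = p.get("newValue")
            try:
                return json.loads(raw) if raw is not None else None
            except json.JSONDecodeError:
                return raw
    return None


def privileged_role_changes(records):
    """(activity, actor, target user, role) for role changes touching PRIVILEGED_ROLES."""
    hits = []
    for r in filter_audits(records, service="Core Directory", category="RoleManagement"):
        actor = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        for t in r.get("targetResources", []):
            role = _prop(t, "Role.DisplayName")
            if role in PRIVILEGED_ROLES:
                hits.append((r["activityDisplayName"], actor, t.get("userPrincipalName"), role))
    return hits


def guest_additions(records):
    """UPNs of users created with UserType Guest."""
    hits = []
    for r in filter_audits(records, "Core Directory", "UserManagement", "Add user"):
        for t in r.get("targetResources", []):
            if _prop(t, "UserType") == "Guest":
                hits.append(t.get("userPrincipalName"))
    return hits


if __name__ == "__main__":
    for hit in privileged_role_changes(SAMPLE_AUDITS):
        print("ROLE  ", hit)
    for upn in guest_additions(SAMPLE_AUDITS):
        print("GUEST ", upn)
```

The point of the role check is that a RoleManagement filter alone returns every role change; the value of `Role.DisplayName` inside `modifiedProperties` is what separates a Global Administrator grant from a harmless Directory Readers one. The same `_prop` lookup on `UserType` separates guest creations from ordinary member creations within the "Add user" activity the page's section 6 filters return.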
8. Forwarding of Inbound Email Messages
Forwarding inbound email messages is a perfectly sound practice. That said, it is generally a good idea for administrators to keep track of changes to email forwarding, as malicious actors will sometimes set up auto-forwarding on email accounts that they have compromised.
The problem, however, is that neither Azure AD nor Microsoft 365 allow administrators to monitor these changes in the audit logs. Instead, they must export the full Exchange Online audit logs as a CSV file and search for {"name":"DeliverToMailboxAndForward","value":"True"}.
9. Non-Owner Mailbox Activity
It is not uncommon for a member of the technical support team to access mailbox accounts that are not theirs, and in some cases, employees use shared mailbox accounts. Likewise, administrators could easily grant themselves access to an executive’s account and snoop around.
Whatever the scenario, it's generally not a good idea to allow users to access mailbox accounts that don't belong to them, and if you do, be sure to monitor them for suspicious activity. Mailbox events can only be found in the Unified Audit Log, which allows you to view the following events:
- Sent message using Send On Behalf permission
- Added or removed user with delegate access to calendar/folder
- Sent message using Send As permission
- Added delegate mailbox permission
- Removed delegate mailbox permission
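Sections 8 and 9 both end up at the same place: an exported Unified Audit Log whose AuditData column has to be searched by hand. The following is an added example, not code from the original post or from Lepide, that parses such an export once and runs both checks over it: rows that switch DeliverToMailboxAndForward on (with the forwarding target alongside), and rows where someone other than the mailbox owner acted on a mailbox. Assumptions: the export has CreationDate, UserIds, Operations and AuditData columns; AuditData is JSON; Exchange admin records list cmdlet arguments as {Name, Value} pairs under Parameters; mailbox records carry MailboxOwnerUPN and a LogonType of 0 (owner), 1 (admin) or 2 (delegate); and the operation names in NON_OWNER_OPS are my mapping of the page's list. The export itself is constructed.

```python
"""Scan a Unified Audit Log CSV export for mailbox-forwarding changes and
non-owner mailbox activity.

Added example. Assumes CreationDate/UserIds/Operations/AuditData columns,
JSON in AuditData, cmdlet arguments as a Parameters list of {Name, Value},
and MailboxOwnerUPN plus LogonType (0 owner, 1 admin, 2 delegate) on
mailbox records. Check these against your own export.
"""
import csv
import io
import json


def _row(date, user, operation, audit):
    return [date, user, operation, json.dumps(audit)]


def build_sample_export():
    """Constructed export (not real tenant data) in the assumed CSV layout."""
    rows = [
        # auto-forward switched on: the page's DeliverToMailboxAndForward=True marker
        _row("2022-03-25T08:12:00", "bob@contoso.example", "Set-Mailbox", {
            "ObjectId": "bob@contoso.example",
            "Parameters": [{"Name": "Identity", "Value": "bob"},
                           {"Name": "DeliverToMailboxAndForward", "Value": "True"},
                           {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@external.example"}]}),
        # the same setting switched off again: not a forwarding hit
        _row("2022-03-25T09:30:00", "admin@contoso.example", "Set-Mailbox", {
            "ObjectId": "bob@contoso.example",
            "Parameters": [{"Name": "Identity", "Value": "bob"},
                           {"Name": "DeliverToMailboxAndForward", "Value": "False"}]}),
        # delegate sending as the CEO
        _row("2022-03-25T10:05:00", "support@contoso.example", "SendAs", {
            "MailboxOwnerUPN": "ceo@contoso.example", "LogonType": 2}),
        # owner reading their own mail: normal
        _row("2022-03-25T10:06:00", "ceo@contoso.example", "MailItemsAccessed", {
            "MailboxOwnerUPN": "ceo@contoso.example", "LogonType": 0}),
        # admin granting themselves FullAccess on the CEO mailbox
        _row("2022-03-25T11:00:00", "admin@contoso.example", "Add-MailboxPermission", {
            "ObjectId": "ceo@contoso.example",
            "Parameters": [{"Name": "Identity", "Value": "ceo"},
                           {"Name": "User", "Value": "admin@contoso.example"},
                           {"Name": "AccessRights", "Value": "FullAccess"}]}),
    ]
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    w.writerows(rows)
    return buf.getvalue()


def parse_ual_export(csv_text):
    """Yield (operation, acting user, decoded AuditData) per export row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row.get("AuditData") or "{}")
        except json.JSONDecodeError:
            data = {}
        yield row.get("Operations", ""), row.get("UserIds", ""), data


def _params(data):
    """Cmdlet parameters as a lower-cased name -> value map, so both the
    page's lower-case spelling and the export's capitalised keys match."""
    out = {}
    for p in data.get("Parameters", []):
        name = p.get("Name", p.get("name", ""))
        out[str(name).lower()] = str(p.get("Value", p.get("value", "")))
    return out


def forwarding_changes(csv_text):
    """Rows that enable DeliverToMailboxAndForward, with the forwarding target."""
    hits = []
    for op, actor, data in parse_ual_export(csv_text):
        params = _params(data)
        if params.get("delivertomailboxandforward", "").lower() == "true":
            hits.append({"operation": op, "actor": actor,
                         "mailbox": params.get("identity") or data.get("ObjectId", ""),
                         "forward_to": params.get("forwardingsmtpaddress")
                         or params.get("forwardingaddress") or ""})
    return hits


# The page's non-owner events plus the permission cmdlets behind them (assumed names).
NON_OWNER_OPS = {"SendAs", "SendOnBehalf", "Add-MailboxPermission", "Remove-MailboxPermission",
                 "AddFolderPermissions", "UpdateCalendarDelegation"}


def non_owner_mailbox_activity(csv_text):
    """Rows where someone other than the owner acted on a mailbox."""
    hits = []
    for op, actor, data in parse_ual_export(csv_text):
        owner = data.get("MailboxOwnerUPN", "")
        delegated = data.get("LogonType") not in (None, 0) and owner and actor.lower() != owner.lower()
        if op in NON_OWNER_OPS or delegated:
            hits.append({"operation": op, "actor": actor,
                         "mailbox": owner or data.get("ObjectId", "")})
    return hits


if __name__ == "__main__":
    export = build_sample_export()
    for h in forwarding_changes(export):
        print("FORWARD  ", h)
    for h in non_owner_mailbox_activity(export):
        print("NON-OWNER", h)
```

Matching on the parameter value rather than on the literal string the page quotes matters: the same marker appears with "False" when forwarding is switched off again, and a plain text search for the JSON fragment would miss an export whose keys are capitalised. Recording ForwardingSmtpAddress next to the hit is what tells you whether mail is leaving the tenant.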
10. Failed Sign-in Attempts
It is crucially important that you monitor all failed sign-in attempts, as attackers will frequently try to brute-force account passwords. To see a list of failed sign-in attempts, go to the Sign-ins screen under Monitoring, and select Failure from the Status drop-down menu. Then, you will need to scrutinize each of the listed sign-in events for malicious activity.
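Scrutinizing every failed sign-in by hand does not scale, so the two patterns worth automating are a burst of failures against one account and one source address failing across many accounts (a password spray, which a per-account view of the Sign-ins screen never shows). The following is an added example, not code from the original post or from Lepide: it assumes sign-in records in the shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode with 0 meaning success) and uses a constructed sample; the thresholds are illustrative.

```python
"""Flag brute-force and password-spray patterns in Azure AD sign-in records.

Added example. Records are assumed to follow the Graph signIn resource
(userPrincipalName, ipAddress, createdDateTime, status.errorCode, where
errorCode 0 is success); the sample below is constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2022, 3, 25, 8, 0, 0)


def _signin(user, ip, minute, error_code):
    """Build one constructed sign-in record; 50126 stands in for a bad password."""
    ts = BASE + timedelta(minutes=minute)
    return {"userPrincipalName": user, "ipAddress": ip,
            "createdDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "status": {"errorCode": error_code}}


SAMPLE_SIGNINS = (
    # six failures against one account in three minutes, then a success: brute force
    [_signin("alice@contoso.example", "198.51.100.7", m, 50126) for m in (0, 0, 1, 1, 2, 3)]
    + [_signin("alice@contoso.example", "198.51.100.7", 4, 0)]
    # one failure each against four accounts from one address: password spray
    + [_signin(u, "203.0.113.5", 10 + i, 50126)
       for i, u in enumerate(("bob@contoso.example", "carol@contoso.example",
                              "dave@contoso.example", "erin@contoso.example"))]
    # an ordinary typo
    + [_signin("frank@contoso.example", "192.0.2.9", 20, 50126)]
)


def _ts(record):
    """Parse the UTC timestamp into a naive datetime for window arithmetic."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00")).replace(tzinfo=None)


def failures(records):
    """Sign-ins whose status.errorCode is non-zero."""
    return [r for r in records if r.get("status", {}).get("errorCode", 0) != 0]


def brute_force_candidates(records, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside some `window`;
    returns user -> peak failure count within a window."""
    by_user = defaultdict(list)
    for r in failures(records):
        by_user[r["userPrincipalName"]].append(_ts(r))
    out = {}
    for user, times in by_user.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            out[user] = peak
    return out


def spray_candidates(records, min_users=3):
    """Source addresses whose failures span at least `min_users` distinct accounts."""
    users_by_ip = defaultdict(set)
    for r in failures(records):
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    print("brute force:", brute_force_candidates(SAMPLE_SIGNINS))
    print("spray      :", spray_candidates(SAMPLE_SIGNINS))
```

The sliding window keeps the per-user count honest over long exports (six failures spread across a month are not a brute-force attempt), and grouping failures by source address is what surfaces a spray, where no single account ever crosses a per-account threshold.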
How Can Lepide Help You Monitor Changes in Azure AD/Microsoft 365
As mentioned previously, one of the major drawbacks of the Azure AD/Microsoft 365 native auditing is the limited search capabilities.
The Lepide Data Security Platform, on the other hand, has a powerful search facility that will aggregate event data from multiple platforms, whether on-premise or cloud-based, and display a summary of important events via a single and intuitive dashboard.
Not only that but the event logs will be retained for as long as you need them.
Anytime changes are made to your roles, groups, applications, mailboxes, and file shares, the administrator can receive a real-time alert, thus preventing them from missing out on any critical changes. The Lepide Data Security Platform also uses machine learning models to automatically identify and respond to anomalous user activity, including multiple failed sign-in attempts, non-owner mailbox access, and lots more.
If you’d like to see how the Lepide Data Security Platform can help keep Azure AD and Microsoft 365 secure, schedule a demo with one of our engineers.