Identity Governance & Protection

Monitoring, Logs & Identity Secure Score

30 mins

Understanding the Concept

Microsoft Entra ID provides three primary log types: sign-in logs (authentication events), audit logs (directory changes), and provisioning logs (app provisioning activity). These logs are essential for troubleshooting, compliance reporting, and security investigation.

Diagnostic settings allow you to route logs to Azure Monitor Log Analytics workspaces, Azure Storage accounts, or Event Hubs for long-term retention and advanced analysis. Log Analytics enables powerful KQL (Kusto Query Language) queries for investigating identity events.

Identity Secure Score provides a quantified measure of your identity security posture with actionable recommendations. Workbooks offer pre-built and customizable dashboards for monitoring sign-in patterns, CA policy impact, and user behavior analytics.

Key Points

  • Sign-in logs: Every authentication event with details and CA evaluation results
  • Audit logs: Directory changes - user/group/app modifications
  • Provisioning logs: App provisioning events and errors
  • Log Analytics + KQL: Advanced querying for investigation and reporting
  • Identity Secure Score: Posture assessment with improvement actions
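The following KQL query is an added example, not part of this course, showing how the sign-in log fields listed above (failure codes and Conditional Access evaluation results) are queried in Log Analytics. It assumes the `SigninLogs` table is present in the workspace, which is only the case once diagnostic settings route `SignInLogs` there; the 24-hour window and the failure threshold of 10 are constructed values to adjust for your tenant.

```kusto
// Added example (not from the course): users with repeated sign-in failures
// in the last 24 hours, with the Conditional Access policies that blocked them.
// Assumes SigninLogs is populated via diagnostic settings; window and threshold are constructed.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"             // "0" is success; any other code is a failure
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          ResultType, ResultDescription, ConditionalAccessStatus, ConditionalAccessPolicies
| mv-expand Policy = ConditionalAccessPolicies      // one row per evaluated CA policy
| extend PolicyName   = tostring(Policy.displayName),
         PolicyResult = tostring(Policy.result)     // success / failure / notApplied / ...
| summarize Failures      = count(),
            DistinctIPs   = dcount(IPAddress),
            FailureCodes  = make_set(ResultType),
            PoliciesFailed = make_set_if(PolicyName, PolicyResult == "failure")
          by UserPrincipalName
| where Failures >= 10
| order by Failures desc
```

`ConditionalAccessPolicies` is a dynamic array, so it has to be expanded before the per-policy result can be read; the `summarize` then collapses the rows back to one line per user, which is the shape an investigator or a workbook tile needs.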

Identity Monitoring Architecture

Step 1

Log Generation

Sign-in, audit, and provisioning events generated

Step 2

Diagnostic Settings

Route logs to Log Analytics, Storage, or Event Hub

Step 3

KQL Queries

Analyze logs with Kusto queries in Log Analytics

Step 4

Workbooks

Pre-built dashboards for visual monitoring

Step 5

Secure Score

Track and improve identity security posture
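Step 3 applies to audit logs as well as sign-in logs. The query below is an added example, not part of this course, for reviewing privileged directory changes (role membership additions) from the `AuditLogs` table. It assumes `AuditLogs` is routed to the workspace by diagnostic settings; the 7-day window is a constructed choice.

```kusto
// Added example (not from the course): who added whom to a directory role in the last 7 days.
// Assumes AuditLogs is populated via diagnostic settings; the window is constructed.
AuditLogs
| where TimeGenerated > ago(7d)
| where Category == "RoleManagement"
| where OperationName has_any ("Add member to role", "Add eligible member to role")
| extend Actor    = tostring(InitiatedBy.user.userPrincipalName),   // empty when an app acted
         ActorApp = tostring(InitiatedBy.app.displayName),
         Target   = tostring(TargetResources[0].userPrincipalName),
         Props    = TargetResources[0].modifiedProperties
// The role name lives in the modifiedProperties array under "Role.DisplayName";
// newValue is a JSON-encoded string, so strip the surrounding quotes.
| mv-apply Prop = Props on (
      where tostring(Prop.displayName) == "Role.DisplayName"
    | project RoleName = trim('"', tostring(Prop.newValue))
  )
| project TimeGenerated, OperationName, Result, Actor, ActorApp, Target, RoleName
| order by TimeGenerated desc
```

`InitiatedBy` carries either a `user` or an `app` object depending on whether a person or a service principal made the change, which is why both are projected: an unexpected application granting roles is as worth a look as an unexpected administrator.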

Why This Matters in Real Organizations

Without proper monitoring, security incidents go undetected and compliance requirements are unmet. Many regulations (SOX, HIPAA, GDPR) require audit log retention. Identity Secure Score provides a baseline and roadmap for continuous security improvement.

Common Mistakes to Avoid

  • Not configuring diagnostic settings - default log retention is only 7-30 days
  • Ignoring Identity Secure Score recommendations
  • Not using workbooks for proactive monitoring of CA policy impact
  • Writing overly broad KQL queries that return too much data
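To make the last mistake concrete, here is an added example (not part of this course) of an overly broad query next to a scoped version of the same question. The user principal name is a constructed placeholder, and the query assumes `SigninLogs` is routed to the workspace.

```kusto
// Overly broad (added example, not from the course): no time filter, substring match,
// every column returned. Scans the whole retention window and floods the results pane.
SigninLogs
| where UserPrincipalName contains "admin"

// Scoped version of the same investigation: explicit window, exact match,
// only the needed columns, aggregated so the result is a short, readable table.
// "user@contoso.example" is a constructed placeholder.
SigninLogs
| where TimeGenerated between (ago(7d) .. now())
| where UserPrincipalName == "user@contoso.example"
| where ResultType == "0"                    // successful sign-ins only
| summarize SignIns   = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by AppDisplayName, IPAddress, Location
| top 20 by SignIns desc
```

Putting the `TimeGenerated` filter first matters most: Log Analytics prunes data by time before evaluating anything else, so a missing window costs both query time and workspace billing, and `top 20` caps the output even if the aggregation is wider than expected.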

Interview Tips

  • Explain the three log types and their use cases
  • Discuss KQL query examples for common investigations
  • Mention Identity Secure Score and how to improve it

Exam Tips (SC-300)

  • Know the three log types and their retention defaults
  • Understand diagnostic settings destinations
  • Know basic KQL syntax for identity log queries

Course Complete!

You've finished all lessons
