Why should we store log to an Log Analytics workspace? The answer can be more than one. I will guide you how to setup and share some benefit of the value.
The picture above show the standard workbooks you can see. You can deep into each of the workbooks to investigate more information. Let´s open Sign-ins using Legacy Authentication. At the top you can choose TimeRange from 5 min up to 2 years and which apps that use this old protocol. Then filter down by users to summary all the users we need to fix.
Back to the setup of this function. The requirement for this solution is:
- Azure subscription
- Resource Group
- Log Analytics workspace
When we has create the analytics database we just connect Azure AD sign-ins logs and audit logs to that workspace. In Azure AD -> Diagnostic settings -> Add diagnostic setting. Name: SendToLogAnalytics, tap the “Send to Log Analytics”. Choose the Azure subscription and select both logs.
If you need more information you can create your own questions in the Log analytics database. I will come back to this in another blog later.
Storage
In a tenant with 10.000+ users we can expect around 250-350MB per work day. Normal use in 1 month will be around 6-8GB. The first 5 GB of data ingested per organization to the Azure Monitor Log Analytics service every month is offered free. Rest of the data will be paid per GB.
Part 1: https://cloudtech.nu/2020/01/23/part-1-conditional-access-report-only/
Microsoft 365 Tech blog 