Quick post today around Active Directory sign-on auditing when using AAD Connect Pass-Through Authentication.
Azure AD Connect Pass-Through Authentication (PTA) provides the ability to pass authentication off directly to domain controllers. When passwords are reset or changed they’re reflected in Azure AD immediately via Azure AD Connect sync. Additionally, self-service password reset (SSPR) may be enabled in Azure Active Directory and those resets are written back to the domain controller as well.
To learn more about the available sign-on options please visit: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-user-signin
Many organizations already have extensive auditing set up to track sign-on activities and need to continue to track sign-on activity in across all services and need to maintain tracking no matter what services or applications are in use. To continue the auditing practice with Azure AD Connect PTA let’s walk through how this is achieved.
- Active Directory Auditing is enabled via Group Policy. Look under Audit Policies –> Logon/Logoff and Account Logon and enable auditing there.
- Azure AD Connect with Pass-Through Authentication and Password Write Back enabled.
- Optional: an additional Pass-Through Authentication connector deployed for high availability.
Example of my Active Directory audit policies:
Lets take a look at what to look for when using Azure AD Connect PTA.
As a user sign’s on to O365, or a federated SaaS app, or an internal application published to Azure AD, there are three events that are logged, two events to the domain controller: 4768, 4769 and one event to the server where ADD Connect is installed and PTA is enabled: 4624 (if additional PTA connectors are deployed for high availability look on those servers for 4624 as well).
On the domain controller look for events 4768 and 4769:
On the server where AD Connect is installed (and or additional PTA connector servers) look for event 4624:
Additionally, we can roll up these events to a SIEM for further aggregation of sign-on events and auditing. In my case I chose to use Log Analytics within the Microsoft Operations Management Suite:
To learn more about Azure AD Connect Pass-Through Authentication please visit the following links:
AAD Connect PTA: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication
AAD Connect PTA w/Desktop SSO: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
AAD Connect PTA TS Guide: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-troubleshoot-sso