Incident Response Series: Reviewing data in Azure AD for investigation

In my previous blog post, I wrote about collecting logs from Azure AD and how the exported logs can be analyzed. Today, I want to focus on reviewing the data that is relevant for further investigation in a compromised environment.

A successful investigation requires an understanding of the adversaries and their behaviour: how they operate, so that action can be taken to stop any further activity on their objectives. Besides the investigation, there is also the remediation. In order to remediate successfully, we need a deep understanding of the initial access method and of the different ways the adversaries can persist. If a persistence mechanism is missed during an IR engagement, it can lead to continued access by the adversaries.

This makes it very challenging for incident responders, but it is the reality. I’m not claiming that everything in this blog post is perfect, because I might have overlooked things as well. However, I do believe it’s a good foundation to start with, which can later be extended with additional information from your side.

In this blog post, we will focus on exporting data and reviewing it with the ‘Watchlist’ feature in Azure Sentinel. At the end of this blog post there is a reference section, where I will publish all the scripts that I’ve used to export the data.

Does this mean that we have to use the ‘Watchlist’ feature? Not necessarily, because it has limitations as well, such as a maximum size per watchlist. Another option is the externaldata operator, which reads the CSV directly from a storage location (for example a blob with a SAS token) instead of importing it.

Reviewing Administrative rights

  • Review privileged access in the Cloud

One of the first things I like to do is get an overview of the members of every directory role. It is recommended to remove any permissions that are no longer needed. During this task, I also check whether the organization uses separate ‘admin’ accounts for its administrators and developers, and I look at the number of members in each role that I consider ‘privileged’. You can think of Global Administrator, Password Administrator, Privileged Authentication Administrator, and so on.

In this case, I’ve exported all the directory roles and the members of each individual role.

Now I’m going to import this CSV file into Azure Sentinel as a watchlist and query the dataset. Here is an example query, where I use the summarize operator to count the members of each role.

Let’s say that I want to know who is a member of the Global Administrator role. The only thing I have to do is run a query that filters on the role name.

To finish, I count the members of each role that I consider ‘high-privileged’ and visualize the data to highlight the statistics.

I have specified a list of roles that I consider privileged and I’m using the render operator to visualize the statistics. This helps us present the results to an organization and perhaps highlight that they have too many users in certain privileged roles.

There are different ways to visualize statistics; as an example, I chose a bar chart. The results below show the total number of members in every role.
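The queries described above, combined into one added KQL example that is not from the original post. It runs against a constructed stand-in for the exported directory-role CSV; the column names (RoleName, MemberUPN, MemberType), the sample members, the list of ‘privileged’ roles and the ‘adm-’ naming convention for dedicated admin accounts are all assumptions. In Azure Sentinel the datatable is replaced by _GetWatchlist('DirectoryRoles') with the column names of your own export.

```kusto
// Added example, not from the original post. Constructed stand-in for the
// exported directory-role CSV; in Azure Sentinel use the watchlist instead:
//   let Roles = _GetWatchlist('DirectoryRoles');
// Column names and the members below are assumptions.
let Roles = datatable(RoleName:string, MemberUPN:string, MemberType:string)
[
    "Global Administrator",                    "adm-alice@contoso.com",  "User",
    "Global Administrator",                    "bob@contoso.com",        "User",
    "Global Administrator",                    "adm-carol@contoso.com",  "User",
    "Privileged Authentication Administrator", "bob@contoso.com",        "User",
    "Password Administrator",                  "dave@contoso.com",       "User",
    "Exchange Administrator",                  "erin@contoso.com",       "User",
    "Exchange Administrator",                  "svc-backup@contoso.com", "ServicePrincipal",
    "Global Reader",                           "frank@contoso.com",      "User"
];
// Roles treated as 'high-privileged' for the statistics (assumed list; extend as needed).
let PrivilegedRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Password Administrator",
    "Authentication Administrator",
    "Exchange Administrator"
]);
// Plain membership lookup for a single role (the 'who is Global Administrator' question):
//   Roles | where RoleName == "Global Administrator" | project MemberUPN, MemberType
// Per-role statistics: member count, the number of users holding the role from an
// everyday account instead of a dedicated one (assumed 'adm-' prefix), and the members.
Roles
| where RoleName in (PrivilegedRoles)
| summarize
    Members = count(),
    NonDedicatedAdmins = countif(MemberType == "User" and MemberUPN !startswith "adm-"),
    MemberList = make_set(MemberUPN)
    by RoleName
| order by Members desc
| project RoleName, Members, NonDedicatedAdmins, MemberList
| render barchart with (xcolumn = RoleName, ycolumns = Members, NonDedicatedAdmins)
```

With the constructed data this yields Global Administrator with 3 members (1 non-dedicated), Exchange Administrator with 2 (the service principal is not counted as non-dedicated) and one member each for the other two roles. The same query also works over a CSV that was not imported, by replacing the datatable with externaldata(RoleName:string, MemberUPN:string, MemberType:string) [@"<blob URL with SAS token>"] with(format="csv", ignoreFirstRecord=true).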

  • Reviewing all Enterprise Applications and Consent permissions

Enterprise Applications with extensive permissions, such as writing to the directory or reading and accessing users’ mailboxes, are worth looking at. When was the last time you audited your applications and the permissions that belong to them? In most cases, this is done very rarely.

This is what the export of all applications from a tenant looks like. It shows all the permissions that belong to each application, and much more.

According to Microsoft DART, there are a few examples of permissions that we should keep an eye on:

  • Modification of privileged users and roles.
  • Reading or accessing all mailboxes.
  • Sending or forwarding email on behalf of other users.
  • Accessing all OneDrive or SharePoint sites content.
  • Adding service principals that can read/write to the directory.

We now import our CSV file into Azure Sentinel to review it further. What we can do is run a few basic KQL queries to filter out the results we are looking for.

There is a column that shows the impact of a permission, so as an example, I’m going to filter on permissions that have been classified as ‘High’.

This returns all the applications and the permission(s) that have been assigned to them; the results only show the permissions that have been classified as ‘High’.

We can do the same for ‘Low’ permissions, but that said: review all the enterprise applications, especially the ones with permissions that are classified as ‘High’. Check whether those applications are still being used and, when that is not the case, remove them. I also recommend checking with the IT team whether those applications look familiar to them.

To finish, we visualize some statistics: what percentage of all applications has at least one permission with a ‘High’ risk rating?
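An added KQL example for the ‘High’ filter and the percentage statistic above, not from the original post. It runs against a constructed stand-in for the exported application/permission CSV; the column names (AppDisplayName, AppId, PermissionType, Permission, Impact), the Impact ratings, the sample applications and the mapping of the DART examples to Microsoft Graph permission names are assumptions. In Azure Sentinel the datatable is replaced by _GetWatchlist('AppPermissions').

```kusto
// Added example, not from the original post. Constructed stand-in for the exported
// application/permission CSV (in Sentinel: _GetWatchlist('AppPermissions')).
// Column names, Impact ratings and the sample apps are assumptions.
let AppPermissions = datatable(AppDisplayName:string, AppId:string, PermissionType:string, Permission:string, Impact:string)
[
    "HR Sync Tool",   "app-1", "Application", "Directory.ReadWrite.All", "High",
    "HR Sync Tool",   "app-1", "Application", "User.Read.All",           "Medium",
    "Mail Archiver",  "app-2", "Application", "Mail.Read",               "High",
    "Mail Archiver",  "app-2", "Application", "Mail.Send",               "High",
    "Survey Widget",  "app-3", "Delegated",   "User.Read",               "Low",
    "Team Dashboard", "app-4", "Delegated",   "Sites.Read.All",          "High",
    "Status Page",    "app-5", "Delegated",   "openid",                  "Low"
];
// Graph permissions that (as an assumed mapping) correspond to the DART examples:
// role modification, mailbox read, sending mail, SharePoint/OneDrive content, directory write.
let DartWatchList = dynamic([
    "RoleManagement.ReadWrite.Directory", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Sites.Read.All", "Sites.ReadWrite.All", "Files.Read.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.ReadWrite.All"
]);
// Denominator for the statistic: every distinct application in the export,
// including the ones that only hold Low/Medium permissions.
let TotalApps = toscalar(AppPermissions | summarize dcount(AppId));
let AppsWithHigh = toscalar(AppPermissions | where Impact == "High" | summarize dcount(AppId));
// Listing of 'High' permissions per application, with the tenant-wide percentage
// repeated on every row so it can be shown next to the list.
AppPermissions
| where Impact == "High"
| summarize
    HighPermissions = make_set(strcat(PermissionType, ":", Permission)),
    DartWatchHits = countif(Permission in (DartWatchList))
    by AppId, AppDisplayName
| extend HighPermissionCount = array_length(HighPermissions)
| extend PercentOfAppsWithHigh = round(100.0 * AppsWithHigh / TotalApps, 1)
| order by DartWatchHits desc, HighPermissionCount desc
```

With the constructed data, 3 of the 5 applications hold at least one ‘High’ permission (60.0%). Counting applications by AppId rather than display name matters because the same display name can be registered more than once.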

Review user accounts

  • Review Guest accounts

An important hygiene measure is to take a look at guest accounts and check whether they still require access to the tenant. Remove every guest account that no longer requires access.

  • Review MFA status of accounts

MFA is one of the most important security measures that should be enabled on accounts, but unfortunately that is not always the case. Review whether user accounts have MFA enabled.

In this example, I’m going to look for accounts that don’t have MFA enabled. You may be surprised, but there is always a chance that you will discover at least one ‘admin’ account without MFA.

We now import this CSV file into Azure Sentinel to be able to query the dataset easily.

A good thing to look at are all the accounts that don’t have MFA enabled but can still sign in. We have to exclude the On-Premises Directory Synchronization Service Account, because this account can’t have MFA enabled.

What we should do next is look at all the accounts that are a member of at least one directory role but don’t have MFA enabled. In the query, I’ve also specified that sign-in must be allowed. Here we can see two accounts that are a member of the ‘Authentication Administrator’ role, while one account is a member of the ‘Exchange Administrator’ role.

Check when these accounts last signed in and whether there was a reason for not having MFA enabled. You’ll often see accounts that, for example, haven’t signed in (yet) and therefore never registered for MFA. The results should always be verified and not be interpreted blindly.
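An added KQL example for the MFA review above, not from the original post. It joins a constructed stand-in for the user/MFA export with a constructed directory-role export; the column names (UserPrincipalName, AccountEnabled, MFAStatus, LastSignIn, RoleName, MemberUPN) and the sample accounts are assumptions. In Azure Sentinel the two datatables are replaced by _GetWatchlist('UserMFA') and _GetWatchlist('DirectoryRoles').

```kusto
// Added example, not from the original post. Constructed stand-ins for the exported
// user/MFA CSV and directory-role CSV (in Sentinel: _GetWatchlist('UserMFA') and
// _GetWatchlist('DirectoryRoles')). Column names and accounts are assumptions.
// datetime(null) marks an account that has never signed in.
let Users = datatable(UserPrincipalName:string, AccountEnabled:bool, MFAStatus:string, LastSignIn:datetime)
[
    "adm-alice@contoso.com",                    true,  "Enforced", datetime(2021-05-01),
    "bob@contoso.com",                          true,  "Disabled", datetime(2021-05-03),
    "dave@contoso.com",                         true,  "Disabled", datetime(null),
    "erin@contoso.com",                         true,  "Disabled", datetime(2021-04-15),
    "grace@contoso.com",                        false, "Disabled", datetime(2020-11-20),
    "frank@contoso.com",                        true,  "Enabled",  datetime(2021-04-28),
    "Sync_DC01_1a2b3c@contoso.onmicrosoft.com", true,  "Disabled", datetime(2021-05-04)
];
let Roles = datatable(RoleName:string, MemberUPN:string)
[
    "Global Administrator",         "adm-alice@contoso.com",
    "Authentication Administrator", "bob@contoso.com",
    "Authentication Administrator", "dave@contoso.com",
    "Exchange Administrator",       "erin@contoso.com",
    "Exchange Administrator",       "grace@contoso.com"
];
// Accounts without MFA that can still sign in. The on-premises directory
// synchronization service account (Sync_<server>_<id>@<tenant>.onmicrosoft.com)
// cannot use MFA and is excluded up front; grace is excluded because sign-in is blocked.
Users
| where AccountEnabled == true and MFAStatus == "Disabled"
| where UserPrincipalName !startswith "Sync_"
// Keep only accounts that hold at least one directory role.
| join kind=inner (Roles | project UserPrincipalName = MemberUPN, RoleName) on UserPrincipalName
| summarize Roles = make_set(RoleName) by UserPrincipalName, LastSignIn
| extend NeverSignedIn = isnull(LastSignIn)
// Accounts that never signed in float to the top: they never had the chance to register.
| order by LastSignIn asc nulls first
| project UserPrincipalName, Roles, LastSignIn, NeverSignedIn
```

With the constructed data this returns bob and dave (Authentication Administrator) and erin (Exchange Administrator), matching the situation described above; dave shows up as never signed in, which is the case to verify before treating it as a finding.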

Review access & configuration settings in Office 365 services

  • SharePoint Online Sharing

Review all the existing SharePoint sites that have external sharing enabled. Check if these sites should allow external sharing.

  • External users in SharePoint sites

Review all external users that have access to SharePoint sites and check if access is still required.

  • Review access in Teams channels

Review access in all the different channels and remove any unnecessary permissions.

Review access in Exchange Online

  • Review accounts with access to mailboxes

Review all the accounts that have full access to other users’ mailboxes.

Import the CSV into Azure Sentinel and start running queries. In my query, I have excluded all the accounts that start with ‘S-1-5-21’: these are unresolved SIDs of accounts that no longer exist, which only add noise to the results.

The returned results show all the accounts that have access to other users’ mailboxes.

In the following example, I have specified a query with a threshold of 10. It looks for accounts that have access to more than 10 mailboxes.
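An added KQL example for the mailbox-permission review above, not from the original post. It runs against a constructed stand-in for a Get-MailboxPermission export; the column names follow that cmdlet’s output (Identity, User, AccessRights, IsInherited, Deny), while the sample mailboxes and accounts are assumptions. In Azure Sentinel the constructed table is replaced by _GetWatchlist('MailboxPermissions').

```kusto
// Added example, not from the original post. Constructed stand-in for the
// Get-MailboxPermission export (in Sentinel: _GetWatchlist('MailboxPermissions')).
// Column names follow the cmdlet output; mailboxes and accounts are assumptions.
let Sample = datatable(Identity:string, User:string, AccessRights:string, IsInherited:bool, Deny:bool)
[
    "alice@contoso.com", @"NT AUTHORITY\SELF",                               "FullAccess, ReadPermission", false, false,
    "alice@contoso.com", "S-1-5-21-1004336348-1177238915-682003330-1234",   "FullAccess",                 false, false,
    "alice@contoso.com", "helpdesk@contoso.com",                             "FullAccess",                 false, false,
    "bob@contoso.com",   "helpdesk@contoso.com",                             "FullAccess",                 false, false,
    "ceo@contoso.com",   "assistant@contoso.com",                            "FullAccess",                 false, false,
    "ceo@contoso.com",   "contractor@contoso.com",                           "FullAccess",                 false, true
];
// Twelve constructed mailboxes granted to one service account, so the threshold trips.
let Synthetic = range i from 1 to 12 step 1
| project Identity = strcat("user", i, "@contoso.com"),
          User = "svc-migration@contoso.com",
          AccessRights = "FullAccess", IsInherited = false, Deny = false;
let MailboxPermissions = union Sample, Synthetic;
// Set to 0 for the plain listing of every account with FullAccess somewhere.
let Threshold = 10;
MailboxPermissions
| where AccessRights has "FullAccess" and Deny == false
// The owner's own entry and unresolved SIDs of deleted accounts only add noise.
| where User != @"NT AUTHORITY\SELF" and User !startswith "S-1-5-21"
| summarize Mailboxes = dcount(Identity), MailboxList = make_set(Identity) by User
| where Mailboxes > Threshold
| order by Mailboxes desc
```

With the constructed data only svc-migration (12 mailboxes) exceeds the threshold; helpdesk (2) and assistant (1) appear when Threshold is set to 0. Deny entries are dropped because they revoke rather than grant access, and `has "FullAccess"` handles the comma-separated AccessRights values the cmdlet produces.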

  • Review accounts with ‘SendAs’ permissions

Review accounts with ‘SendAs’ permissions and check whether you can revoke the permission from accounts that no longer need it.

Import the CSV in Azure Sentinel and start running queries.

  • Review accounts with ‘SendOnBehalf’ permissions

Review all the accounts with ‘SendOnBehalf’ permissions and revoke them where they are no longer needed.

Import the CSV into Azure Sentinel and start running queries.

  • Review Email Forwarding Rules

Review all e-mail forwarding rules that target external domains and verify whether they are legitimate. Forwarding can be configured at the mailbox level (ForwardingSmtpAddress) as well as through inbox rules that forward or redirect mail, so both should be exported.
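An added KQL example for the forwarding review above, not from the original post. It normalizes two constructed exports, mailbox-level forwarding (Get-Mailbox: ForwardingSmtpAddress, DeliverToMailboxAndForward) and inbox rules (Get-InboxRule: ForwardTo, RedirectTo, ForwardAsAttachmentTo), and flags every target whose domain is not in the tenant’s accepted domains. The sample mailboxes, rule names and the accepted-domain list are assumptions; in Azure Sentinel the datatables are replaced by the corresponding watchlists.

```kusto
// Added example, not from the original post. Constructed stand-ins for two exports:
// mailbox-level forwarding (Get-Mailbox) and inbox rules (Get-InboxRule).
// Sample data and the accepted-domain list are assumptions.
let AcceptedDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
let MailboxForwarding = datatable(Mailbox:string, ForwardingSmtpAddress:string, DeliverToMailboxAndForward:bool)
[
    "alice@contoso.com", "",                                  false,
    "bob@contoso.com",   "smtp:bob.archive@contoso.com",      true,
    "ceo@contoso.com",   "smtp:ceo.contoso@mail-example.net", true
];
// Get-InboxRule renders recipients as "Display Name" [SMTP:address]; internal
// recipients may appear as [EX:/o=...] instead and carry no SMTP address.
let InboxRules = datatable(Mailbox:string, RuleName:string, Enabled:bool, ForwardTo:string, RedirectTo:string, ForwardAsAttachmentTo:string)
[
    "alice@contoso.com", "Invoices", true,  '"Finance" [SMTP:finance@contoso.com]', "", "",
    "bob@contoso.com",   ".",        true,  "", '"bob" [SMTP:b0b.backup@example.org]', "",
    "dave@contoso.com",  "old rule", false, "", "", '"x" [SMTP:x@example.org]'
];
// Inbox rules: pull every SMTP address out of the three forwarding fields.
let Rules = InboxRules
| where Enabled == true
| extend Targets = extract_all(@"SMTP:([^\]\s]+)", strcat(ForwardTo, " ", RedirectTo, " ", ForwardAsAttachmentTo))
| mv-expand Target = Targets to typeof(string)
| project Mailbox, Source = strcat("InboxRule:", RuleName), Target;
// Mailbox-level forwarding: strip the 'smtp:' prefix.
let Mailboxes = MailboxForwarding
| where isnotempty(ForwardingSmtpAddress)
| project Mailbox, Source = "ForwardingSmtpAddress", Target = substring(tolower(ForwardingSmtpAddress), 5);
union Rules, Mailboxes
| extend Domain = tolower(tostring(split(Target, "@")[1]))
| where Domain !in (AcceptedDomains)
| project Mailbox, Source, Target, Domain
| order by Mailbox asc
```

With the constructed data this flags bob’s inbox rule named “.” (forwarding to example.org) and the mailbox-level forwarding on ceo to mail-example.net; the Finance rule stays internal and the disabled rule on dave is ignored. A very short or meaningless rule name is itself worth a second look, since it is a common way to make a forwarding rule blend in.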

Review Conditional Access Policies

  • Review all the settings in every Conditional Access policy

Changes in Conditional Access policies can open up security risks, so review them properly. Check all the current settings of each enabled CA policy and look for configurations that look suspicious. You can think of accounts, groups, and roles that have been excluded from MFA, for example.

Review all the Conditional Access policies and check whether there are any configurations that shouldn’t be in place.

In this example, I’m going to look for Conditional Access policies that contain exclusions. It’s hard to determine whether an exclusion was set for malicious purposes or not. However, there are a few legitimate examples, like the On-Premises Directory Synchronization Service Account, which cannot have MFA enabled.
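An added KQL example for the exclusion review above, not from the original post. It runs against a constructed stand-in for an exported Conditional Access policy CSV in which the exclusion fields are JSON arrays of object IDs, and compares every exclusion against a small allow-list of explained exclusions (the sync account and a break-glass account). The column names, policy names, object IDs and allow-list are assumptions; the role ID shown is the Global Administrator role template ID. In Azure Sentinel the datatable is replaced by _GetWatchlist('CAPolicies').

```kusto
// Added example, not from the original post. Constructed stand-in for an exported
// Conditional Access policy CSV with JSON-array exclusion columns
// (in Sentinel: _GetWatchlist('CAPolicies')). Names and object IDs are assumptions.
// Exclusions that have a documented reason: the on-premises sync account and a
// break-glass account. Everything else is reported as unexplained.
let KnownExclusions = dynamic([
    "00000000-0000-0000-0000-000000000101",   // On-Premises Directory Synchronization Service Account
    "00000000-0000-0000-0000-000000000202"    // break-glass account
]);
let CAPolicies = datatable(PolicyName:string, State:string, GrantControls:string, ExcludeUsers:string, ExcludeGroups:string, ExcludeRoles:string)
[
    "Require MFA for all users",   "enabled", "mfa",   '["00000000-0000-0000-0000-000000000101","00000000-0000-0000-0000-000000000202"]', '[]', '[]',
    "Require MFA for admins",      "enabled", "mfa",   '["00000000-0000-0000-0000-000000000303"]', '[]', '["62e90394-69f5-4237-9190-012177145e10"]',
    "Block legacy authentication", "enabled", "block", '[]', '["00000000-0000-0000-0000-000000000404"]', '[]',
    "Require compliant device",    "enabledForReportingButNotEnforced", "compliantDevice", '[]', '[]', '[]'
];
// One row per excluded object, tagged with the kind of exclusion it came from.
let Expanded = union
    (CAPolicies | mv-expand Id = parse_json(ExcludeUsers)  to typeof(string) | extend Kind = "user"),
    (CAPolicies | mv-expand Id = parse_json(ExcludeGroups) to typeof(string) | extend Kind = "group"),
    (CAPolicies | mv-expand Id = parse_json(ExcludeRoles)  to typeof(string) | extend Kind = "role");
// Policies that are disabled or report-only deserve their own look:
//   CAPolicies | where State != "enabled"
Expanded
| extend Known = Id in (KnownExclusions)
| summarize
    Exclusions = count(),
    Unexplained = countif(not(Known)),
    UnexplainedIds = make_set_if(strcat(Kind, ":", Id), not(Known))
    by PolicyName, State, GrantControls
| order by Unexplained desc
```

With the constructed data, “Require MFA for all users” has two exclusions that are both explained, while “Require MFA for admins” reports an unknown user and the Global Administrator role itself excluded from an admin MFA policy, which is exactly the kind of configuration to question. Resolve the object IDs against the user, group and role exports before drawing conclusions.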


We discussed a few examples of datasets that can be relevant to export. It’s of course not everything, but I do believe it’s a good foundation to start with. Reviewing and analyzing audit logs is an important task; however, we shouldn’t forget about reviewing the current access and configuration settings in a tenant.

As discussed before, there is plenty of other information that might be worth exporting and reviewing. If you have something interesting that I didn’t include, please comment below so I can take a look at it.

What’s next?

My next blog post is going to include On-Premises AD as well. When doing incident response, you can’t forget about Active Directory, because it’s still one of the most used identity infrastructures out there.

I will also cover how we can use Azure Data Explorer instead of Watchlists in Azure Sentinel. ADX has more powerful capabilities, but I’ll cover that in my next blog post.

