Microsoft has released Azure AD Password Protection as a way to enforce an enhanced password policy. Currently we are utilizing this to check passwords against known compromised passwords (provided by Microsoft) and a custom banned password list. Microsoft has provided an agent that is run on every DC for this to work, and it collects logs regarding successful or failed attempts. I would like SEM to have these logs available to make it easier for the Security Team to find the logs instead of digging into each DC. Also, this would be helpful because we could alert on passwords being changed to known compromised passwords.
I opened a case with Support: Case # - 00321136
Azure AD Password Protection stores the logs here: \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin
These events are the most helpful:
| Outcome | Password change | Password set |
|---|---|---|
| Pass | 10014 | 10015 |
| Fail (due to customer password policy) | 10016, 30002 | 10017, 30003 |
| Fail (due to Microsoft password policy) | 10016, 30004 | 10017, 30005 |
| Fail (due to combined Microsoft and customer password policies) | 10016, 30026 | 10017, 30027 |
| Audit-only Pass (would have failed customer password policy) | 10024, 30008 | 10025, 30007 |
| Audit-only Pass (would have failed Microsoft password policy) | 10024, 30010 | 10025, 30009 |
| Audit-only Pass (would have failed combined Microsoft and customer password policies) | 10024, 30028 | 10025, 30029 |
Log Location is: C:\Windows\System32\winevt\Logs\Microsoft-AzureADPasswordProtection-DCAgent%4Admin.evtx
Example of XML Export:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-AzureADPasswordProtection-DCAgent" Guid="{FCE041B2-EACD-48A2-8E09-4D5D43C0FF69}" />
    <EventID>10015</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-05-29T13:36:24.434526600Z" />
    <EventRecordID>2339</EventRecordID>
    <Correlation ActivityID="{5EBC11EF-B8AF-47D2-A732-637B174A9AFA}" />
    <Execution ProcessID="576" ThreadID="4720" />
    <Channel>Microsoft-AzureADPasswordProtection-DCAgent/Admin</Channel>
    <Computer>DC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Data1">samaccountname</Data>
    <Data Name="Data2">display name</Data>
  </EventData>
</Event>
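As an added example (not part of the original post or of Microsoft's agent), the following Python parses events in the XML layout shown above, labels each one using the event ID table, and picks out the ones a SIEM rule should fire on: a password rejected, or audit-only passed, because it is on Microsoft's known-compromised list. It assumes the ID meanings in the table and does not correlate the 100xx and 300xx events with each other; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Mapping from the table above: 100xx IDs name the operation and its result,
# 300xx IDs name the policy (customer / Microsoft / combined) that matched.
OPERATION = {10014: "change pass", 10015: "set pass", 10016: "change fail",
             10017: "set fail", 10024: "change audit-only pass",
             10025: "set audit-only pass"}
POLICY = {30002: "customer", 30003: "customer", 30004: "Microsoft",
          30005: "Microsoft", 30026: "combined", 30027: "combined",
          30008: "customer", 30007: "customer", 30010: "Microsoft",
          30009: "Microsoft", 30028: "combined", 30029: "combined"}
# Matched Microsoft's known-compromised list (rejected, or would have been in audit mode)
ALERT_IDS = {30004, 30005, 30010, 30009}

def parse_event(xml_text):
    """Flatten one exported DCAgent/Admin event into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"event_id": int(system.find("e:EventID", NS).text),
           "time": system.find("e:TimeCreated", NS).get("SystemTime"),
           "dc": system.find("e:Computer", NS).text}
    # Data1 = sAMAccountName, Data2 = display name, as in the export above
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    return rec

def classify(rec):
    eid = rec["event_id"]
    if eid in OPERATION:
        rec["outcome"] = OPERATION[eid]
    elif eid in POLICY:
        rec["outcome"] = "matched " + POLICY[eid] + " banned list"
    else:
        rec["outcome"] = "other"
    rec["alert"] = eid in ALERT_IDS
    return rec

def _sample(event_id, user):
    # Constructed sample in the layout of the export above; not real log data.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="2019-05-29T13:36:24Z"/><Computer>DC</Computer>'
            f'</System><EventData><Data Name="Data1">{user}</Data>'
            f'<Data Name="Data2">{user} display</Data></EventData></Event>')
SAMPLE_EVENTS = [_sample(10017, "jdoe"), _sample(30005, "jdoe"),
                 _sample(10016, "asmith"), _sample(30002, "asmith")]

def find_alerts(xml_events):
    """Records a SIEM rule should raise on, from a batch of exported events."""
    return [r for r in map(classify, map(parse_event, xml_events)) if r["alert"]]
```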