Create SEM Connector for Azure AD Password Protection Logs

Score: 4 (voted on 4 times). Status: Implemented

Microsoft has released Azure AD Password Protection as a way to enforce an enhanced password policy. Currently we are utilizing this to check passwords against known compromised passwords (provided by Microsoft) and a custom banned password list. Microsoft has provided an agent that is run on every DC for this to work and collects logs regarding successful or failed attempts. I would like SEM to have these logs available to make it easier for the Security Team to find the logs instead of digging into each DC. This would also be helpful because we could alert on passwords being changed to known compromised passwords.


I opened a case with Support: Case # - 00321136


Azure AD Password Protection stores the logs here: \Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin
These events are the most helpful:

Outcome                                                                        Password change   Password set
Pass                                                                           10014             10015
Fail (due to customer password policy)                                         10016, 30002      10017, 30003
Fail (due to Microsoft password policy)                                        10016, 30004      10017, 30005
Fail (due to combined Microsoft and customer password policies)                10016, 30026      10017, 30027
Audit-only Pass (would have failed customer password policy)                   10024, 30008      10025, 30007
Audit-only Pass (would have failed Microsoft password policy)                  10024, 30010      10025, 30009
Audit-only Pass (would have failed combined Microsoft and customer policies)   10024, 30028      10025, 30029


Log Location is: C:\Windows\System32\winevt\Logs\Microsoft-AzureADPasswordProtection-DCAgent%4Admin.evtx


Example of XML Export:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-AzureADPasswordProtection-DCAgent" Guid="{FCE041B2-EACD-48A2-8E09-4D5D43C0FF69}" />
    <EventID>10015</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-05-29T13:36:24.434526600Z" />
    <EventRecordID>2339</EventRecordID>
    <Correlation ActivityID="{5EBC11EF-B8AF-47D2-A732-637B174A9AFA}" />
    <Execution ProcessID="576" ThreadID="4720" />
    <Channel>Microsoft-AzureADPasswordProtection-DCAgent/Admin</Channel>
    <Computer>DC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Data1">samaccountname</Data>
    <Data Name="Data2">display name</Data>
  </EventData>
</Event>
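As an added illustration (not code from SolarWinds, Microsoft or the original poster), the following Python parses exported DCAgent Admin events in the XML layout shown above, labels each one from the event ID table, and keeps only the events where the Microsoft known-compromised list was involved, which is the alert the request asks for. Account names, the DC01 computer name and the 30004/30009 sample events are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (operation, outcome) for each DCAgent Admin event ID in the table above
# (30008/30007 are mapped exactly as the table lists them).
EVENT_MAP = {
    10014: ("change", "pass"),                    10015: ("set", "pass"),
    10016: ("change", "fail"),                    10017: ("set", "fail"),
    10024: ("change", "audit-only pass"),         10025: ("set", "audit-only pass"),
    30002: ("change", "fail: customer policy"),   30003: ("set", "fail: customer policy"),
    30004: ("change", "fail: Microsoft policy"),  30005: ("set", "fail: Microsoft policy"),
    30026: ("change", "fail: combined policies"), 30027: ("set", "fail: combined policies"),
    30008: ("change", "audit-only: customer policy"),   30007: ("set", "audit-only: customer policy"),
    30010: ("change", "audit-only: Microsoft policy"),  30009: ("set", "audit-only: Microsoft policy"),
    30028: ("change", "audit-only: combined policies"), 30029: ("set", "audit-only: combined policies"),
}

def classify_event(xml_text):
    """Parse one exported DCAgent event and label it from EVENT_MAP."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    operation, outcome = EVENT_MAP.get(event_id, ("unknown", "unknown"))
    return {
        "event_id": event_id,
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "account": data.get("Data1"),  # Data1 carries the samaccountname in the export
        "operation": operation,
        "outcome": outcome,
        # Alert whenever the Microsoft global (known-compromised) list was involved.
        "alert": "Microsoft" in outcome or "combined" in outcome,
    }

def find_alerts(events_xml):
    """Classify a batch of event XML strings and keep the alert-worthy ones."""
    return [rec for rec in map(classify_event, events_xml) if rec["alert"]]

def _sample(event_id, account, time):
    # Constructed event in the export layout above (names are placeholders).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}" /><Computer>DC01</Computer></System>'
            f'<EventData><Data Name="Data1">{account}</Data></EventData></Event>')

SAMPLE_EVENTS = [
    _sample(10015, "svc_backup", "2019-05-29T13:36:24Z"),  # password set, passed
    _sample(30004, "jdoe", "2019-05-29T13:40:01Z"),        # change rejected by Microsoft list
    _sample(30009, "asmith", "2019-05-29T13:41:15Z"),      # set would have failed Microsoft list
]
```

Running find_alerts(SAMPLE_EVENTS) returns the jdoe and asmith records but not the passing svc_backup event; a SEM rule would key on the same event IDs.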
