Admins, on your checklist of must-dos, monitoring Microsoft 365 user activities, Entra ID sign-ins, and identity protection risk analysis top the charts. You might start by peeking into Microsoft 365 audit logs and sign-in data for improved identity and access management. But wait, here’s the twist! 🙄

❌ Sorting through a heap of Microsoft 365 audit logs filled with all sorts of user and application activities can be overwhelming. And trying to make sense of specific details using filters? Let’s just say it’s no walk in the park. 💯

❌ You know, pictures are worth a thousand words and all that! Unfortunately, Microsoft 365 audit and sign-in logs lack visually engaging representations for vital aspects such as Microsoft 365 apps, sign-ins, Conditional Access, and SSPR. 📊

But don’t worry! Microsoft gave two extra tools to help you out: Log Analytics and Microsoft Entra workbooks. Let’s see how these tools make the Microsoft 365 monitoring job a whole lot easier! 👇

What is Log Analytics in Microsoft Azure?

You might be wondering why we’re discussing Log Analytics when our focus is Workbooks. That’s a valid question! Workbooks rely on Log Analytics to fetch Entra logs. So, let’s look at it in detail!

Log Analytics in Microsoft Azure helps you to collect, analyze, and visualize data from Azure Monitor logs. With Log Analytics, you can monitor Azure AD sign-in logs, user provisioning status, application activities, and Conditional Access policies by querying data using the Kusto Query Language (KQL).

How to Use Log Analytics in Microsoft Entra ID?

To use Log Analytics in Microsoft Entra ID, complete the following steps.

1. Create a Log Analytics Workspace in Microsoft Azure:

To create a Log Analytics workspace, you need an active Azure subscription. The first step is then to configure a dedicated Log Analytics workspace in Azure Monitor. This workspace acts as a secure central repository for your log data.

2. Configure Diagnostic Settings in Entra ID:

Within the “Monitoring & health” section of Entra ID, you need to configure diagnostic settings. This allows you to specify which logs (such as audit logs and sign-in logs) you want to collect and stream them to the designated Log Analytics workspace you created in Azure Monitor.

3. Analyze Data Using Kusto Query Language (KQL):

Once the data is collected in the workspace, you can utilize KQL to write queries for searching and analyzing the logs in Log Analytics. This enables you to identify trends, patterns, and potential security threats in Microsoft 365.

To run the KQL queries in Microsoft Entra Log Analytics and get audit or sign-in logs, follow the navigation below.

Microsoft Entra admin center → Monitoring & health → Log Analytics

Merely clicking on the “Log Analytics” option in Entra ID will show the error message below.

Log Analytics integration not enabled. This Microsoft Entra tenant is not currently enabled to send logs to Log Analytics.

To view and access Log Analytics, you need to complete the first two steps.
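
With both prerequisites in place, a query like the following can be run from Log Analytics. It is an added example, not a query from the original post or from Microsoft's templates: it groups failed sign-ins by source IP to surface addresses that fail against many accounts. It assumes the SignInLogs category is streamed to the workspace (where it lands in the SigninLogs table); the 7-day window and the threshold of 10 are constructed values.

```kusto
// Added example: failed Entra ID sign-ins grouped by source IP.
// Assumption: the SignInLogs diagnostic category is sent to this workspace.
let lookback    = 7d;    // constructed window, adjust as needed
let minFailures = 10;    // constructed threshold, tune to your tenant
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                  // "0" is success; any other value is an error code
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(UserPrincipalName),
    SampleUsers    = make_set(UserPrincipalName, 5),
    ErrorCodes     = make_set(ResultType, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by IPAddress, Location
| where FailedAttempts >= minFailures
// One IP failing against many different accounts is worth a closer look
| order by DistinctUsers desc, FailedAttempts desc
```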

P.S.: The above is an overall explanation of how Log Analytics gives us data. Don’t worry about the steps above; we explain them in detail, as they are the prerequisites for workbooks in Entra ID.

Pros of Using Log Analytics in Microsoft Entra ID

  • Log Analytics allows you to get alerts for risky sign-ins in Microsoft Entra ID, which will notify you via email when the conditions are met.
  • You can export query results, including the count of MFA prompts by CA policy, security defaults, per-user MFA, and more.
  • You can adjust the time frame of your queries to focus on specific periods of data.
  • Instead of starting from scratch, you can take advantage of pre-built queries for quicker analysis.
  • You can refine your query results by applying filters, sorting them in a desired order, and grouping related data together using KQL.
  • Logs such as Azure AD user sign-in logs, audit logs, Conditional Access policies and others can be visualized using bar charts for easier auditing.

Cons of Microsoft Entra Log Analytics

  • Analyzing data in Log Analytics means running queries one by one, and there’s no built-in dashboard to see multiple query results at once.
  • Plus, it lacks some visualization options, such as maps or customizable tiles, which would make it easier for beginners to interpret the data.

These downsides really affect Log Analytics in Microsoft Azure. Having consolidated reports and better visuals is crucial for understanding things well and making quick decisions. But where can we find something that meets these needs? Don’t worry! There’s a better solution coming up – Microsoft Entra workbooks. 🚀

What are Workbooks in Entra ID?

Microsoft Entra workbooks are used to customize your own interactive dashboards using data from different Azure resources. With workbooks, you can generate visually appealing and easy-to-understand reports and charts on Microsoft 365 logs, offering a consolidated view of your required data. 😎

Workbooks are available both in Microsoft Entra ID and Azure Monitor. While the concepts and processes remain consistent across both types of workbooks, there are some distinctions. Workbooks in Microsoft Entra ID specifically focus on identity and access management scenarios alone. For example, with Azure workbooks for Entra ID, you can:

  • Monitor risky sign-ins in Microsoft 365.
  • Audit Microsoft 365 user and admin activity.
  • Export Microsoft 365 SSPR status reports.
  • Investigate Azure AD protection risky users.
  • Get service-principal sign-in report.
  • Monitor sign-in logs in Microsoft 365.
  • Get the last successful sign-in date report for Microsoft 365 users.

Benefits of Microsoft Entra Workbooks:

  • Shareable Reports: The reports you generate using your queries are easily shareable. This means you can effortlessly obtain and share handy reports on the effectiveness of Conditional Access policies, SSPR, and other crucial access management data with your co-admins.
  • Parameter-based Filtering and Visualization: Importantly, you can use parameters as filters to obtain your desired Entra user activities alone from a heap of sign-in and audit logs. Additionally, you can present this data with a variety of visualizations like pie charts, bar charts, and tiles, which will be useful to identify and troubleshoot security gaps effectively.

How to Use Azure AD Workbooks?

Just clicking on the “Workbooks” option in Entra ID won’t be enough; you’ll encounter the same error message as you would in the Log Analytics section.

To access and create identity workbooks in Microsoft Entra, there are a series of steps. Before getting into the steps, check the respective roles and licenses needed.

Subscription: Azure Subscription
License: Microsoft Entra ID Premium P1
Role:
  • Read-only access (to view only, query data in workbooks): Reports Reader, Security Reader, Global Reader
  • Update (extra capability to create and edit diagnostic settings to send to Log Analytics workspace): Security Administrator

Here are the detailed steps to use Entra workbooks in Microsoft 365.

  1. Create a Log Analytics workspace in Microsoft Azure Monitor.
  2. Configure diagnostic settings in Microsoft Entra ID.
  3. Use Workbooks to analyze Microsoft Entra activity logs.

1. Create a Log Analytics Workspace in Microsoft Azure Monitor

As mentioned earlier, a Log Analytics workspace serves as the logical storage unit where your log data is collected and stored. Entra workbooks will utilize the data from this workspace and present you with a visual representation of Entra logs.

So, you need to create a Log Analytics workspace by following the steps below.

1. Sign in to the Azure portal.
2. In the search box, type “Log Analytics workspaces” and select it from the search results.
3. Click on “+ Create” to start creating a new workspace.
4. On the “Create Log Analytics workspace” page, you’ll need to specify the following options:

  • Subscriptions: Choose your Azure subscription from the dropdown menu.
  • Resource Group: Select an existing resource group from the dropdown menu or create a new one by clicking “+ Create new” and providing a name.
    • The resource group is a logical container that helps you organize and manage related Azure services.
  • Workspace name: Enter a suitable name for your workspace.
  • Region: Choose the Azure subscription location from the dropdown menu, such as “Central US”.

5. After filling in these options, click on “Review + Create” at the bottom of the page.
6. Once the validation is passed and there are no errors, click on “Create” to deploy the workspace in Azure.


You might think that by creating a workspace, we’ve cleared the prerequisite for accessing workbooks. However, that’s not the case. Think of it like setting up a storage place without any data stored in it yet. To use workbooks and produce user-friendly, interactive logs and data dashboards, you must fetch data into the workspace. To do it, let’s follow the steps below.

2. Configure Diagnostic Settings in Microsoft Entra ID

Diagnostic settings in Entra ID are used to fetch Entra logs and metrics from a resource to a destination. You can create up to five diagnostic settings to export various logs and metrics to different destinations.

This is a crucial step, as it enables us to fetch Microsoft Entra activity logs to a Log Analytics Workspace using this feature.

To configure diagnostic settings for Microsoft Entra logs, follow these steps:

1. Sign in to the Microsoft Entra admin center.
2. Navigate to the Identity section and select “Diagnostic settings” from the Monitoring & health section.
3. Click the “+ Add diagnostic setting” link.
4. Provide a suitable name for your new diagnostic setting.
5. Under the Logs section, choose categories like AuditLogs, SignInLogs, or any other Entra logs you wish to export and analyze.
6. In the Destination details section, select the “Send to Log Analytics workspace” option.
7. Specify the respective subscription and the created Log Analytics workspace from the dropdown.
8. Finally, proceed to save the diagnostic settings.


3. How to Use Microsoft Entra Workbooks to Analyze M365 Activity Logs?

That’s it! You have successfully exported the Entra logs to the dedicated Log Analytics workspace. Now, you can analyze identity and access management activities via workbooks.

To access Microsoft Entra workbooks, navigate to

Microsoft Entra admin center → Monitoring & health → Workbooks

Once done, you will land on the Workbooks page with four tabs.

  • All: Shows all the items, such as workbooks, public templates, and my templates.
  • Workbooks: Lists all your created or shared workbooks.
  • Public Templates: Displays ready-to-use workbook templates from Microsoft.
  • My Templates: Templates that are shared with you.

Microsoft provides public templates designed to serve as starting points with reusable capabilities, classified under different categories. Some of the public templates are:

Authentication Prompts Analysis Workbook

With this authentication prompts analysis workbook, you can get:

  • Count of MFA prompts by authentication method, device state, application, user.
  • Average MFA prompts based on applications.
  • Total count of interactive and non-interactive sign-ins.
  • MFA prompts by CA policy, security defaults, per-user MFA, and more.

Conditional Access Gap Analyzer Workbook

With this Conditional Access gap analyzer workbook, you can get:

  • Sign-ins using legacy authentication in Microsoft 365.
  • Number of sign-ins by application not satisfied by CA policies.
  • High-risk sign-ins bypassing Conditional Access policies.
  • Conditional Access policy impact on sign-ins.
  • Named locations with no Conditional Access.

Cross-tenant Access Activity Workbook

With this workbook, you can get:

  • List of inbound and outbound access activity by tenant ID.
  • Sign-in status for inbound and outbound collaboration.
  • Applications accessed by inbound and outbound collaboration.
  • Number of external tenants with cross-tenant access activity.
  • Inbound sign-ins from external Microsoft Entra organizations.
  • All outbound sign-ins by your users to external Microsoft Entra organizations.

Sign-ins Analysis Workbook (Preview)

With this sign-in failure analysis workbook, you can get:

  • Summary of Entra ID sign-ins.
  • Top sign-in errors by Microsoft 365 user and IP.
  • Sign-in by location.

The templates above are only a few of those available; there are also the MFA gaps workbook, Conditional Access insights and reporting, and risk-based access policies workbook templates. When you open a pre-built template, a workbook is automatically generated and filled with the content from the template. This allows users to quickly access pre-configured structures and data. But you can also edit the built-in templates based on your requirements. Let’s see that in detail!

Edit Workbook Templates in Microsoft 365

Initially, the Workbook templates are presented in a read-only format, ensuring the preservation of the original template. However, users can modify the default template using the “Edit” option, accessible under each object in the workbook.


This enables users to tailor texts, parameters, links, and queries according to their requirements. For example, you can tweak the pre-built workbook templates to:

✅ View Conditional Access policies in report-only mode.
✅ Get sign-ins successfully blocked by CA policy.
✅ Find applications not protected by CA policies.
✅ Export M365 users’ self-service password reset status.
✅ Get Conditional Access policies that require MFA for admin portals.
✅ Monitor sign-in logs of Microsoft 365 admins.
✅ View all Microsoft 365 users’ last logon time.
✅ Check the last login date for admins.
✅ Get MFA-enabled users report.
✅ List Office 365 users without MFA.
✅ Audit Office 365 user activity report.
✅ Export Office 365 users’ activity history for the past 90 days.
✅ Get service principal sign-in count over time.
✅ Analyze excessive MFA prompts on specific users.
✅ Get risk-based Conditional Access policies.
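
One way a query step in an edited workbook could cover the "applications not protected by CA policies" case, as an added example that is not taken from Microsoft's templates or from the original post. It assumes sign-in logs land in the SigninLogs table; the 14-day window and the list of modern client types are constructed assumptions.

```kusto
// Added example: successful sign-ins that no Conditional Access policy applied to,
// broken down per application, with legacy-auth and high-risk counts.
let lookback      = 14d;   // constructed window
// Assumption: any client type other than these is treated as legacy authentication
let modernClients = dynamic(["Browser", "Mobile Apps and Desktop clients"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                          // successful sign-ins only
| where ConditionalAccessStatus == "notApplied"    // no CA policy evaluated for this sign-in
| extend IsLegacyAuth = isnotempty(ClientAppUsed) and ClientAppUsed !in (modernClients)
| extend IsHighRisk   = RiskLevelDuringSignIn == "high"
| summarize
    SignIns           = count(),
    LegacyAuthSignIns = countif(IsLegacyAuth),
    HighRiskSignIns   = countif(IsHighRisk),
    Users             = dcount(UserPrincipalName)
  by AppDisplayName
// Applications at the top are the first candidates for a new or widened CA policy
| order by HighRiskSignIns desc, LegacyAuthSignIns desc, SignIns desc
```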

Upon completing the modifications, users can save the workbook by selecting “Done Editing” and providing necessary details such as an appropriate name, subscription, resource group, and location. Subsequently, the modified workbook is stored in the “Workbooks” gallery tab, offering easy access and management for future use.

Summing Up

The best part? You can also craft your own personalized Entra workbook tailored to your specific insights on Entra activity logs effortlessly. How? Stay tuned for our upcoming blog where we will guide you through each step, empowering you with the complete know-how to create a personalized workbook in Entra ID.

We trust this blog has provided you with an overall understanding of how to use Entra workbooks effectively. Moreover, if you have any queries, don’t hesitate to reach out to us. We’re here to help.