Monitoring Active Directory: Both Azure AD and On-Premise AD – and How Synchronization and Federation Play In
Sponsored by Netwrix
© 2016 Monterey Technology Group Inc.
Preview of key points
• Today's hybrid Active Directory environment
  • On-Prem AD
  • Azure AD
  • Synchronization with Azure AD Connect
  • Federation
• Audit log management
  • On prem
  • Cloud
• Connecting it all together
• Enterprise audit and monitoring for the entire hybrid environment
On-Prem AD auditing
                 | System level                                        | Active Directory
-----------------+-----------------------------------------------------+-----------------------------------------------------
Scope            | Windows on Domain Controllers: user rights,         | Users, groups, computers, OUs, Group Policy Objects
                 | security policies, system operations, logons        |
Audit categories | All except those listed for Active Directory        | Account Management, Directory Service Access,
                 |                                                     | Directory Service Changes
Destination      | Security log on each domain controller              | Security log on each domain controller
Each domain controller records only the operations it processed itself, so collection has to cover every DC.
[Figure: domain controllers and their local Security Logs. Each DC runs Windows and AD and writes its own Security Log; the audit policy on every DC covers Account Management (user management, group management, computer management), the Directory Service categories (Audit Directory Service Changes) and all other Windows audit policies.]
Azure AD auditing
System level     | Not applicable
Active Directory | Users, groups, computers
Audit categories | Not applicable – on by default
Destination      | Initially the Azure AD Graph API (all Azure AD events); now also the Office 365 Unified Audit Log (Azure AD events), read through the Office 365 Management Activity API
[Figure: Azure Active Directory feeding two collection paths, the Azure AD Graph API and the Office 365 Management Activity API.]
Do you need to audit Azure AD?
• In almost all cases you are synchronizing on-prem AD to Azure AD
• So if Azure AD is just a projection of on-prem AD, why monitor it?
• Objects synced from on-prem are only a subset of the objects in Azure AD
  • Including very important tenant admin accounts
• That creates a blind spot against one of the most important risks:
  • An intruder gains privileged access to your tenant
[Figure: on-prem AD objects projected into Azure AD; the synced objects are only a subset of the objects in Azure AD.]
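The blind spot above can be measured rather than argued about. The script below is an added example (not from the deck and not Netwrix code): it lists every Azure AD user that holds an activated directory role but was not projected by Azure AD Connect, and warns when a new one appears compared with the previous run. It assumes the AzureAD PowerShell module that was current when this deck was written (on Microsoft Graph PowerShell the equivalents are Get-MgDirectoryRole, Get-MgDirectoryRoleMember and the user's OnPremisesSyncEnabled property), an account that can read directory roles, and an assumed baseline file path.

```powershell
# Added example, not from the deck: enumerate the objects on-prem auditing can never see,
# namely Azure AD users that hold a directory role but were not synced from on-prem AD.
# Assumes the AzureAD module and a reader that can list directory roles; $BaselinePath is assumed.
Import-Module AzureAD
Connect-AzureAD | Out-Null

function Get-CloudOnlyRoleMembers {
    # Get-AzureADDirectoryRole returns only roles that have been activated in the tenant.
    $rows = foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            # DirSyncEnabled is $true for objects projected by Azure AD Connect; $null or $false is cloud-only.
            # Service principals and groups are skipped here; they deserve their own review.
            if ($member.ObjectType -eq 'User' -and -not $member.DirSyncEnabled) {
                [pscustomobject]@{
                    Role              = $role.DisplayName
                    UserPrincipalName = $member.UserPrincipalName
                    AccountEnabled    = $member.AccountEnabled
                    ObjectId          = $member.ObjectId
                }
            }
        }
    }
    $rows | Sort-Object Role, UserPrincipalName
}

function Compare-CloudOnlyRoleMembers {
    param([string]$BaselinePath = "$env:ProgramData\aad-cloudonly-admins.json")  # assumed location
    $current = @(Get-CloudOnlyRoleMembers)
    $known = @{}
    if ((Test-Path $BaselinePath) -and (Get-Item $BaselinePath).Length -gt 0) {
        foreach ($b in @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)) {
            $known["$($b.Role)|$($b.UserPrincipalName)"] = $true
        }
        foreach ($c in $current) {
            if (-not $known.ContainsKey("$($c.Role)|$($c.UserPrincipalName)")) {
                # A privileged cloud-only account that did not exist at the last run is exactly the
                # "intruder gains privileged access to your tenant" case, or an admin nobody told you about.
                Write-Warning "New cloud-only privileged account: $($c.UserPrincipalName) in role '$($c.Role)'"
            }
        }
    }
    # Persist the current set as the baseline for the next run.
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath
    $current
}

Compare-CloudOnlyRoleMembers | Format-Table Role, UserPrincipalName, AccountEnabled -AutoSize
```

Run it on a schedule from a host whose own Security log is collected; the warning it emits is the event that on-prem auditing will never generate for you.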
How does federation affect the story?
• Federation impacts authentication, not account management and directory security
  • You still have on-prem AD and Azure AD
  • Both can still suffer harm from mistakes, unauthorized changes and intrusion
• Federation centralizes more of your authentication/logon audit log
• It provides a central chokepoint at which you can
  • Enforce policies
  • Observe access patterns and anomalies
  • Deny access
[Figure: AD FS (et al.) in front of on-prem AD and Azure AD; the synced objects remain a subset of the objects in Azure AD.]
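The chokepoint is only useful if its log is actually read. As an added example (not from the deck and not Netwrix code), the script below turns the AD FS farm's centralized logon audit into a password-spray detector: one client address failing against many distinct accounts in a short window. It assumes AD FS on Windows Server 2016 or later, where verbose auditing writes events 1200 (token issued), 1202 (credential validated) and 1203 (credential validation failed) to the Security log under the provider 'AD FS Auditing', and that the event's XML payload carries <UserId>, <IpAddress> and, behind a Web Application Proxy, <ForwardedIpAddress> elements; older AD FS versions log 411 in the 'AD FS/Admin' channel instead. The farm hostnames are placeholders.

```powershell
# Added example, not from the deck: watch the AD FS chokepoint for password spraying.
# Assumes AD FS 2016+ verbose auditing (Security log, provider 'AD FS Auditing', event 1203 on failure)
# and that the audit XML contains <UserId>, <IpAddress> and optionally <ForwardedIpAddress>.

# One-time configuration on each AD FS server (run elevated):
Set-AdfsProperties -AuditLevel Verbose
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null

function Get-AdfsLogonFailures {
    param(
        [string[]]$AdfsServers,                          # farm members, supplied by the caller
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    foreach ($server in $AdfsServers) {
        Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName      = 'Security'
            ProviderName = 'AD FS Auditing'
            Id           = 1203
            StartTime    = $Since
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $msg = $_.Message
            # Behind a WAP the real client is in ForwardedIpAddress; IpAddress is then the proxy.
            $client = if ($msg -match '<ForwardedIpAddress>([^<]+)</ForwardedIpAddress>') { $Matches[1] }
                      elseif ($msg -match '<IpAddress>([^<]+)</IpAddress>') { $Matches[1] }
                      else { '' }
            [pscustomobject]@{
                Server = $server
                Time   = $_.TimeCreated
                UserId = if ($msg -match '<UserId>([^<]*)</UserId>') { $Matches[1] } else { '' }
                Client = $client
            }
        }
    }
}

function Find-PasswordSpray {
    # Spray signature: a single client address failing against many distinct accounts.
    param(
        [object[]]$Failures,
        [int]$DistinctUserThreshold = 20
    )
    $Failures |
        Where-Object { $_.Client } |
        Group-Object Client |
        ForEach-Object {
            $users = @($_.Group | Select-Object -ExpandProperty UserId -Unique)
            if ($users.Count -ge $DistinctUserThreshold) {
                $ordered = $_.Group | Sort-Object Time
                [pscustomobject]@{
                    Client        = $_.Name
                    DistinctUsers = $users.Count
                    Failures      = $_.Count
                    FirstSeen     = ($ordered | Select-Object -First 1).Time
                    LastSeen      = ($ordered | Select-Object -Last 1).Time
                }
            }
        }
}

# Assumed farm hostnames; the window and threshold are starting points, tune them to your logon volume.
$failures = Get-AdfsLogonFailures -AdfsServers 'adfs1.corp.example', 'adfs2.corp.example'
Find-PasswordSpray -Failures $failures | Format-Table -AutoSize
```

The same 1200/1202 success events, grouped the same way, answer the "observe access patterns" bullet: a user whose successful logons suddenly arrive from a new country or from an address that was spraying an hour earlier is the anomaly worth paging on.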
Audit log management
On-Prem Active Directory
• Audit log policy
• Log collection
• Interpreting events
[Figure: domain controllers and their local Security Logs, each running Windows and AD, with a question mark where central collection and interpretation should be.]
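The question mark in the figure is the part nobody ships by default. The script below is an added example (not from the deck and not Netwrix code) that covers the three bullets for on-prem AD, using the audit categories from the "On-Prem AD auditing" table earlier: it enables the relevant subcategories, then collects Account Management, Directory Service Access and Directory Service Changes events from every domain controller and normalizes them into actor/target/detail rows. It assumes the ActiveDirectory module, a reader that can open each DC's Security log remotely, and that the SACLs on the objects you care about request change auditing (the default SACL on the domain head covers most of it; check with Get-Acl -Audit on the AD: drive). In practice the auditpol part is deployed through Group Policy (Advanced Audit Policy Configuration) so every DC gets an identical policy; it is shown inline here so the example is complete.

```powershell
# Added example, not from the deck: audit policy, collection and interpretation for on-prem AD.
# Assumes the ActiveDirectory module and read access to each DC's Security log. Run the auditpol
# part elevated on each DC (or push the same subcategories by GPO).
$subcategories = @(
    'User Account Management',
    'Computer Account Management',
    'Security Group Management',
    'Directory Service Access',
    'Directory Service Changes'
)
foreach ($sub in $subcategories) {
    # Failures matter too: a denied change is an attempted change.
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Event IDs per category. Each lands only in the Security log of the DC that processed the operation.
$accountMgmt = @(
    4720, 4722, 4724, 4725, 4726, 4738, 4740    # user created/enabled/pw reset/disabled/deleted/changed/locked
    4741, 4742, 4743                            # computer created/changed/deleted
    4728, 4729, 4732, 4733, 4756, 4757          # member added/removed: global, local, universal groups
)
$dsAccess  = 4662                               # operation on a directory object; very high volume
$dsChanges = 5136, 5137, 5141                   # object modified, created, deleted

function Get-AdAuditEvents {
    param(
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * | ForEach-Object HostName),
        [datetime]$Since = (Get-Date).AddHours(-24),
        [switch]$IncludeDirectoryServiceAccess  # 4662 is noisy; opt in deliberately
    )
    # Get-WinEvent's hashtable filter accepts only about 22 IDs per query; batch if you extend the list.
    $ids = $accountMgmt + $dsChanges
    if ($IncludeDirectoryServiceAccess) { $ids += $dsAccess }

    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields from the XML rather than regexing the rendered message text.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $target = if ($data.ObjectDN)       { $data.ObjectDN }                                # 513x
                      elseif ($data.ObjectName) { $data.ObjectName }                              # 4662
                      else { "$($data.TargetDomainName)\$($data.TargetUserName)" }                # 47xx account or group
            $detail = if ($data.AttributeLDAPDisplayName) { "$($data.AttributeLDAPDisplayName)=$($data.AttributeValue) ($($data.OperationType))" }
                      elseif ($data.MemberName) { "member=$($data.MemberName)" }
                      else { '' }
            [pscustomobject]@{
                DC       = $dc
                Time     = $_.TimeCreated
                Id       = $_.Id
                Category = if ($_.Id -in $accountMgmt) { 'Account Management' } elseif ($_.Id -eq 4662) { 'DS Access' } else { 'DS Changes' }
                Actor    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Target   = $target
                Detail   = $detail
            }
        }
    }
}

# Example question the normalized rows answer: who changed a privileged group's membership today, on any DC?
Get-AdAuditEvents | Where-Object { $_.Id -in 4728, 4732, 4756 } | Sort-Object Time | Format-Table -AutoSize
```

Ship the rows somewhere off the DC (a SIEM, a write-once archive) as soon as they are read: an intruder with Domain Admin can clear the local Security log, and 5136 on the group's member attribute is the record you will want when that happens.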
Audit log management
Azure AD
• Audit policy
• Log collection
  • Office 365 Management Activity API
  • Azure Graph API
• Interpreting events
[Figure: Azure Active Directory exposing its events through the Graph API and Office 365, with a question mark where central collection and interpretation should be.]
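The cloud side has the same question mark, and the collection path named above (the Office 365 Management Activity API, which is also the second destination in the "Azure AD auditing" table) is pull-based, so something has to pull. The script below is an added example (not from the deck and not Netwrix code) that obtains an app-only token, makes sure an Audit.AzureActiveDirectory subscription exists, walks the content blobs for a window, and flattens the records into actor/operation/target rows. It assumes an Azure AD app registration granted the ActivityFeed.Read application permission for the Office 365 Management APIs; the tenant and client identifiers are placeholders.

```powershell
# Added example, not from the deck: collect Azure AD audit records through the Office 365
# Management Activity API. $TenantId and $ClientId are placeholders; the app registration is
# assumed to hold ActivityFeed.Read (application permission).
$TenantId     = '00000000-0000-0000-0000-000000000000'   # assumed
$ClientId     = '11111111-1111-1111-1111-111111111111'   # assumed
$ClientSecret = Read-Host -AsSecureString 'Client secret'
$ContentType  = 'Audit.AzureActiveDirectory'
$Api          = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"

function Get-ManagementApiToken {
    # Client-credentials flow against the v1 token endpoint; the resource is the Management API itself.
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ClientSecret))
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plain
        resource      = 'https://manage.office.com'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body).access_token
}

function Get-AzureAdAuditRecords {
    param(
        [datetime]$Start = (Get-Date).ToUniversalTime().AddHours(-24),
        [datetime]$End   = (Get-Date).ToUniversalTime()
    )
    $headers = @{ Authorization = "Bearer $(Get-ManagementApiToken)" }

    # Content is only produced for an active subscription. Starting one that already exists returns
    # an error (AF20024), which is harmless, hence the empty catch.
    try {
        Invoke-RestMethod -Method Post -Headers $headers -Uri "$Api/subscriptions/start?contentType=$ContentType" | Out-Null
    } catch { }

    # The API accepts windows of at most 24 hours and keeps blobs for 7 days: poll at least daily.
    $fmt = 'yyyy-MM-ddTHH:mm:ss'
    $uri = "$Api/subscriptions/content?contentType=$ContentType&startTime=$($Start.ToString($fmt))&endTime=$($End.ToString($fmt))"
    while ($uri) {
        $resp = Invoke-WebRequest -Headers $headers -Uri $uri -UseBasicParsing
        foreach ($blob in ($resp.Content | ConvertFrom-Json)) {
            # Each blob is a JSON array of audit records, fetched with the same bearer token.
            foreach ($rec in (Invoke-RestMethod -Headers $headers -Uri $blob.contentUri)) {
                [pscustomobject]@{
                    Time      = [datetime]$rec.CreationTime
                    Operation = $rec.Operation
                    Actor     = $rec.UserId
                    Target    = ($rec.Target | ForEach-Object { $_.ID }) -join ';'
                    Result    = $rec.ResultStatus
                    Id        = $rec.Id
                }
            }
        }
        # Listing is paged through the NextPageUri response header; it is absent on the last page.
        $uri = [string]$resp.Headers['NextPageUri']
    }
}

# Example: the operations that matter most for tenant takeover (role membership, credential resets,
# service principal credentials, application consent).
Get-AzureAdAuditRecords |
    Where-Object { $_.Operation -match 'role|password|service principal credentials|Consent' } |
    Sort-Object Time | Format-Table -AutoSize
```

Record the Id of the last record you stored and de-duplicate on it: blobs can overlap across polls, and an audit pipeline that double-counts role additions is as misleading as one that drops them.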
Bottom line
• Active Directory is the foundation of security
  • On-prem
  • In the cloud
• Impossible to be compliant and secure without monitoring it
  • On-prem
  • In the cloud
• On-prem AD and Azure AD both do a fair job of generating audit events
• But what about
  • Collection
  • Search
  • Reporting
  • Secure archival
  • Correlation
  • Alerting
Check out Netwrix
Netwrix Auditor
A visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments by providing security analytics to detect anomalies in user behavior and investigate threat patterns before a data breach occurs.
About Netwrix Auditor
Netwrix Auditor Applications
Netwrix Auditor for Office 365
Netwrix Auditor for EMC
Netwrix Auditor for Active Directory
Netwrix Auditor for Windows File Servers
Netwrix Auditor for Windows Server
Netwrix Auditor for VMware
Netwrix Auditor for Exchange
Netwrix Auditor for SQL Server
Netwrix Auditor for SharePoint
Netwrix Auditor for NetApp
Netwrix Auditor Platform
Netwrix Auditor for Azure AD
Netwrix Auditor for Oracle Database
Why Netwrix Auditor?
Sharp focus on visibility and governance
Broadest coverage of on-premises and cloud systems
Truly integrated as opposed to multiple hard-to-integrate standalone tools from other vendors
Noise-free security analytics
Non-intrusive architecture
API-enabled ecosystem integrations
Cost-effective two-tiered storage (file-based + SQL database) holding consolidated audit data for more than 10 years
Fast, 15-minute deployment, with no professional services required
First-class, U.S.-based customer support with 97% customer satisfaction
Next Steps
Free Trial: setup in your own test environment
netwrix.com/freetrial
Virtual Appliance: get Netwrix Auditor up and running in minutes
netwrix.com/go/appliance
Test Drive: virtual POC, try in a Netwrix-hosted test lab
netwrix.com/testdrive
Live One-to-One Demo: product tour with Netwrix expert
netwrix.com/livedemo
Contact Sales to obtain more information
netwrix.com/contactsales
Upcoming and On-Demand Netwrix Webinars:
join upcoming webinars or watch the recorded sessions
netwrix.com/webinars
netwrix.com/webinars#featured