TODO: make the collection of user information more flexible. Currently only the company name is collected.
Azure AD sign-in logs can be sent to Log Analytics :)
On some tenants these logs can take up quite a bit of storage.
This project aims to consolidate those logs at a set time interval to lower the storage needed.
Admittedly these don't replace the original logs, but they can give a sense of the amount and type of sign-ins on a tenant.
Ok... bear with me there...
                                         +-----------+
                                         | Azure AD  |
                                         | User info |
                                         +-----+-----+
                                               |                           +--------------------+
                                               |                        -> | Log Analytics      |
+---------+   +-------+   +-----------+   +----v-----+   +-----------+ /   | "simple" dashboard |
| sign-in |   |       |   |  stream   |   |  Azure   |   |   Log     |/    +--------------------+
|  logs   +-->| event +-->| analytics +-->| function +-->| Analytics |
| ------- |   |  hub  |   |           |   |          |   |           |\    +-------------------+
+---------+   +-------+   +-----------+   +----^-----+   +-----------+ \   | Kibana            |
                                               |                        -> | dynamic dashboard |
                                          +----v----+                      +-------------------+
                                          |  redis  |
                                          |  cache  |
                                          +---------+
- Azure AD sign-in logs are configured to be exported to an Event Hub
- Stream Analytics picks up events from the Event Hub and concatenates them per time slice (e.g. hourly). The batched events are sent to an Azure Function for enrichment.
- The Azure Function receives the batch of events, fetches user information (company name) from Azure AD and caches it in Redis
- The aggregated and enriched information is sent to Log Analytics
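The consolidation step the list above describes, as an added example that is not the project's own function code. Both external services are replaced by stand-ins so it runs offline: a dict (DIRECTORY, hypothetical data) plays the Azure AD user lookup, and the UserInfoCache class plays the Redis cache. The event batch is constructed sample data in a simplified shape (createdDateTime, userPrincipalName, appDisplayName, resultType), not the exact exported sign-in log schema. Each batch is reduced to one row per (time slice, company name, application, outcome), which is the kind of record that would be written to Log Analytics in place of the raw events.

```python
"""Consolidate one batch of Azure AD sign-in events into per-time-slice rows.

Added example, not the project's own code. The external services are
replaced by stand-ins: a dict for the Azure AD user lookup and an
in-memory class for the Redis cache. Event field names are a simplified,
constructed shape, not the exact exported sign-in log schema.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample batch, in the role of what Stream Analytics hands to the function.
SAMPLE_BATCH = [
    {"createdDateTime": "2021-03-01T10:05:12Z", "userPrincipalName": "alice@contoso.com",
     "appDisplayName": "Office 365", "resultType": 0},
    {"createdDateTime": "2021-03-01T10:17:40Z", "userPrincipalName": "bob@fabrikam.com",
     "appDisplayName": "Azure Portal", "resultType": 50126},
    {"createdDateTime": "2021-03-01T10:59:01Z", "userPrincipalName": "Alice@contoso.com",
     "appDisplayName": "Office 365", "resultType": 0},
    {"createdDateTime": "2021-03-01T11:02:33Z", "userPrincipalName": "carol@contoso.com",
     "appDisplayName": "Office 365", "resultType": 0},
    {"createdDateTime": "2021-03-01T11:30:00Z", "userPrincipalName": "bob@fabrikam.com",
     "appDisplayName": "Azure Portal", "resultType": 0},
]

# Hypothetical directory data standing in for the Azure AD user lookup.
DIRECTORY = {
    "alice@contoso.com": "Contoso",
    "bob@fabrikam.com": "Fabrikam",
    "carol@contoso.com": None,  # user exists but has no company name set
}


def directory_lookup(upn):
    """Stand-in for the Azure AD call that returns a user's company name."""
    return DIRECTORY.get(upn)


class UserInfoCache:
    """Memoises per-user attributes; stands in for the Redis cache."""

    def __init__(self, lookup):
        self._lookup = lookup
        self._store = {}
        self.misses = 0  # how many times the directory had to be asked

    def company_name(self, upn):
        key = upn.lower()  # UPNs are case-insensitive; normalise before caching
        if key not in self._store:
            self.misses += 1
            # Unknown users and users without the attribute land in one bucket
            self._store[key] = self._lookup(key) or "unknown"
        return self._store[key]


def time_slice(timestamp, hours=1):
    """Floor an ISO-8601 UTC timestamp to the start of its `hours`-long slice."""
    dt = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    floored = dt.replace(hour=dt.hour - dt.hour % hours, minute=0, second=0, microsecond=0)
    return floored.strftime("%Y-%m-%dT%H:%M:%SZ")


def consolidate(batch, cache, hours=1):
    """Reduce raw events to one row per (slice, company, app, outcome)."""
    counts = Counter()
    users = defaultdict(set)
    for event in batch:
        slot = time_slice(event["createdDateTime"], hours)
        company = cache.company_name(event["userPrincipalName"])
        outcome = "success" if event["resultType"] == 0 else "failure"
        key = (slot, company, event["appDisplayName"], outcome)
        counts[key] += 1
        users[key].add(event["userPrincipalName"].lower())
    rows = []
    for key in sorted(counts):
        slot, company, app, outcome = key
        rows.append({
            "TimeSlice": slot, "CompanyName": company, "App": app, "Outcome": outcome,
            "SignInCount": counts[key], "DistinctUsers": len(users[key]),
        })
    return rows


if __name__ == "__main__":
    cache = UserInfoCache(directory_lookup)
    for row in consolidate(SAMPLE_BATCH, cache):
        print(json.dumps(row))  # one JSON row per aggregate, ready for Log Analytics
    print(f"{len(SAMPLE_BATCH)} events, {cache.misses} directory lookups")
```

The five sample events collapse to four rows, and the cache means the directory is only asked three times (once per distinct user), which is the point of putting Redis in front of Azure AD. The failed sign-in is kept as its own row so a count of failures per company and application survives the consolidation even though the original events do not.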
TODO: complete setup instructions