Just a friendly reminder that the Microsoft sensitive operations report workbook exists and can be super helpful.
For those unfamiliar, it's an Azure Monitor workbook designed to capture activities/events that could be critical or impactful for Azure AD. Examples include:
- Modified application and service principal credentials/authentication methods
- New permissions granted to service principals
- Directory role and group membership updates for service principals
- Modified federation settings
To be clear, it's not a replacement for a modern SIEM (that's always necessary), but it's a nice mechanism for quickly observing potentially impactful actions happening in Azure AD.
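
As an added example (not part of the original post, and not the workbook's own queries), the sketch below sorts audit records into the four categories listed above. The record shape (`activityDisplayName`, `targetResources[].type`) and the activity-name strings are assumptions based on Azure AD audit log naming, and the sample records are constructed.

```python
# Added example: bucket Azure AD audit events into the categories the post lists.
# Activity names and record shape are assumptions, not the workbook's queries.
CREDENTIAL_OPS = ("add service principal credentials",
                  "certificates and secrets management")
PERMISSION_OPS = ("add app role assignment to service principal",
                  "add delegated permission grant")
MEMBERSHIP_OPS = ("add member to role", "add member to group")
FEDERATION_OPS = ("set federation settings on domain",
                  "set domain authentication")


def record(op, *types):
    """Build a minimal constructed audit record for the sample below."""
    return {"activityDisplayName": op,
            "targetResources": [{"type": t} for t in types]}


def classify(event):
    """Return the sensitive-operation category for one record, or None."""
    op = event.get("activityDisplayName", "").strip().lower()
    targets = {t.get("type", "").lower()
               for t in event.get("targetResources", [])}
    if any(s in op for s in CREDENTIAL_OPS):
        return "credential_change"
    if any(s in op for s in PERMISSION_OPS):
        return "permission_grant"
    # Membership changes count only when a service principal is the member.
    if op in MEMBERSHIP_OPS and "serviceprincipal" in targets:
        return "sp_membership_change"
    if op in FEDERATION_OPS:
        return "federation_change"
    return None


def summarize(events):
    """Count events per category, skipping records that match nothing."""
    counts = {}
    for event in events:
        category = classify(event)
        if category:
            counts[category] = counts.get(category, 0) + 1
    return counts


SAMPLE = [  # constructed records, not real tenant data
    record("Update application – Certificates and secrets management ",
           "Application"),
    record("Add app role assignment to service principal", "ServicePrincipal"),
    record("Add member to role", "ServicePrincipal", "Role"),
    record("Add member to group", "User", "Group"),  # user member: ignored
    record("Set federation settings on domain", "Other"),
    record("Update user", "User"),  # routine change: ignored
]
```

Running `summarize(SAMPLE)` on the constructed records yields one hit per category, with the user-only group change and the routine user update left out.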