[AzureADDS] Resolving TOC merge conflict

Author: iainfoulds

articles/active-directory-domain-services/TOC.yml

@@ -91,6 +91,8 @@
           href: password-policy.md
         - name: Enable security audit events
           href: security-audit-events.md
+        - name: Analyze audit events with Azure Monitor Workbooks
+          href: use-azure-monitor-workbooks.md
         - name: Secure remote access to VMs
           href: secure-remote-vm-access.md
     - name: Domain-join VMs

articles/active-directory-domain-services/media/use-azure-monitor-workbooks/account-activity-report-cropped.png

@@ -0,0 +1,116 @@
+---
+title: Use Azure Monitor Workbooks with Azure AD Domain Services | Microsoft Docs
+description: Learn how to use Azure Monitor Workbooks to review security audits and understand issues in an Azure Active Directory Domain Services managed domain.
+author: iainfoulds
+manager: daveba
+
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 03/18/2020
+ms.author: iainfou
+
+---
+# Review security audit events in Azure AD Domain Services using Azure Monitor Workbooks
+
+To help you understand the state of your Azure Active Directory Domain Services (Azure AD DS) managed domain, you can enable security audit events. These security audit events can then be reviewed using Azure Monitor Workbooks that combine text, analytics queries, and parameters into rich interactive reports. Azure AD DS includes workbook templates for security overview and account activity that let you dig into audit events and manage your environment.
+
+This article shows you how to use Azure Monitor Workbooks to review security audit events in Azure AD DS.
+
+## Before you begin
+
+To complete this article, you need the following resources and privileges:
+
+* An active Azure subscription.
+    * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
+    * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
+* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
+    * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
+* Security audit events enabled for your Azure Active Directory Domain Services managed domain that stream data to a Log Analytics workspace.
+    * If needed, [enable security audits for Azure Active Directory Domain Services][enable-security-audits].
+
+## Azure Monitor Workbooks overview
+
+When security audit events are turned on in Azure AD DS, it can be hard to analyze and identify issues in the managed domain. Azure Monitor lets you aggregate these security audit events and query the data. With Azure Monitor Workbooks, you can visualize this data to make it quicker and easier to identify issues.
+
+Workbook templates are curated reports that are designed for flexible reuse by multiple users and teams. When you open a workbook template, the data from your Azure Monitor environment is loaded. You can use templates without an impact on other users in your organization, and can save your own workbooks based on the template.
+
+Azure AD DS includes the following two workbook templates:
+
+* Security overview report
+* Account activity report
+
+For more information about how to edit and manage workbooks, see [Azure Monitor Workbooks overview](../azure-monitor/platform/workbooks-overview.md).
+
+## Use the security overview report workbook
+
+To help you better understand usage and identify potential security threats, the security overview report summarizes sign-in data and identifies accounts you might want to check on. You can view events in a particular date range, and drill down into specific sign-in events, such as bad password attempts or where the account was disabled.
+
+To access the workbook template for the security overview report, complete the following steps:
+
+1. Search for and select **Azure Active Directory Domain Services** in the Azure portal.
+1. Select your managed domain, such as *aaddscontoso.com*
+1. From the menu on the left-hand side, choose **Monitoring > Workbooks**
+
+    ![Select the Workbooks menu option in the Azure portal](./media/use-azure-monitor-workbooks/select-workbooks-in-azure-portal.png)
+
+1. Choose the **Security Overview Report**.
+1. From the drop-down menus at the top of the workbook, select your Azure subscription and then Azure Monitor workspace. Choose a **Time range**, such as *Last 7 days*.
+
+    ![Select the Workbooks menu option in the Azure portal](./media/use-azure-monitor-workbooks/select-query-filters.png)
+
+    The **Tile view** and **Chart view** options can also be changed to analyze and visualize the data as desired
+
+1. To drill down into a specific event type, select the one of the **Sign-in result** cards such as *Account Locked Out*, as shown in the following example:
+
+    ![Example Security Overview Report data visualized in Azure Monitor Workbooks](./media/use-azure-monitor-workbooks/example-security-overview-report.png)
+
+1. The lower part of the security overview report below the chart then breaks down the activity type selected. You can filter by usernames involved on the right-hand side, as shown in the following example report:
+
+    [![](./media/use-azure-monitor-workbooks/account-lockout-details-cropped.png "Details of account lockouts in Azure Monitor Workbooks")](./media/use-azure-monitor-workbooks/account-lockout-details.png#lightbox)
+
+## Use the account activity report workbook
+
+To help you troubleshoot issues for a specific user account, the account activity report breaks down detailed audit event log information. You can review when a bad username or password was provided during sign-in, and the source of the sign-in attempt.
+
+To access the workbook template for the account activity report, complete the following steps:
+
+1. Search for and select **Azure Active Directory Domain Services** in the Azure portal.
+1. Select your managed domain, such as *aaddscontoso.com*
+1. From the menu on the left-hand side, choose **Monitoring > Workbooks**
+1. Choose the **Account Activity Report**.
+1. From the drop-down menus at the top of the workbook, select your Azure subscription and then Azure Monitor workspace. Choose a **Time range**, such as *Last 30 days*, then how you want the **Tile view** to represent the data. You can filter by **Account username**, such as *felix*, as shown in the following example report:
+
+    [![](./media/use-azure-monitor-workbooks/account-activity-report-cropped.png "Account activity report in Azure Monitor Workbooks")](./media/use-azure-monitor-workbooks/account-activity-report.png#lightbox)
+
+    The area below the chart shows individual sign-in events along with information such as the activity result and source workstation. This information can help determine repeated sources of sign-in events that may cause account lockouts or indicate a potential attack.
+
+As with the security overview report, you can drill down into the different tiles at the top of the report to visualize and analyze the data as needed.
+
+## Save and edit workbooks
+
+The two template workbooks provided by Azure AD DS are a good place to start with your own data analysis. If you need to get more granular in the data queries and investigations, you can save your own workbooks and edit the queries.
+
+1. To save a copy of one of the workbook templates, select **Edit > Save as > Shared reports**, then provide a name and save it.
+1. From your own copy of the template, select **Edit** to enter the edit mode. You can choose the blue **Edit** button next to any part of the report and change it.
+
+All of the charts and tables in Azure Monitor Workbooks are generated using Kusto queries. For more information on creating your own queries, see [Azure Monitor log queries][azure-monitor-queries] and [Kusto queries tutorial][kusto-queries].
+
+## Next steps
+
+If you need to adjust password and lockout policies, see [Password and account lockout policies on managed domains][password-policy].
+
+For problems with users, learn how to troubleshoot [account sign-in problems][troubleshoot-sign-in] or [account lockout problems][troubleshoot-account-lockout].
+
+<!-- INTERNAL LINKS -->
+[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
+[create-azure-ad-ds-instance]: tutorial-create-instance.md
+[enable-security-audits]: security-audit-events.md
+[password-policy]: password-policy.md
+[troubleshoot-sign-in]: troubleshoot-sign-in.md
+[troubleshoot-account-lockout]: troubleshoot-account-lockout.md
+[azure-monitor-queries]: ../azure-monitor/log-query/query-language.md
+[kusto-queries]: https://docs.microsoft.com/azure/kusto/query/tutorial?pivots=azuredataexplorer

articles/active-directory-domain-services/media/use-azure-monitor-workbooks/account-activity-report.png

@@ -6,41 +6,25 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: article
-ms.date: 02/25/2020
+ms.date: 03/18/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: daveba
-ms.reviewer: calebb
+ms.reviewer: inbarc
 
 ms.collection: M365-identity-device-management
 ---
 # Custom controls (preview)
 
-Custom controls are a capability of the Azure Active Directory Premium P1 edition. When using custom controls, your users are redirected to a compatible service to satisfy further requirements outside of Azure Active Directory. To satisfy this control, a user's browser is redirected to the external service, performs any required authentication or validation activities, and is then redirected back to Azure Active Directory. Azure Active Directory verifies the response and, if the user was successfully authenticated or validated, the user continues in the Conditional Access flow.
+Custom controls is a preview capability of the Azure Active Directory. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements outside of Azure Active Directory. To satisfy this control, a user's browser is redirected to the external service, performs any required authentication, and is then redirected back to Azure Active Directory. Azure Active Directory verifies the response and, if the user was successfully authenticated or validated, the user continues in the Conditional Access flow.
 
-These controls allow the use of certain external or custom services as Conditional Access controls, and generally extend the capabilities of Conditional Access.
-
-Providers currently offering a compatible service include:
-
-- [Duo Security](https://duo.com/docs/azure-ca)
-- [Entrust Datacard](https://www.entrustdatacard.com/products/authentication/intellitrust)
-- [GSMA](https://mobileconnect.io/azure/)
-- [Ping Identity](https://documentation.pingidentity.com/pingid/pingidAdminGuide/index.shtml#pid_c_AzureADIntegration.html)
-- [RSA](https://community.rsa.com/docs/DOC-81278)
-- [SecureAuth](https://docs.secureauth.com/pages/viewpage.action?pageId=47238992#)
-- [Silverfort](https://www.silverfort.io/company/using-silverfort-mfa-with-azure-active-directory/)
-- [Symantec VIP](https://help.symantec.com/home/VIP_Integrate_with_Azure_AD)
-- [Thales (Gemalto)](https://resources.eu.safenetid.com/help/AzureMFA/Azure_Help/Index.htm)
-- [Trusona](https://www.trusona.com/docs/azure-ad-integration-guide)
-
-For more information on those services, contact the providers directly.
+> [!NOTE]
+> For more information about changes we are planning to the Custom Control capability, see the February 2020 [What's new update](../fundamentals/whats-new.md#upcoming-changes-to-custom-controls).
 
 ## Creating custom controls
 
-To create a custom control, you should first contact the provider that you wish to utilize. Each non-Microsoft provider has its own process and requirements to sign up, subscribe, or otherwise become a part of the service, and to indicate that you wish to integrate with Conditional Access. At that point, the provider will provide you with a block of data in JSON format. This data allows the provider and Conditional Access to work together for your tenant, creates the new control and defines how Conditional Access can tell if your users have successfully performed verification with the provider.
-
-Custom controls cannot be used with Identity Protection's automation requiring multi-factor authentication or to elevate roles in Privileged Identity Manager (PIM).
+Custom Controls works with a limited set of approved authentication providers. To create a custom control, you should first contact the provider that you wish to utilize. Each non-Microsoft provider has its own process and requirements to sign up, subscribe, or otherwise become a part of the service, and to indicate that you wish to integrate with Conditional Access. At that point, the provider will provide you with a block of data in JSON format. This data allows the provider and Conditional Access to work together for your tenant, creates the new control and defines how Conditional Access can tell if your users have successfully performed verification with the provider.
 
 Copy the JSON data and then paste it into the related textbox. Do not make any changes to the JSON unless you explicitly understand the change you're making. Making any change could break the connection between the provider and Microsoft and potentially lock you and your users out of your accounts.
 
@@ -64,6 +48,10 @@ To delete a custom control, you must first ensure that it isn't being used in an
 
 To edit a custom control, you must delete the current control and create a new control with the updated information.
 
+## Known limitations
+
+Custom controls cannot be used with Identity Protection's automation requiring Azure Multi-Factor Authentication, Azure AD self-service password reset (SSPR), satisfying multi-factor authentication claim requirements, or to elevate roles in Privileged Identity Manager (PIM).
+
 ## Next steps
 
 - [Conditional Access common policies](concept-conditional-access-policy-common.md)