Merge pull request #178861 from MarkusVi/workbook01

Workbook01

Author: ttorble

articles/active-directory/reports-monitoring/media/workbook-conditional-access-gap-analyzer/conditianal-access-by-location.png

@@ -117,3 +117,9 @@
     href: reports-faq.yml
   - name: Sign-in log schema
     href: reference-azure-monitor-sign-ins-log-schema.md
+  - name: Workbooks
+    items:
+    - name: Conditional access gap analyzer
+      href: workbook-conditional-access-gap-analyzer.md
+    - name: Sensitive Operations Report 
+      href: workbook-sensitive-operations-report.md

articles/active-directory/reports-monitoring/media/workbook-conditional-access-gap-analyzer/time-range.png

@@ -0,0 +1,91 @@
+---
+
+title: Conditional access gap analyzer workbook in  Azure AD | Microsoft Docs
+description: Learn how to use the conditional access gap analyzer workbook.
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: karenho
+editor: ''
+
+ms.service: active-directory
+ms.topic: reference
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 11/05/2021
+ms.author: markvi
+ms.reviewer: sarbar 
+
+ms.collection: M365-identity-device-management
+---
+
+# Conditional access gap analyzer workbook
+
+In Azure AD, you can protect access to your resources by configuring conditional access policies.
+As an IT administrator, you want to ensure that your conditional access policies work as expected to ensure that your resources are properly protected. With the conditional access gap analyzer workbook, you can detect gaps in your conditional access implementation.  
+
+This article provides you with an overview of this workbook.
+
+
+## Description
+
+![Workbook category](./media/workbook-conditional-access-gap-analyzer/workbook-category.png)
+
+As an IT administrator, you want to make sure that only the right people can access your resources. Azure AD conditional access helps you to accomplish this goal.  
+
+The conditional access gap analyzer workbook helps you to verify that your conditional access policies work as expected.
+
+**This workbook:**
+
+- Highlights user sign-ins that have no conditional access policies applied to them. 
+- Allows you to ensure that there are no users, applications, or locations that have been unintentionally excluded from conditional access policies.  
+
+ 
+
+## Sections
+
+
+The workbook has four sections:  
+
+- Users signing in using legacy authentication 
+
+- Number of sign-ins by applications that are not impacted by conditional access policies 
+
+- High risk sign-in events bypassing conditional access policies 
+
+- Number of sign-ins by location that were not affected by conditional access policies 
+
+
+![Conditional access coverage by location](./media/workbook-conditional-access-gap-analyzer/conditianal-access-by-location.png)
+
+Each of these trends offers a breakdown of sign-ins to the user level, so that you can see which users per scenario are bypassing conditional access. 
+
+## Filters
+
+This workbook supports setting a time range filter.
+
+![Time range filter](./media/workbook-conditional-access-gap-analyzer/time-range.png)
+
+
+
+## Best practices
+
+Use this workbook to ensure that your tenant is configured to the following Conditional Access best practices:  
+
+- Block all legacy authentication sign-ins 
+
+- Apply at least one Conditional Access Policy to every application 
+
+- Block all high risk sign-ins  
+
+- Block sign-ins from untrusted locations  
+
+ 
+
+
+
+
+
+## Next steps
+
+- [How to use Azure AD workbooks](howto-use-azure-monitor-workbooks.md)

articles/active-directory/reports-monitoring/media/workbook-conditional-access-gap-analyzer/workbook-category.png

@@ -0,0 +1,161 @@
+---
+
+title: Sensitive operations report workbook in  Azure AD | Microsoft Docs
+description: Learn how to use the sensitive operations report workbook.
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: karenho
+editor: ''
+
+ms.service: active-directory
+ms.topic: reference
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 11/05/2021
+ms.author: markvi
+ms.reviewer: sarbar 
+
+ms.collection: M365-identity-device-management
+---
+
+# Sensitive operations report workbook
+
+As an It administrator, you need to be able to identify compromises in your environment to ensure that you can keep it in a healthy state. 
+
+The sensitive operations report workbook is intended to help identify suspicious application and service principal activity that may indicate compromises in your environment.
+
+
+This article provides you with an overview of this workbook.
+
+
+## Description
+
+![Workbook category](./media/workbook-sensitive-operations-report/workbook-category.png)
+
+This workbook identifies recent sensitive operations that have been performed in your tenant and which may service principal compromise.
+
+If your organization is new to Azure monitor workbooks, you need to integrate your Azure AD sign-in and audit logs with Azure Monitor before accessing the workbook. This allows you to store, and query, and visualize your logs using workbooks for up to two years. Only sign-in and audit events created after Azure Monitor integration will be stored, so the workbook will not contain insights prior to that date. Learn more about the prerequisites to Azure Monitor workbooks for Azure Active Directory. If you have previously integrated your Azure AD sign-in and audit logs with Azure Monitor, you can use the workbook to assess past information. 
+ 
+ 
+
+## Sections
+
+This workbook is split into four sections:
+
+![Workbook sections](./media/workbook-sensitive-operations-report/workbook-sections.png)
+
+
+- **Modified application and service principal credentials/authentication methods** - This report flags actors who have recently changed many service principal credentials, as well as how many of each type of service principal credentials have been changed.
+
+- **New permissions granted to service principals** - This workbook also highlights recently granted OAuth 2.0 permissions to service principals. 
+
+- **Directory role and group membership updates for service principals**
+
+
+
+- **Modified federation settings** - This report highlights when a user or application modifies federation settings on a domain. For example, it reports when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification to domain federation settings should be rare. 
+
+
+
+
+### Modified application and service principal credentials/authentication methods
+
+One of the most common ways for attackers to gain persistence in the environment is by adding new credentials to existing applications and service principals. The credentials allow the attacker to authenticate as the target application or service principal, granting them access to all resources to which it has permissions.
+
+This section includes the following data to help you detect:
+
+- All new credentials added to apps and service principals, including the credential type
+
+- Top actors and the amount of credentials modifications they performed
+
+- A timeline for all credential changes
+
+
+
+### New permissions granted to service principals
+
+In cases where the attacker cannot find a service principal or an application with a high privilege set of permissions through which to gain access, they will often attempt to add the permissions to another service principal or app.
+
+This section includes a breakdown of the AppOnly permissions grants to existing service principals. Admins should investigate any instances of excessive high permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph and Azure AD Graph.
+
+
+### Directory role and group membership updates for service principals 
+
+Following the logic of the attacker adding new permissions to existing service principals and applications, another approach is adding them to existing directory roles or groups.
+
+This section includes an overview of all changes made to service principal memberships and should be reviewed for any additions to high privilege roles and groups.
+
+
+
+### Modified federation settings
+
+Another common approach to gain a long-term foothold in the environment is to:
+
+- Modify the tenant’s federated domain trusts.
+- Add an additional SAML IDP that is controlled by the attacker as a trusted authentication source. 
+
+This section includes the following data:
+
+- Changes performed to existing domain federation trusts
+
+- Addition of new domains and trusts
+
+
+  
+
+
+## Filters
+
+This paragraph lists the supported filters for each section.
+
+
+### Modified Application and Service Principal Credentials/Authentication Methods
+
+- Time range
+- Operation name
+- Credential
+- Actor
+- Exclude actor
+
+
+### New permissions granted to service principals
+
+- Time range
+- Client app
+- Resource
+
+### Directory role and group membership updates to service principals
+
+- Time range
+- Operation
+- Initiating user or app
+
+### Modified federation settings
+
+- Time range
+- Operation
+- Initiating user or app
+
+
+
+
+## Best practices
+
+
+**Use:**
+ 
+- **Modified application and service principal credentials** to look out for credentials being added to service principals that are not frequently used in your organization. Use the filters present in this section to further investigate any of the suspicious actors or service principals that were modified.
+
+
+- **New permissions granted to service principals** to look out for broad or excessive permissions being added to service principals by actors that may be compromised.  
+
+- **Modified federation settings** section to confirm that the added or modified target domain/URL is a legitimate admin behavior. Actions that modify or add domain federation trusts are rare and should be treated as high fidelity to be investigated as soon as possible.
+
+
+
+
+
+## Next steps
+
+- [How to use Azure AD workbooks](howto-use-azure-monitor-workbooks.md)