ADFS Security Monitoring

  • Question

  • Good Day

    I am looking for a way to monitor several events in ADFS. First we need to monitor events such as logons and logoffs, along with changes made to claim rules.

    So far these are the general requirements. I have enabled the event logs in ADFS but am not receiving logon and logoff events in the "Security" node in Event Viewer, and am not sure how to enable auditing of claim rule changes or whether it can even be done.

    Any help would be appreciated
    Tuesday, January 7, 2020 10:27 AM

Answers

  • You don't have to install the Azure AD Connect Health Agent on the WAPs to get the login/audit information in the monitoring portal.

    But I'd install it on the WAPs as it will also tell you if something is wrong with them, should that be the case.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by mrgonzales Tuesday, January 14, 2020 1:51 PM
    Saturday, January 11, 2020 2:52 PM

All replies

  • Auditing of the AD FS service account is disabled by default. You need to enable security auditing for both success and failure.

    Get the details here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging

    Additionally, you may also get help from an Event Log Management Solution ( https://www.lepide.com/event-log-manager/ ) to manage all events from one console and create alerts for specific events.


    Tuesday, January 7, 2020 11:05 AM
  • ADFS Auditing settings and configurations are explained here:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging

    For the logons, it is quite straightforward. Note that, as mentioned in the aforementioned document, there are 2 settings to configure: one in ADFS, one at the OS level.

    Note that for the rule changes, it is easy to get that a rule has changed, but hard to get what the change was. You can script stuff eventually (like an event trigger exporting the rules once the event shows up).

    If you have an Azure AD Premium license, you can also use Azure AD Connect Health as an ADFS monitoring solution (even if you don't use Azure AD, you just need a license). Then you'll have stats and a dashboard online: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-adfs




    Tuesday, January 7, 2020 2:30 PM
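    The two settings and the "export the rules when the event shows up" idea from the reply above, as an added PowerShell example that is not from this thread or from Microsoft's documentation. It assumes AD FS on Windows Server 2016 or later, an export folder C:\AdfsAudit, a Snapshot.ps1 wrapper that calls the export function, and a placeholder <EVENT_ID> for the configuration-change audit event.

```powershell
# Added example, not from the thread. Run elevated on each AD FS server (AD FS 2016+).
# Assumed values: the C:\AdfsAudit folder, Snapshot.ps1 and the <EVENT_ID> placeholder.

# 1. AD FS-side setting: emit success and failure audit events.
Set-AdfsProperties -AuditLevel Verbose
Set-AdfsProperties -LogLevel @("Errors", "Warnings", "Information", "SuccessAudits", "FailureAudits")

# 2. OS-side setting: let the service write to the Security log. The AD FS service account
#    also needs the "Generate security audits" user right (Local Security Policy); not scripted here.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 3. Snapshot every trust's rule sets so two exports can be compared after a change event.
function Export-AdfsClaimRuleSnapshot {
    param([string]$OutDir = "C:\AdfsAudit")
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $rules = @()
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $rules += [pscustomobject]@{ Trust = "RP:$($rp.Name)"; Issuance = $rp.IssuanceTransformRules
            Authorization = $rp.IssuanceAuthorizationRules; Delegation = $rp.DelegationAuthorizationRules }
    }
    foreach ($cp in Get-AdfsClaimsProviderTrust) {
        $rules += [pscustomobject]@{ Trust = "CP:$($cp.Name)"; Issuance = $cp.AcceptanceTransformRules
            Authorization = $null; Delegation = $null }
    }
    $file = Join-Path $OutDir ("claimrules-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
    $rules | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
    return $file
}

# 4. Report trusts whose rules differ between the two newest snapshots (what actually changed).
function Compare-AdfsClaimRuleSnapshots {
    param([string]$OutDir = "C:\AdfsAudit")
    $files = Get-ChildItem $OutDir -Filter "claimrules-*.json" | Sort-Object LastWriteTime | Select-Object -Last 2
    if ($files.Count -lt 2) { return }
    $old = Get-Content $files[0].FullName -Raw | ConvertFrom-Json
    $new = Get-Content $files[1].FullName -Raw | ConvertFrom-Json
    foreach ($n in $new) {
        $o = $old | Where-Object { $_.Trust -eq $n.Trust }
        if (-not $o -or $o.Issuance -ne $n.Issuance -or $o.Authorization -ne $n.Authorization -or $o.Delegation -ne $n.Delegation) {
            Write-Output "Changed or new: $($n.Trust)"
        }
    }
}

# 5. Re-run the snapshot when the configuration-change audit event appears. Replace <EVENT_ID> with
#    the ID you observe in the Security log after a test edit; Snapshot.ps1 (assumed) calls step 3.
schtasks.exe /Create /TN "AdfsClaimRuleSnapshot" /SC ONEVENT /EC Security /MO "*[System[EventID=<EVENT_ID>]]" /TR "powershell.exe -NoProfile -File C:\AdfsAudit\Snapshot.ps1" /RU SYSTEM /F
```

    Run Export-AdfsClaimRuleSnapshot once to create the baseline; after the trigger fires, Compare-AdfsClaimRuleSnapshots names the trusts whose rule text differs so the full rule sets in the two JSON files can be diffed.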
  • Thanks, that helps a lot.... One more question: does this have to be done on all servers in the farm, and does it also need to be set up on the WAP servers? Do any agents need to be installed?
    Tuesday, January 7, 2020 8:50 PM
  • What will the event IDs be when the claim rules get edited?
    Tuesday, January 14, 2020 4:35 PM