workbooks-120424

docs/identity/app-provisioning/application-provisioning-log-analytics.md

@@ -1,13 +1,13 @@
 ---
-title: Understand how Provisioning integrates with Azure Monitor logs in Microsoft Entra ID.
-description: Understand how Provisioning integrates with Azure Monitor logs in Microsoft Entra ID.
-
+title: Learn how Provisioning logs integrate with Azure Monitor
+description: Learn how to integrate Microsoft Entra Provisioning logs with Azure Monitor logs and use the associated workbooks.
+ 
 author: kenwith
 manager: amycolannino
 ms.service: entra-id
 ms.subservice: app-provisioning
 ms.topic: conceptual
-ms.date: 11/01/2024
+ms.date: 12/04/2024
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -137,31 +137,45 @@ AADProvisioningLogs
 ```
 ## Custom alerts
 
-Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
+Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures spikes in disables or deletes. You might also want to be alerted if there is a lack of any provisioning, which indicates something is wrong.
 
-To learn more about alerts, see [Azure Monitor Log Alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule).
+To learn more about alerts, see [Azure Monitor Log Alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule). There are many options and configurations, so review the documentation. But at a very high-level, here's how you can create an alert:
 
-Alert when there's a spike in failures. Replace the jobID with the jobID for your application.
+1. From Log Analytics, select **+ New alert rule**.
+1. On the **Condition** tab, select the **View result and edit query in Logs** link.
+1. Enter a query you want to alert on, and complete the necessary fields to create the alert.
 
-:::image type="content" source="media/application-provisioning-log-analytics/alert1.png" alt-text="Screenshot of an alert when there's a spike in failures." lightbox="media/application-provisioning-log-analytics/alert1.png":::
+In each of the examples, replace `jobId` with the ID for your application.
 
-There might be an issue that caused the provisioning service to stop running. Use the following alert to detect when there are no provisioning events during a given time interval.
+To create an alert when there's a spike in failures:
 
-:::image type="content" source="media/application-provisioning-log-analytics/alert2.png" alt-text="Screenshot of a provisioning log error message." lightbox="media/application-provisioning-log-analytics/alert2.png":::
+```kusto
+AADProvisioningLogs
+| where JobId == "FacebookAtWorkOutDelta.536279f615cc45f2be2d61e352b51eef.7a962c2b-318d-45a7-8cc0-486173dccfd7"
+| where ResultType == "Failure"
+```
 
-Alert when there's a spike in disables or deletes.
+There might be an issue that caused the provisioning service to stop running. Use the following query to detect when there are no provisioning events during a given time interval.
 
-:::image type="content" source="media/application-provisioning-log-analytics/alert3.png" alt-text="Screenshot of an alert when there's a spike in disables or deletes." lightbox="media/application-provisioning-log-analytics/alert3.png":::
+```kusto
+AADProvisioningLogs
+| take 1
+```
+
+To create an alert when there's a spike in disables or deletes:
 
+```kusto
+AADProvisioningLogs
+| where Action in ("Disable", "Delete")
+```
 
 ## Community contributions
 
 We're taking an open source and community-based approach to application provisioning queries and dashboards. Build a query, alert, or workbook that you think is useful to others, then publish it to the [AzureMonitorCommunity GitHub repo](https://github.com/microsoft/AzureMonitorCommunity). Shoot us an email with a link. We review and publish queries and dashboards to the service so others benefit too. Contact us at provisioningfeedback@microsoft.com.
 
 ## Next steps
 
-- [Log analytics](~/identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md)
+- [Integrate Microsoft Entra logs with Azure Monitor logs](~/identity/monitoring-health/howto-integrate-logs-with-azure-monitor-logs.md)
 - [Get started with queries in Azure Monitor logs](/azure/azure-monitor/logs/get-started-queries)
 - [Create and manage alert groups in the Azure portal](/azure/azure-monitor/alerts/action-groups)
-- [Install and use the log analytics views for Microsoft Entra ID](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview)
 - [Provisioning logs API](/graph/api/resources/provisioningobjectsummary?preserve-view=true&view=graph-rest-beta)

docs/identity/app-provisioning/breadcrumb/toc.yml

@@ -9,4 +9,4 @@ items:
     items:
     - name: Application provisioning
       tocHref: /entra/identity/monitoring-health/
-      topicHref: /entra/identity/app-provisioning/
+      topicHref: /entra/identity/app-provisioning/

docs/identity/enterprise-apps/tutorial-govern-monitor.md

@@ -1,13 +1,13 @@
 ---
 title: "Tutorial: Govern and monitor applications"
-description: In this tutorial, you learn how to govern and monitor an application in Microsoft Entra ID.
+description: Learn how to govern and monitor an application in Microsoft Entra ID, including access reviews and integrating logs with Azure Monitor.
 author: omondiatieno
 manager: CelesteDG
 ms.author: jomondi
 ms.service: entra-id
 ms.subservice: enterprise-apps
 ms.topic: tutorial
-ms.date: 09/07/2023
+ms.date: 12/04/2024
 ms.reviewer: saibandaru
 ms.custom: enterprise-apps
 
@@ -22,8 +22,8 @@ Using the information in this tutorial, an administrator of the application lear
 
 > [!div class="checklist"]
 > * Create an access review
-> * Access the audit logs report
-> * Access the sign-ins report
+> * Access the audit logs
+> * Access the sign-ins
 > * Send logs to Azure Monitor
 
 ## Prerequisites
@@ -80,13 +80,13 @@ You can track the progress of access reviews as they are completed.
 
 The **Results** page provides information on each user under review in the instance, including the ability to Stop, Reset, and Download results. To learn more, check out the [Complete an access review of groups and applications in Microsoft Entra access reviews](~/id-governance/complete-access-review.md) article. 
 
-## Access the audit logs report
+## Access the audit logs
 
-The audit logs report combines several reports around application activities into a single view for context-based reporting. For more information, see [Audit logs in Microsoft Entra ID](~/identity/monitoring-health/concept-audit-logs.md).
+The Microsoft Entra audit logs captures a wide variety of activities within your tenant. These logs provide valuable insights into the activities you need to monitor. For more information, see [Audit logs in Microsoft Entra ID](~/identity/monitoring-health/concept-audit-logs.md).
 
-To access the audit logs report, go to **Identity** > **Monitoring & health** > **Audit logs**.
+To access the audit logs, go to **Identity** > **Monitoring & health** > **Audit logs**.
 
-The audit logs report consolidates the following reports:
+The audit logs capture activities that fall under the following categories, but is not limited to:
 
 - Password reset activity
 - Password reset registration activity
@@ -96,24 +96,27 @@ The audit logs report consolidates the following reports:
 - Password rollover status
 - Account provisioning errors
 
-## Access the sign-ins report
+## Access the sign-in logs
 
-The Sign-ins view includes all user sign-ins, and the Application Usage report. You also can view application usage information in the Manage section of the Enterprise applications overview. For more information, see [Sign-in logs in Microsoft Entra ID](~/identity/monitoring-health/concept-sign-ins.md)
+The Microsoft Entra sign-in logs capture interactive, non-interactive, managed identity, and service principal sign-ins. For more information, see [Sign-in logs in Microsoft Entra ID](~/identity/monitoring-health/concept-sign-ins.md).
 
-To access the sign-in logs report, go to **Identity** > **Monitoring & health** > **Sign-in logs**.
+To access the sign-in logs, go to **Identity** > **Monitoring & health** > **Sign-in logs**.
+
+You also can view application sign-in information from the Enterprise applications area. The sign-in logs open the same logs from **Monitoring & health** > **Sign-in logs**, but the filter is already set to the selected application. The **Usage & insights** report also summarizes sign-in activity for the application.
 
 ## Send logs to Azure Monitor
 
-The Microsoft Entra activity logs only store information for a maximum of 30 days. Depending on your needs, you may require extra storage to back up the activity logs data. Using the Azure Monitor, you can archive the audit and sign logs to an Azure storage account to retain the data for a longer time. 
-The Azure Monitor is also useful for rich visualization, monitoring and alerting of data. To learn more about the Azure Monitor and the cost considerations for extra storage, see [Microsoft Entra activity logs in Azure Monitor](~/identity/monitoring-health/concept-log-monitoring-integration-options-considerations.md).
+The Microsoft Entra activity logs only store information for seven days for Microsoft Entra ID Free and 30 days for Microsoft Entra ID P1/P2. Depending on your needs, you may require extra storage to back up the activity logs data.
+
+Using Azure Monitor logs, you can retain the data for longer and enable powerful analysis tools, such as visualization and alerts. For more information about integrating logs with Azure Monitor logs, see [Integrate Microsoft Entra logs with Azure Monitor](~/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs.md).
+
+To send logs to Azure Monitor, you need a Log Analytics workspace. Once that's created, you configure diagnostic settings to integrate with Log Analytics. There are cost considerations associated with integrating logs with Azure Monitor and Log Analytics, so review this section of [Microsoft Entra activity logs in Azure Monitor](~/identity/monitoring-health/concept-log-monitoring-integration-options-considerations.md#cost-considerations) before proceeding.
 
-To send logs to your logs analytics workspace:
+With a Log Analytics workspace configured:
 
 1. Select **Diagnostic settings**, and then select **Add diagnostic setting**. You can also select Export Settings from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.
-1. In the Diagnostic settings menu, select **Send to Log Analytics workspace**, and then select Configure.
-1. Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
-1. Select the logs that you would like to send to the workspace.
-1. Select **Save** to save the setting.
+1. Choose the logs you want to stream, select the **Send to Log Analytics workspace** option, and complete the fields.
+1. Select **Save**.
 
 After about 15 minutes, verify that events are streamed to your Log Analytics workspace.
 

docs/identity/monitoring-health/breadcrumb/TOC.yml

@@ -8,4 +8,10 @@
     items:
     - name: Monitoring and health
       tocHref: /graph/
+      topicHref: /entra/identity/monitoring-health/
+    - name: Monitoring and health
+      tocHref: /entra/identity/conditional-access/
+      topicHref: /entra/identity/monitoring-health/
+    - name: Monitoring and health
+      tocHref: /entra/identity/app-provisioning/
       topicHref: /entra/identity/monitoring-health/

docs/identity/monitoring-health/howto-analyze-activity-logs-log-analytics.md

@@ -117,6 +117,24 @@ AuditLogs
 | sort by auditCount desc 
 ```
 
+To summarize the count of provisioning events per day, by action:
+```kusto
+AADProvisioningLogs
+| where TimeGenerated > ago(7d)
+| summarize count() by Action, bin(TimeGenerated, 1d)
+```
+
+Take 100 provisioning events and project key properties:
+```kusto
+AADProvisioningLogs
+| extend SourceIdentity = parse_json(SourceIdentity)
+| extend TargetIdentity = parse_json(TargetIdentity)
+| extend ServicePrincipal = parse_json(ServicePrincipal)
+| where tostring(SourceIdentity.identityType) == "Group"
+| project tostring(ServicePrincipal.Id), tostring(ServicePrincipal.Name), ModifiedProperties, JobId, Id, CycleId, ChangeId, Action, SourceIdentity.identityType, SourceIdentity.details, TargetIdentity.identityType, TargetIdentity.details, ProvisioningSteps
+| take 100
+```
+
 ## Related content
 
 * [Get started with queries in Azure Monitor logs](/azure/azure-monitor/logs/get-started-queries)

docs/identity/monitoring-health/toc.yml

@@ -139,6 +139,8 @@ items:
       href: workbook-cross-tenant-access-activity.md
     - name: Multifactor authentication gaps 
       href: workbook-mfa-gaps.md 
+    - name: Provisioning workbooks
+      href: ..\app-provisioning\application-provisioning-log-analytics.md?toc=/entra/identity/monitoring-health/toc.json&bc=/entra/identity/monitoring-health/breadcrumb/TOC.json
     - name: Risk analysis
       href: workbook-risk-analysis.md
     - name: Sensitive Operations Report