What's locking it out?

This post pulls together a few elements/features of Azure to show how to solve one specific issue. Even if the core use case does not affect you, the way the problem is solved can be applied to loads of other situations.

In this case my problem is that my AADDS account is getting locked out (for the unfamiliar, AADDS is Microsoft's 'managed' Active Directory service). Essentially something is trying to authenticate against AD with the wrong password, and that is causing the account to be locked out - but where is this coming from?

Normally in traditional AD this is easy to find out - you just check the event logs. In managed AADDS, however, you have no direct access to the domain controllers, and you can't even point Event Viewer at the remote managed domain controller machine - that is also not allowed. So how can we find this out?

Well, the first step is to enable the AADDS PaaS service to gather the logs and then send them somewhere we can access.

Like many other PaaS services this is enabled from the diagnostics blade of the service - the screenshot below shows that screen for AADDS. In my case I'm actually sending the data to three distinct places - a storage account, a Log Analytics workspace and an event hub. There are reasons for all of these, but for this particular use case the only one I actually need is the Log Analytics one.

I then choose to send all the available data sources to this location (the list of available data can be seen displayed at the bottom of the screenshot).


Now for those of you not familiar with it, Log Analytics is a log ingestion and querying platform, along the lines of Splunk or the ELK stack. Basically you send a whole load of log data into it and then query those logs using a SQL-like language called Kusto (or KQL).

So for our use case it enables us to search for lockout records and then display the details of those to identify where the lockouts are coming from.

If we browse to our Log Analytics workspace we can see that, by activating the above diagnostics, Azure has created some new 'tables' (I call them tables as I'm not sure what the correct term is and my background is in databases).


Now we have those tables we just need to write a query to find the lockout records - you can see that in the screenshot below.

I've also pasted the query text here to make it easy to copy:

AADDomainServicesAccountManagement
| where TimeGenerated >= ago(1d)
| where OperationName has "4740"
| parse ResultDescription with * "Account Name:" AccountName "Account Name:" id "Additional Information:" dummy "Caller Computer Name:" device 
| project TimeGenerated, id, device, ResultDescription
| sort by TimeGenerated desc

That query I think is fairly clear (even if you don't know Kusto): it's looking at the data for the last day where a lockout has occurred (event id 4740) and then showing the results. The only confusing line is the one starting with parse - that takes the ResultDescription 'column' (which holds a lot of formatted text) and pulls out various parts of it, to give us the locked-out account id and the computer the attempts are coming from. This took me a while to get right, and now I come to write this up I find it hard to explain myself now I'm not 'in the moment' of writing it... Anyway it does some magic to pull out the bits of data we need :-)

So at this point we have an easy query to find the lockouts - but how do we make this available to a wider audience? Well, we have a few options:

1) Share the query round with everyone
2) Put the query on a dashboard and share that
3) Save the query as an M query and publish via Power BI
4) Stick it in a workbook
5) etc etc (sure there are lots of other ways to do this).

What I'm going to do is go with option 4 (the workbook) - I really like this feature and I don't think it's getting the love it deserves :-)

So what I'll do is create a new workbook with a parameter (the id to check) and then display the results of that query in the workbook.

The end result will look like the screen below (which can be linked to directly) - users enter an id value at the top, the Kusto query then runs in the background and the matching records are displayed below.

I won't go through building the workbook step by step but will just summarize the two main things you need to create:

1) The parameter the user will pass in

So choose the parameter option from the add menu and define it as below - it's very simple.


2) Define the query to run

Next we add a 'query', set the data source to logs, the resource type to Log Analytics and the workspace to the one we were just querying above - then we just need to paste in the query exactly as it appears above, with one additional line to pick up the parameter the user will enter (note the curly brace format below).


AADDomainServicesAccountManagement
| where TimeGenerated >= ago(1d)
| where OperationName has "4740"
| where ResultDescription contains "{ID}"
| parse ResultDescription with * "Account Name:" AccountName "Account Name:" id "Additional Information:" dummy "Caller Computer Name:" device
| project TimeGenerated, id, device, ResultDescription
| sort by TimeGenerated desc
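To make the parse line (and the workbook's "{ID}" filter) easier to follow, here is an added Python example, not part of the original post, that runs the same extraction over constructed 4740-style ResultDescription text. The sample rows, the DC01$/jdoe/svc-backup names and the device names are all made up for illustration; the regex uses the same literal anchors as the KQL parse pattern, and the trailing helper counts lockouts per (account, caller computer) so the noisy machine stands out.

```python
import re
from collections import Counter

# Constructed rows (TimeGenerated, ResultDescription) for illustration only, not real
# AADDS data; the text layout follows the Windows 4740 "account was locked out" event.
def _desc(account, device):
    return ("A user account was locked out. Subject: Security ID: S-1-5-18 "
            "Account Name: DC01$ Account Domain: CONTOSO Logon ID: 0x3E7 "
            "Account That Was Locked Out: Security ID: S-1-5-21-11-22-33-1001 "
            f"Account Name: {account} Additional Information: Caller Computer Name: {device}")

SAMPLE_ROWS = [
    ("2024-03-01T08:15:00Z", _desc("jdoe", "LAPTOP-17")),
    ("2024-03-01T09:40:00Z", _desc("jdoe", "SQL-APP-02")),
    ("2024-03-01T07:05:00Z", _desc("svc-backup", "LAPTOP-17")),
]

# Same anchors as the KQL line:
#   parse ResultDescription with * "Account Name:" AccountName "Account Name:" id
#         "Additional Information:" dummy "Caller Computer Name:" device
# '*' skips the prefix, each capture runs up to the next literal, 'device' takes the rest.
PARSE_RE = re.compile(
    r"Account Name:(?P<AccountName>.*?)Account Name:(?P<id>.*?)"
    r"Additional Information:(?P<dummy>.*?)Caller Computer Name:(?P<device>.*)",
    re.DOTALL,
)

def parse_lockout(description):
    """Return the captured fields (whitespace trimmed, unlike KQL) or None if no match."""
    m = PARSE_RE.search(description)
    if m is None:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}

def lockouts_for(rows, user_id=None):
    """Mirror the workbook query: optional '{ID}' filter, parse, project, sort desc."""
    out = []
    for time_generated, description in rows:
        # KQL 'contains' is case-insensitive, so compare lower-cased text
        if user_id is not None and user_id.lower() not in description.lower():
            continue
        fields = parse_lockout(description)
        if fields is None:
            continue
        out.append((time_generated, fields["id"], fields["device"]))
    return sorted(out, key=lambda r: r[0], reverse=True)

def lockouts_by_device(rows):
    """Count lockouts per (id, device) to spot the machine that keeps retrying."""
    return Counter((uid, dev) for _, uid, dev in lockouts_for(rows))
```

Note that AccountName ends up holding the subject account (the DC) plus everything up to the second "Account Name:", which is why the query projects id and device rather than AccountName.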

And that's it - when the workbook is run the user enters the user id that has an issue and the query runs, displaying where the lockout is being triggered from. The complexity of how all that works is hidden and the user just has a simple interface to use.

Enjoy :-)
