WithSecure Elements Identity Security for Entra ID
Onboarding Guide
Contents
Chapter 1: Introduction ... 3
1.1 Deployed infrastructure overview ... 4
1.2 Prerequisites ... 6
Chapter 2: Onboarding configuration ... 7
2.1 Add cloud account in WithSecure Elements Security Center ... 8
2.2 Deploying the Azure infrastructure ... 8
2.2.1 Deploying Azure resources ... 10
2.3 Post-deployment verifications ... 10
2.3.1 Event hub validation ... 11
2.3.2 Diagnostic settings validation ... 11
2.4 Connecting Azure to Elements Cloud ... 12
2.5 Finishing the onboarding session ... 12
Chapter 3: Ongoing management ... 14
3.1 When to rerun the script ... 15
3.2 When a new tenant is created ... 15
3.3 Reaching EventHub capacity ... 15
3.4 Regular release of the script ... 15
Appendix A: Deleting the deployed resources ... 16
Appendix B: Troubleshooting ... 18
B.1 Checking the connection status ... 19
ii | Contents | WithSecure Elements Identity Security for Entra ID
Chapter 1: Introduction
This document outlines the configuration that is required to give WithSecure access to retrieve Entra ID logs from your Microsoft Azure tenant.
Topics:
- Deployed infrastructure overview
- Prerequisites
WithSecure Elements Identity Security for Entra ID is a foundational module that is designed for organizations that use Entra ID for identity and access management of users, services, and resources within the Microsoft Cloud ecosystem.
1.1 Deployed infrastructure overview
The deployment process establishes a resource group within the tenant, encompassing all resources
provisioned by the WithSecure Entra ID configuration script.
The diagram illustrates the effects of the WithSecure Entra ID configuration script that is used during the
onboarding process.
The process creates, configures, and deploys the following infrastructure:
- A resource group is created in the target tenant. It contains all the resources deployed by the WithSecure Entra ID configuration script (Event Hubs, alerts, action group), which are collectively used for WithSecure log data collection.
- A Standard Tier Event Hub is deployed. The Event Hub is configured to retain telemetry events for 24 hours. The number of resources monitored and their activity determine the load on the Event Hub.
- An email alert from Microsoft informs you when the Event Hub cannot handle the load because it has reached its maximum capacity. In this case some telemetry data may be lost, so the alert is deployed to give you visibility of the issue.
  Note: An increase in the number of TUs triggers the alert.
- Diagnostic settings that forward all Entra ID logs to an Event Hub are created. The forwarded log categories are:
  - Audit logs
  - Sign in logs
  - Non Interactive Users Sign In Logs
  - Service Principal Sign In Logs
  - Managed Identity Sign In Logs
  - Provisioning Logs
  - ADFS Sign In Logs
  - Risky Users *
  - User Risk Events *
  - Network Access Traffic Logs
  - Risky Service Principals
  - Service Principal Risk Events
  - Enriched Office365 Audit Logs
  - Microsoft Graph Activity Logs
* If your organization has a P1/P2 license (which is included in Microsoft 365 E3/E5 plans), the solution
collects the risk reports that are generated by Microsoft and combines them with our complementary
detection logic. The solution also provides detections for disabling Conditional Access, which is a feature
that is exclusive to Azure Active Directory Premium P1 or P2 licenses, which are part of the E3 and E5
plans, respectively.
The following table describes the use of the key log sources that are collected as part of the Entra ID module.
Log Categories | Description
Audit logs | Required to monitor changes to applications, users, and tenant configuration. For example, changes in the permissions of application registrations, and new Conditional Access policies created or modified.
Sign in logs | Contains authentication and authorization events for the tenant. For example, sign-in events and the metadata associated with a user log in.
Non Interactive Users Sign In Logs | Contains information relating to system activities where there is no human interaction. Service accounts can be targeted by attackers.
Service Principal Sign In Logs | Contains information relating to service principal activities; attackers can abuse Microsoft principals to achieve their goals.
Managed Identity Sign In Logs | Contains information relating to the interactions of applications, services, or systems using managed identities. Monitoring managed identities can detect authorized access made by attackers.
Risky Users / User Risk Events | Provides information about "risky users" and associated events deemed risky by M365 Defender. For example, suspicious logons, and malformed or suspicious tokens provided.
Risky Service Principals / Service Principal Risk Events | Provides information about "risky service principals" and associated events deemed risky by M365 Defender.
Once the configuration has been completed, the data can be collected and analyzed by WithSecure to provide detection coverage.
For multiple tenants, follow the steps outlined in this guide for each tenant. Use a unique customerID to
create an Event Hub in each tenant. WithSecure requires a connection string for each tenant’s event hub.
For example, you have to provide 3 unique connection strings for 3 tenants.
Note: This document refers to Azure documentation in many places to avoid duplicating content.
Associated Microsoft Costs
The event hub configuration that is deployed uses Standard Tier Event Hubs. The monthly cost is based on the number of Throughput Units (TU). The number of TUs depends on the load. To manage incoming data efficiently, the Event Hub uses the Auto-Inflate feature, which automatically increases the capacity as needed, up to a maximum of 40 Throughput Units (TUs). Initially, the Event Hub is deployed with the minimum capacity of 1 TU, which is sufficient for transferring up to 1 MB of data or 1,000 events into the system every second. If the amount of data increases, the system automatically adds more TUs to handle the extra load, without exceeding the upper limit of 40 TUs.
Note: The number of TUs does not decrease automatically if the load decreases.
Standard Tier Event Hubs cost approximately €22 per month per Throughput Unit (TU). The costs that are
associated with Event Hubs are described in the Microsoft Azure Event Hubs pricing web page.
The cost per event received through the Event Hub is €0.026 per million events. Based on our historical
data, the monthly event volume ranges from 6 million to 300 million events. To illustrate, WithSecure’s
monthly expenditure for its Event Hub infrastructure is approximately $15.
1.2 Prerequisites
The following prerequisites must be met before configuration starts.
- You must be able to sign in as a Global Administrator on the Azure account to run the script in Azure Cloud Shell.
- You must have your tenant ID, subscription ID, and deployment location known and ready before you start the deployment. For instructions, see Get subscription and tenant IDs in the Azure portal.
- The tenant must have at least one Azure Management Group. To set up an Azure Management Group, see Create a management group.
Chapter 2: Onboarding configuration
This chapter describes the steps to be completed to commence the collection of Azure log data by WithSecure.
Topics:
- Add cloud account in WithSecure Elements Security Center
- Deploying the Azure infrastructure
- Post-deployment verifications
- Connecting Azure to Elements Cloud
- Finishing the onboarding session
2.1 Add cloud account in WithSecure Elements Security Center
Follow these instructions to add a new Azure tenant to WithSecure Elements Security Center.
1. In WithSecure Elements Security Center, go to Environment > Cloud.
2. Select Add Azure tenant.
3. Enter the following information in the Tenant information page.
   - Display name: Enter the name of the new Azure tenant as it will appear in WithSecure Elements Security Center.
   - Tenant ID: Paste the tenant ID from the Azure portal.
   - Organization: Choose the WithSecure Elements Security Center organization for the tenant.
4. Under Security capabilities, select Identity Security.
5. Select Add.
6. Enter the following information in the Connection details page.
   - Deployment Subscription ID: Paste the subscription ID from the Azure portal within which the new resources will be created. If you do not use subscriptions already, we recommend that you create a new subscription. For instructions, see Create an EA subscription to create an Enterprise Agreement subscription.
   - Deployment location: Select the region where the new resources will be created. We recommend that you choose a location that you already use.
   - Email address for notification: Enter the address where Microsoft sends notifications if the Event Hub reaches its capacity.
     Note: After typing the email address, save it by pressing Enter.
7. Download the onboarding zip file.
Continue to the next section to configure the infrastructure in Azure.
2.2 Deploying the Azure infrastructure
Follow these instructions to prepare the environment.
1. In the Azure Portal, temporarily elevate your access to manage the tenant.
   Use the instructions provided on the following page to temporarily elevate access to manage all subscriptions: Elevate access to manage all Azure subscriptions and management groups | Microsoft Learn.
   Note: Sign out and sign back in to refresh your access.
2. Switch the Access Management for Azure resources option to Yes.
Note: This may create a Microsoft Defender for Cloud alert.
3. Open Azure Cloud Shell with PowerShell.
   Note: Azure Cloud Shell needs a storage account instance to store local files. You must create an instance, which is typical if Azure Cloud Shell has not been used previously on the tenant. The following link explains how to create a storage account instance for Cloud Shell:
   https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli#start-cloud-shell
   If Microsoft asks you to register your subscription with the Azure Cloud Shell resource provider, use the instructions in the following link:
   https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart?tabs=azurecli#registering-your-subscription-with-azure-cloud-shell
4. Upload the onboarding zip file that you downloaded earlier to Azure Cloud Shell, using the upload feature at the top of the shell screen. It is uploaded to the current working directory.
5. Uncompress the package using the unzip command on the package:
   unzip './Withsecure Entra ID Configuration Script.zip'
   This uncompresses all files into a new withsecure folder.
6. Change the directory to the folder with the uncompressed files:
   cd withsecure
7. Run the following command in Azure Cloud Shell to assign Owner to the principal that needs to deploy the WithSecure Entra ID configuration script. Replace userId with your Azure Active Directory User principal name:
   New-AzRoleAssignment -SignInName "[userId]" -Scope "/" -RoleDefinitionName "Owner"
   To find the User principal name:
   a) Sign in to the Azure portal.
   b) Go to Azure Active Directory.
   c) Select Users.
      The list of users in the Azure AD tenant opens.
   d) Type the name or email address in the search box to search for the user.
   e) Select the user to open their profile.
      The User principal name is listed under the profile.
2.2.1 Deploying Azure resources
The WithSecure Entra ID configuration script deploys the resources required to forward the relevant Entra ID logs into an EventHub so that WithSecure can collect the data for its detection capability.
1. Run the following command to set up the configuration:
   ./config.ps1
2. Deploy the resources by running the following command:
   ./deploy.ps1
2.3 Post-deployment verifications
This section describes available post-deployment verification methods.
2.3.1 Event hub validation
Follow these instructions to validate Event Hubs.
To validate Event Hubs:
1. Check the Resource Group called WSecCD to validate that the Event Hub has been created.
There should be an Event Hub present.
2. Check there is an alert, and the correct emails are present in the action so that you can see when the
event hub capacity is reached.
2.3.2 Diagnostic settings validation
Follow these instructions to validate diagnostics settings.
To validate diagnostic settings:
1. Check the Diagnostic settings in Entra ID. There should be a diagnostic setting named WSecCD.
2. Click Edit setting to open the Diagnostic settings view.
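The checks in sections 2.3.1 and 2.3.2 as a single read-only script, added here as an example; it is not part of the WithSecure onboarding package. It assumes the resource group and the diagnostic setting are both named WSecCD as stated above, that the Entra ID diagnostic settings live at the resource ID /providers/microsoft.aadiam, that the Az.EventHub and Az.Monitor cmdlet and property names are as given here, and a constructed placeholder notification address:

```powershell
# Added example, not WithSecure's code. Run in Azure Cloud Shell (PowerShell),
# already signed in. Only reads; changes nothing.
param(
    [string]$ResourceGroup = 'WSecCD',          # name used by the guide
    [string]$DiagnosticSettingName = 'WSecCD',  # name used by the guide
    [string]$ExpectedEmail = 'soc@example.com'  # constructed placeholder
)
$failures = [System.Collections.Generic.List[string]]::new()

# 2.3.1 step 1: resource group, namespace and at least one Event Hub exist
$rg = Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue
if (-not $rg) { $failures.Add("Resource group $ResourceGroup not found") }
$namespaces = @(Get-AzEventHubNamespace -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue)
if ($namespaces.Count -eq 0) { $failures.Add("No Event Hub namespace in $ResourceGroup") }
foreach ($ns in $namespaces) {
    $hubs = @(Get-AzEventHub -ResourceGroupName $ResourceGroup -NamespaceName $ns.Name)
    if ($hubs.Count -eq 0) { $failures.Add("Namespace $($ns.Name) has no Event Hub") }
    # Chapter 1 states Standard tier with Auto-Inflate capped at 40 TUs
    if ($ns.Sku.Tier -ne 'Standard') { $failures.Add("Namespace $($ns.Name) is not Standard tier") }
    if (-not $ns.IsAutoInflateEnabled -or $ns.MaximumThroughputUnits -ne 40) {
        $failures.Add("Namespace $($ns.Name): Auto-Inflate or max TU (40) not as expected")
    }
}

# 2.3.1 step 2: the capacity alert's action group notifies the right address
$groups = @(Get-AzActionGroup -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue)
$emails = @($groups | ForEach-Object { $_.EmailReceiver } | ForEach-Object { $_.EmailAddress })
if ($emails -notcontains $ExpectedEmail) {
    $failures.Add("No action group notifies $ExpectedEmail (found: $($emails -join ', '))")
}

# 2.3.2: the Entra ID diagnostic setting enables every category listed in chapter 1
# (assumed API category names) and targets an Event Hub
$expected = 'AuditLogs', 'SignInLogs', 'NonInteractiveUserSignInLogs',
            'ServicePrincipalSignInLogs', 'ManagedIdentitySignInLogs', 'ProvisioningLogs',
            'ADFSSignInLogs', 'RiskyUsers', 'UserRiskEvents', 'NetworkAccessTrafficLogs',
            'RiskyServicePrincipals', 'ServicePrincipalRiskEvents',
            'EnrichedOffice365AuditLogs', 'MicrosoftGraphActivityLogs'
$ds = Get-AzDiagnosticSetting -ResourceId '/providers/microsoft.aadiam' -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -eq $DiagnosticSettingName }
if (-not $ds) {
    $failures.Add("Diagnostic setting $DiagnosticSettingName not found on Entra ID")
} else {
    # Az.Monitor 3.x exposes .Log, older releases .Logs; accept either
    $enabled = @($ds.Log) + @($ds.Logs) | Where-Object { $_ -and $_.Enabled } | ForEach-Object { $_.Category }
    foreach ($category in $expected) {
        if ($enabled -notcontains $category) { $failures.Add("Category $category not enabled") }
    }
    if (-not $ds.EventHubAuthorizationRuleId) { $failures.Add("$DiagnosticSettingName does not target an Event Hub") }
}

if ($failures.Count -eq 0) { 'All post-deployment checks passed.' }
else { $failures | ForEach-Object { "FAIL: $_" } }
```

Categories marked with * in chapter 1 are only populated on tenants with a P1/P2 license, so a missing-category line for those is expected there.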
2.4 Connecting Azure to Elements Cloud
Connect Azure tenants to Elements Cloud in WithSecure Elements Security Center.
Follow these instructions after the deployment is complete:
1. In WithSecure Elements Security Center, go to Environment > Cloud > Detection and Response.
2. Select the Azure Tenant from the list.
3. On Connection details, select Add connection string.
4. Copy and paste the whole connection string, including Endpoint=sb://, from the Azure CLI and
select Add.
Note: This process can take up to 5 minutes.
When the connection is working, the status changes to The tenant is protected, with a green tick mark.
If you have multiple tenants, return to the Cloud environment view and go to the Detection and Response
tab to configure another tenant.
Note: If the deployment fails, create a ticket for WithSecure Customer Care.
Important: Download a new deployment script from WithSecure Elements Security Center in the following cases:
- If you create a new tenant.
- If WithSecure makes any changes to the cloud platform or to the script to align with security best practice.
2.5 Finishing the onboarding session
Finalize the onboarding process by adjusting role assignments and subscription access.
Once the deployment has been validated and the connection string has been added to WithSecure Elements
Security Center, follow these instructions to adjust roles and access rights:
1. Run the following command in the Cloud Shell to revoke the elevated access that was necessary for deploying the WithSecure Entra ID configuration script:
   Remove-AzRoleAssignment -SignInName "[userId]" -Scope "/" -RoleDefinitionName "Owner"
   Use your User principal name as the userId.
2. Follow the Microsoft instructions to disable the Elevate Access to all subscriptions option:
   https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
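An added example (not WithSecure's code) to run between steps 1 and 2, while elevated access is still in place: it confirms that the temporary root-scope Owner assignment from section 2.2 step 7 is gone and lists what else is still assigned at the root scope. It assumes that Get-AzRoleAssignment -Scope "/" returns root-scope assignments to a caller who holds elevated access, and that the script is given the same userId used in the guide's commands.

```powershell
# Added example, not WithSecure's code. Read-only; run in Azure Cloud Shell
# after Remove-AzRoleAssignment (step 1) and before disabling elevation (step 2).
param([Parameter(Mandatory)][string]$UserPrincipalName)  # the guide's userId

# Keep only assignments made at "/" itself; inherited or narrower scopes are not root rights
$root = @(Get-AzRoleAssignment -Scope '/' | Where-Object { $_.Scope -eq '/' })

# The Owner role at "/" was added for the deployment and must be gone now
$owner = $root | Where-Object {
    $_.SignInName -eq $UserPrincipalName -and $_.RoleDefinitionName -eq 'Owner'
}
if ($owner) {
    "Owner at '/' still assigned to $UserPrincipalName; repeat step 1 before continuing."
} else {
    "Owner at '/' removed for $UserPrincipalName."
}

# Elevation shows up as User Access Administrator at "/"; step 2 removes it
$elevated = $root | Where-Object {
    $_.SignInName -eq $UserPrincipalName -and $_.RoleDefinitionName -eq 'User Access Administrator'
}
if ($elevated) { "Elevated access (User Access Administrator at '/') is still active; complete step 2." }

# Anything else at "/" applies to every subscription and management group in the
# tenant, so it is worth reviewing while you still have the visibility to do so
$others = $root | Where-Object { $_.SignInName -ne $UserPrincipalName }
if ($others) {
    'Other principals with root-scope assignments:'
    $others | Format-Table RoleDefinitionName, DisplayName, ObjectType -AutoSize
}
```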
Chapter 3: Ongoing management
This chapter describes the maintenance activities that must be managed to maintain connectivity and service level.
Topics:
- When to rerun the script
- When a new tenant is created
- Reaching EventHub capacity
- Regular release of the script
3.1 When to rerun the script
The diagnostic settings and policies implemented during the onboarding process will account for some
changes to the cloud environment.
After the initial onboarding process, diagnostic settings and policies are designed to automatically detect
and handle some changes in the cloud environment. However, if there are significant changes or updates
that are not covered by these settings and policies, you have to rerun the script.
3.2 When a new tenant is created
When a new tenant is created, follow the steps in Onboarding configuration in this guide. To execute the script, however, you need to run the following command:
deploy.ps1 -update
3.3 Reaching EventHub capacity
During the onboarding process, the script creates an alert for when the event hub receives more events
than it can process.
To verify this, do the following:
1. Go to the Event Hub overview page by entering Event Hubs in the search bar in the Azure portal.
2. Click the name of the Event Hub.
3. On the overview page, look for "Throughput Units". If the number of "Throughput Units" is 40, or if you do not shortly receive an email mentioning that the alert is resolved, contact WithSecure Customer Care.
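The same Throughput Units check as a script, added as an example (not WithSecure's code), extended with the namespace's ThrottledRequests metric for the last 24 hours so that a capacity problem is visible even if the alert email was missed. It assumes the resource group name WSecCD from this guide, the Az.EventHub property names Sku.Capacity, MaximumThroughputUnits and IsAutoInflateEnabled, and the Event Hubs platform metric name ThrottledRequests.

```powershell
# Added example, not WithSecure's code. Read-only; run in Azure Cloud Shell (PowerShell).
param([string]$ResourceGroup = 'WSecCD', [int]$MaxTU = 40)  # 40 is the cap stated in chapter 1

foreach ($ns in Get-AzEventHubNamespace -ResourceGroupName $ResourceGroup) {
    $tu  = $ns.Sku.Capacity               # current Throughput Units
    $max = $ns.MaximumThroughputUnits     # Auto-Inflate ceiling

    # Auto-Inflate only scales up; TUs never drop on their own (see chapter 1),
    # so a high value persists after a burst and should be reviewed, not ignored
    $state = 'ok'
    if ($tu -ge [math]::Floor($max * 0.8)) { $state = 'approaching limit' }
    if (-not $ns.IsAutoInflateEnabled)     { $state = 'Auto-Inflate disabled' }
    if ($tu -ge $MaxTU)                    { $state = 'AT LIMIT: contact WithSecure Customer Care' }

    # Throttled requests are the symptom the capacity alert exists to surface;
    # a non-zero count means events were rejected and telemetry may be missing
    $metric = Get-AzMetric -ResourceId $ns.Id -MetricName 'ThrottledRequests' `
        -StartTime (Get-Date).AddHours(-24) -EndTime (Get-Date) `
        -TimeGrain ([TimeSpan]::FromHours(1)) -AggregationType Total -WarningAction SilentlyContinue
    $throttled = ($metric.Data | Measure-Object -Property Total -Sum).Sum

    [pscustomobject]@{
        Namespace    = $ns.Name
        TU           = $tu
        MaxTU        = $max
        Throttled24h = [int]$throttled
        State        = $state
    }
}
```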
3.4 Regular release of the script
The script used to configure event hubs, diagnostic settings, and policies may require changes and
improvements over time.
The changes could be required due to extensions in detection coverage, alignment to latest cloud best
practice, or underlying cloud platform changes.
When the latest version of the files has not been deployed, the Onboarding files status is shown in WithSecure Elements Security Center in the connection details. To redeploy, download the latest version of the script and use the command deploy.ps1 -update.
Appendix A: Deleting the deployed resources
Follow these instructions to remove the deployed resources.
This should be done in either of the following cases:
- There were issues in the deployment process and the deployment should be started over, or
- you want to opt out of the service and remove the monitoring resources.
To delete the resources, execute the following command from inside the withsecure directory:
./cleanup.ps1
Note: Currently, you cannot remove deleted resources from WithSecure Elements Security Center. To indicate that resources have been disconnected, change the display name of each connection to DELETED_name.
Appendix B: Troubleshooting
Here you can find information that can help you solve your technical issues.
Topics:
- Checking the connection status
Common problems:
- If the Cloud Shell terminal has been closed before the deployment completes: follow the steps in Deploying Azure resources.
- If running the deploy.ps1 script fails with an error regarding an ongoing deployment, wait 15 minutes before retrying.
- If deployment fails with an error indicating that the subscription is not registered to use the namespace Microsoft.PolicyInsights, do the following:
  1. Go to the subscription page and click Resource Providers.
  2. Click the provider Microsoft.PolicyInsights and then Register or Re-register.
  3. Once the registration has completed, restart the process by running the ./deploy.ps1 script.
B.1 Checking the connection status
You can view the connection status in WithSecure Elements Security Center.
1. In WithSecure Elements Security Center, go to Environment > Cloud.
2. Review the Identity Security status for each tenant that is displayed in the list.