From the Microsoft Sentinel tech community:
Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity and one of the authentication methods available is federation with Active Directory Services (AD FS).
Active Directory Federation Service (AD FS) enables Federated Identity and Access Management by securely sharing digital identity and entitlements rights across security and enterprise boundaries. AD FS extends the ability to use single sign-on functionality that is available within a single security or enterprise boundary to Internet-facing applications to enable customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.
In this post, I will show you how to enable AD FS security auditing (based on Microsoft documentation) and how to collect and ship AD FS event logs to a Microsoft Sentinel instance.
Read this very detailed, step-by-step article here:
- Enabling AD FS Security Auditing and Shipping Event Logs to Microsoft Sentinel
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enabling-ad-fs-security-auditing-and-shipping-event-logs-to/ba-p/3610464
kurtsh
Kurt Shintaku's Blog 