Microsoft Entra security operations guide - Microsoft Entra | Microsoft Learn
<!DOCTYPE html><html class="hasSidebar hasPageActions hasBreadcrumb conceptual has-default-focus theme-light" lang="en-us" dir="ltr" data-authenticated="false" data-auth-status-determined="false" data-target="docs" x-ms-format-detection="none"> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta property="og:title" content="Microsoft Entra security operations guide - Microsoft Entra" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://learn.microsoft.com/en-us/entra/architecture/security-operations-introduction" /><meta property="og:description" content="Learn to monitor, identify, and alert on security issues with accounts, applications, devices, and infrastructure in Microsoft Entra ID." /><meta property="og:image" content="https://learn.microsoft.com/en-us/media/open-graph-image.png" /> <meta property="og:image:alt" content="Microsoft Learn" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@MicrosoftLearn" /> <meta name="color-scheme" content="light dark"><meta name="author" content="janicericketts" /> <meta name="breadcrumb_path" content="/entra/breadcrumb/toc.json" /> <meta name="depot_name" content="MSDN.entra-docs" /> <meta name="description" content="Learn to monitor, identify, and alert on security issues with accounts, applications, devices, and infrastructure in Microsoft Entra ID." 
/> <meta name="document_id" content="dd5215da-c68b-eebf-6d81-ef109caa7f51" /> <meta name="document_version_independent_id" content="8805daae-486b-7ea4-f4b4-ce9b0e04e51a" /> <meta name="feedback_help_link_type" content="" /> <meta name="feedback_help_link_url" content="" /> <meta name="feedback_product_url" content="https://feedback.azure.com/d365community/forum/79b1327d-d925-ec11-b6e6-000d3a4f06a4" /> <meta name="feedback_system" content="Standard" /> <meta name="git_commit_id" content="b2c5ce003f893537e7c71af0b388d9ce41109658" /> <meta name="gitcommit" content="https://github.com/MicrosoftDocs/entra-docs-pr/blob/b2c5ce003f893537e7c71af0b388d9ce41109658/docs/architecture/security-operations-introduction.md" /> <meta name="locale" content="en-us" /> <meta name="manager" content="martinco" /> <meta name="ms.author" content="jricketts" /> <meta name="ms.custom" content="it-pro" /> <meta name="ms.custom" content="kr2b-contr-experiment" /> <meta name="ms.date" content="09/06/2022" /> <meta name="ms.service" content="entra" /> <meta name="ms.subservice" content="architecture" /> <meta name="ms.topic" content="overview" /> <meta name="original_content_git_url" content="https://github.com/MicrosoftDocs/entra-docs-pr/blob/live/docs/architecture/security-operations-introduction.md" /> <meta name="page_type" content="conceptual" /> <meta name="schema" content="Conceptual" /> <meta name="site_name" content="Docs" /> <meta name="toc_rel" content="toc.json" /> <meta name="uhfHeaderId" content="MSDocsHeader-Entra" /> <meta name="updated_at" content="2024-09-20 10:00 PM" /> <meta name="word_count" content="2496" /> <meta name="persistent_id" content="6fcaf9ab-28c4-d0f1-9566-a908af56bd92" /> <meta name="cmProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/57eae307-c3a1-4cac-b645-1a899934bac8" data-source="generated" /> <meta name="cmProducts" content="https://authoring-docs-microsoft.poolparty.biz/devrel/07bb3e10-d135-43ff-bc8b-360497cb39fa" 
data-source="generated" /> <meta name="cmProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/1433a524-c01f-4b87-beab-670c040dea4f" data-source="generated" /> <meta name="spProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/ee561821-1ac7-45a8-9409-6ba5eb7a5b97" data-source="generated" /> <meta name="spProducts" content="https://authoring-docs-microsoft.poolparty.biz/devrel/12e559b9-eaf6-4aee-9af7-62334e15f863" data-source="generated" /> <meta name="spProducts" content="https://microsoft-devrel.poolparty.biz/DevRelOfferingOntology/312f1f05-a431-4193-8a4d-e6245d5966de" data-source="generated" /> <meta name="scope" content="Microsoft Entra" /><meta name="github_feedback_content_git_url" content="https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/architecture/security-operations-introduction.md" /><link href="https://learn.microsoft.com/en-us/entra/architecture/security-operations-introduction" rel="canonical"><title>Microsoft Entra security operations guide - Microsoft Entra | Microsoft Learn</title><link rel="stylesheet" href="/static/assets/0.4.028726178/styles/site-ltr.css"> <script id="msdocs-script"> var msDocs = {environment: { supportLevel: 'production', accessLevel: 'online', reviewFeatures: false, systemContent: true, azurePortalHostname: 'portal.azure.com', legacyHosting: false, siteName: 'learn', },data: { timeOrigin: Date.now(), contentLocale: 'en-us', contentDir: 'ltr', userLocale: 'en-us', userDir: 'ltr', pageTemplate: 'Conceptual', brand: 'entra', context: {}, hasBinaryRating: true, feedbackHelpLinkType:'', feedbackHelpLinkUrl:'', standardFeedback: true, showFeedbackReport: false, enableTutorialFeedback: false, feedbackSystem: 'Standard', feedbackGitHubRepo: 'MicrosoftDocs/entra-docs', feedbackProductUrl: 'https://feedback.azure.com/d365community/forum/79b1327d-d925-ec11-b6e6-000d3a4f06a4',extendBreadcrumb: false,isEditDisplayable: true, hideViewSource: false, hasPageActions: true, 
hasPrintButton: true, hasBookmark: true, hasShare: true, isPermissioned: false, isPrivateUnauthorized: false,hasRecommendations: true,contributors: [{ name: "janicericketts", url: "https://github.com/janicericketts" },{ name: "MicrosoftGuyJFlo", url: "https://github.com/MicrosoftGuyJFlo" },{ name: "alexbuckgit", url: "https://github.com/alexbuckgit" },{ name: "shlipsey3", url: "https://github.com/shlipsey3" },{ name: "BryanLa", url: "https://github.com/BryanLa" }],}, functions:{} }; </script><script src="https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js"></script> <script src="https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js"></script><script src="/static/assets/0.4.028726178/global/deprecation.js"></script><script src="/static/assets/0.4.028726178/scripts/en-us/index-docs.js"></script></head> <body lang="en-us" dir="ltr"> <div class="mainContainer uhf-container has-default-focus" data-bi-name="body"> <div class="columns has-large-gaps is-gapless-mobile "><!-- .primary-holder --> <section class="primary-holder column is-two-thirds-tablet is-three-quarters-desktop"> <!--div.columns --> <div class="columns is-gapless-mobile has-large-gaps "><div id="main-column" class="column is-full is-8-desktop"> <main id="main" class="" role="main" data-bi-name="content" lang="en-us" dir="ltr"><div class="content "><h1 id="microsoft-entra-security-operations-guide">Microsoft Entra security operations guide</h1><div class="display-flex justify-content-space-between align-items-center flex-wrap-wrap page-metadata-container"> <div class="margin-right-xxs"> <ul class="metadata page-metadata" data-bi-name="page info" lang="en-us" dir="ltr"><li>Article</li><li class="visibility-hidden-visual-diff"><time class="is-invisible" data-article-date aria-label="Article review date" datetime="2023-10-23T20:21:00Z" data-article-date-source="calculated">10/23/2023</time> </li></ul> </div> </div><nav id="center-doc-outline" class="doc-outline is-hidden-desktop display-none-print margin-bottom-sm" data-bi-name="intopic toc" aria-label="In this article"> <h2 id="ms--in-this-article" class="title
is-6 margin-block-xs">In this article</h2> </nav><!-- <content> --><p>Microsoft has a successful and proven approach to <a href="https://aka.ms/Zero-Trust" data-linktype="external">Zero Trust security</a> using <a href="https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" data-linktype="external">Defense in Depth</a> principles that use identity as a control plane. Organizations continue to embrace a hybrid workload world for scale, cost savings, and security. Microsoft Entra ID plays a pivotal role in your strategy for identity management. Recently, news surrounding identity and security compromise has increasingly prompted enterprise IT to consider their identity security posture as a measure of defensive security success.</p> <p>Increasingly, organizations must embrace a mixture of on-premises and cloud applications, which users access with both on-premises and cloud-only accounts. Managing users, applications, and devices both on-premises and in the cloud poses challenging scenarios.</p> <h2 id="hybrid-identity">Hybrid identity</h2> <p>Microsoft Entra ID creates a common user identity for authentication and authorization to all resources, regardless of location. We call this <em>hybrid identity</em>.</p> <p>To achieve hybrid identity with Microsoft Entra ID, one of three authentication methods can be used, depending on your scenarios. 
The three methods are:</p> <ul> <li><a href="../identity/hybrid/connect/whatis-phs" data-linktype="relative-path">Password hash synchronization (PHS)</a></li> <li><a href="../identity/hybrid/connect/how-to-connect-pta" data-linktype="relative-path">Pass-through authentication (PTA)</a></li> <li><a href="../identity/hybrid/connect/whatis-fed" data-linktype="relative-path">Federation (AD FS)</a></li> </ul> <p>As you audit your current security operations or establish security operations for your Azure environment, we recommend you:</p> <ul> <li>Read specific portions of the Microsoft security guidance to establish a baseline of knowledge about securing your cloud-based or hybrid Azure environment.</li> <li>Audit your account and password strategy and authentication methods to help deter the most common attack vectors.</li> <li>Create a strategy for continuous monitoring and alerting on activities that might indicate a security threat.</li> </ul> <h3 id="audience">Audience</h3> <p>The Microsoft Entra SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.</p> <h3 id="scope">Scope</h3> <p>This introduction provides the suggested prereading and password audit and strategy recommendations. This article also provides an overview of the tools available for hybrid Azure environments and fully cloud-based Azure environments. Finally, we provide a list of data sources you can use for monitoring and alerting and configuring your security information and event management (SIEM) strategy and environment. 
The rest of the guidance presents monitoring and alerting strategies in the following areas:</p> <ul> <li><p><a href="security-operations-user-accounts" data-linktype="relative-path">User accounts</a>. Guidance specific to non-privileged user accounts without administrative privilege, including anomalous account creation and usage, and unusual sign-ins.</p> </li> <li><p><a href="security-operations-privileged-accounts" data-linktype="relative-path">Privileged accounts</a>. Guidance specific to privileged user accounts that have elevated permissions to perform administrative tasks. Tasks include Microsoft Entra role assignments, Azure resource role assignments, and access management for Azure resources and subscriptions.</p> </li> <li><p><a href="security-operations-privileged-identity-management" data-linktype="relative-path">Privileged Identity Management (PIM)</a>. Guidance specific to using PIM to manage, control, and monitor access to resources.</p> </li> <li><p><a href="security-operations-applications" data-linktype="relative-path">Applications</a>. Guidance specific to accounts used to provide authentication for applications.</p> </li> <li><p><a href="security-operations-devices" data-linktype="relative-path">Devices</a>. Guidance specific to monitoring and alerting for devices registered or joined outside of policies, non-compliant usage, managing device administration roles, and sign-ins to virtual machines.</p> </li> <li><p><a href="security-operations-infrastructure" data-linktype="relative-path">Infrastructure</a>. Guidance specific to monitoring and alerting on threats to your hybrid and purely cloud-based environments.</p> </li> </ul> <h2 id="important-reference-content">Important reference content</h2> <p>Microsoft has many products and services that enable you to customize your IT environment to fit your needs. 
We recommend that you review the following guidance for your operating environment:</p> <ul> <li><p>Windows operating systems</p> <ul> <li><a href="https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093" data-linktype="external">Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909</a></li> <li><a href="https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772" data-linktype="external">Security baseline for Windows 11</a></li> <li><a href="https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685" data-linktype="external">Security baseline for Windows Server 2022</a></li> </ul> </li> <li><p>On-premises environments</p> <ul> <li><a href="/en-us/defender-for-identity/architecture" data-linktype="absolute-path">Microsoft Defender for Identity architecture</a></li> <li><a href="/en-us/defender-for-identity/install-step2" data-linktype="absolute-path">Connect Microsoft Defender for Identity to Active Directory quickstart</a></li> <li><a href="/en-us/security/benchmark/azure/baselines/defender-for-identity-security-baseline" data-linktype="absolute-path">Azure security baseline for Microsoft Defender for Identity</a></li> <li><a href="/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise" data-linktype="absolute-path">Monitoring Active Directory for Signs of Compromise</a></li> </ul> </li> <li><p>Cloud-based Azure environments</p> <ul> <li><a href="../identity/monitoring-health/concept-sign-ins" data-linktype="relative-path">Monitor sign-ins with the Microsoft Entra sign-in log</a></li> <li><a href="../identity/monitoring-health/concept-audit-logs" data-linktype="relative-path">Audit activity reports in the Azure portal</a></li> <li><a 
href="../id-protection/howto-identity-protection-investigate-risk" data-linktype="relative-path">Investigate risk with Microsoft Entra ID Protection</a></li> <li><a href="/en-us/azure/sentinel/data-connectors/azure-active-directory-identity-protection" data-linktype="absolute-path">Connect Microsoft Entra ID Protection data to Microsoft Sentinel</a></li> </ul> </li> <li><p>Active Directory Domain Services (AD DS)</p> <ul> <li><a href="/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations" data-linktype="absolute-path">Audit Policy Recommendations</a></li> </ul> </li> <li><p>Active Directory Federation Services (AD FS)</p> <ul> <li><a href="/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging" data-linktype="absolute-path">AD FS Troubleshooting - Auditing Events and Logging</a></li> </ul> </li> </ul> <h2 id="data-sources">Data sources</h2> <p>The log files you use for investigation and monitoring are:</p> <ul> <li><a href="../identity/monitoring-health/concept-audit-logs" data-linktype="relative-path">Microsoft Entra audit logs</a></li> <li><a href="../identity/monitoring-health/concept-sign-ins" data-linktype="relative-path">Sign-in logs</a></li> <li><a href="/en-us/microsoft-365/compliance/auditing-solutions-overview" data-linktype="absolute-path">Microsoft 365 Audit logs</a></li> <li><a href="/en-us/azure/key-vault/general/logging?tabs=Vault" data-linktype="absolute-path">Azure Key Vault logs</a></li> </ul> <p>From the Azure portal, you can view the Microsoft Entra audit logs. Download logs as comma separated value (CSV) or JavaScript Object Notation (JSON) files. 
The Azure portal has several ways to integrate Microsoft Entra logs with other tools that allow for greater automation of monitoring and alerting:</p> <ul> <li><p><strong><a href="/en-us/azure/sentinel/overview" data-linktype="absolute-path">Microsoft Sentinel</a></strong> - Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.</p> </li> <li><p><strong><a href="https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure" data-linktype="external">Sigma rules</a></strong> - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we have added a link to the Sigma repo. The Sigma templates are not written, tested, or managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community. Review and test each community rule against your own log data before you rely on it for alerting.</p> </li> <li><p><strong><a href="/en-us/azure/azure-monitor/overview" data-linktype="absolute-path">Azure Monitor</a></strong> - Enables automated monitoring and alerting of various conditions. You can create or use workbooks to combine data from different sources.</p> </li> <li><p><strong><a href="/en-us/azure/event-hubs/event-hubs-about" data-linktype="absolute-path">Azure Event Hubs</a></strong> integrated with a SIEM. Microsoft Entra logs can be integrated with other SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. 
For more information, see <a href="../identity/monitoring-health/howto-stream-logs-to-event-hub" data-linktype="relative-path">Stream Microsoft Entra logs to an Azure event hub</a>.</p> </li> <li><p><strong><a href="/en-us/cloud-app-security/what-is-cloud-app-security" data-linktype="absolute-path">Microsoft Defender for Cloud Apps</a></strong> - Enables you to discover and manage apps, govern across apps and resources, and check the compliance of your cloud apps.</p> </li> <li><p><strong><a href="../id-protection/concept-workload-identity-risk" data-linktype="relative-path">Securing workload identities with Microsoft Entra ID Protection</a></strong> - Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.</p> </li> </ul> <p>Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the Conditional Access insights and reporting workbook to examine the effects of one or more Conditional Access policies on your sign-ins and the results of policies, including device state. This workbook enables you to view an impact summary, and identify the impact over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user. For more information, see <a href="../identity/conditional-access/howto-conditional-access-insights-reporting" data-linktype="relative-path">Conditional Access insights and reporting</a>.</p> <p>The remainder of this article describes what to monitor and alert on. Where there are specific pre-built solutions we link to them or provide samples following the table. 
Otherwise, you can build alerts using the preceding tools.</p> <ul> <li><p><strong><a href="../id-protection/overview-identity-protection" data-linktype="relative-path">ID Protection</a></strong> generates three key reports that you can use to help with your investigation:</p> <ul> <li><p><strong>Risky users</strong> contains information about which users are at risk, details about detections, history of all risky sign-ins, and risk history.</p> </li> <li><p><strong>Risky sign-ins</strong> contains information about the circumstances of a sign-in that might indicate suspicious activity. For more information on investigating the data in this report, see <a href="../id-protection/howto-identity-protection-investigate-risk" data-linktype="relative-path">How To: Investigate risk</a>.</p> </li> <li><p><strong>Risk detections</strong> contains information on risk signals detected by Microsoft Entra ID Protection that inform sign-in and user risk. For more information, see the <a href="security-operations-user-accounts" data-linktype="relative-path">Microsoft Entra security operations guide for user accounts</a>.</p> </li> </ul> </li> </ul> <p>For more information, see <a href="../id-protection/overview-identity-protection" data-linktype="relative-path">What is Microsoft Entra ID Protection</a>.</p> <h3 id="data-sources-for-domain-controller-monitoring">Data sources for domain controller monitoring</h3> <p>For the best results, we recommend that you monitor your domain controllers using Microsoft Defender for Identity. This approach enables the best detection and automation capabilities. 
Follow the guidance from these resources:</p> <ul> <li><a href="/en-us/defender-for-identity/architecture" data-linktype="absolute-path">Microsoft Defender for Identity architecture</a></li> <li><a href="/en-us/defender-for-identity/directory-service-accounts" data-linktype="absolute-path">Connect Microsoft Defender for Identity to Active Directory quickstart</a></li> </ul> <p>If you don't plan to use Microsoft Defender for Identity, monitor your domain controllers by one of these approaches:</p> <ul> <li>Event log messages. See <a href="/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise" data-linktype="absolute-path">Monitoring Active Directory for Signs of Compromise</a>.</li> <li>PowerShell cmdlets. See <a href="/en-us/windows-server/identity/ad-ds/deploy/troubleshooting-domain-controller-deployment" data-linktype="absolute-path">Troubleshooting Domain Controller Deployment</a>.</li> </ul> <h2 id="components-of-hybrid-authentication">Components of hybrid authentication</h2> <p>As part of an Azure hybrid environment, the following items should be baselined and included in your monitoring and alerting strategy.</p> <ul> <li><p><strong>PTA Agent</strong> - The pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See <a href="../identity/hybrid/connect/reference-connect-pta-version-history" data-linktype="relative-path">Microsoft Entra pass-through authentication agent: Version release history</a> for information on verifying your agent version and next steps.</p> </li> <li><p><strong>AD FS/WAP</strong> - Active Directory Federation Services (AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. 
For information on security best practices, see <a href="/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs" data-linktype="absolute-path">Best practices for securing Active Directory Federation Services</a>.</p> </li> <li><p><strong>Microsoft Entra Connect Health Agent</strong> - The agent used to provide a communications link for Microsoft Entra Connect Health. For information on installing the agent, see <a href="../identity/hybrid/connect/how-to-connect-health-agent-install" data-linktype="relative-path">Microsoft Entra Connect Health agent installation</a>.</p> </li> <li><p><strong>Microsoft Entra Connect Sync Engine</strong> - The on-premises component, also called the sync engine. For information on the feature, see <a href="../identity/hybrid/connect/how-to-connect-syncservice-features" data-linktype="relative-path">Microsoft Entra Connect Sync service features</a>.</p> </li> <li><p><strong>Password Protection DC agent</strong> - Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see <a href="../identity/authentication/concept-password-ban-bad-on-premises" data-linktype="relative-path">Enforce on-premises Microsoft Entra Password Protection for Active Directory Domain Services</a>.</p> </li> <li><p><strong>Password Filter DLL</strong> - The password filter DLL of the DC Agent receives user password-validation requests from the operating system. The filter forwards them to the DC Agent service that's running locally on the DC. 
For information on using the DLL, see <a href="../identity/authentication/concept-password-ban-bad-on-premises" data-linktype="relative-path">Enforce on-premises Microsoft Entra Password Protection for Active Directory Domain Services</a>.</p> </li> <li><p><strong>Password writeback Agent</strong> - Password writeback is a feature enabled with <a href="../identity/hybrid/whatis-hybrid-identity" data-linktype="relative-path">Microsoft Entra Connect</a> that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see <a href="../identity/authentication/concept-sspr-writeback" data-linktype="relative-path">How does self-service password reset writeback work in Microsoft Entra ID</a>.</p> </li> <li><p><strong>Microsoft Entra private network connector</strong> - Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see <a href="../identity/app-proxy/application-proxy-connectors" data-linktype="relative-path">Understand Microsoft Entra private network connectors</a>.</p> </li> </ul> <h2 id="components-of-cloud-based-authentication">Components of cloud-based authentication</h2> <p>As part of an Azure cloud-based environment, the following items should be baselined and included in your monitoring and alerting strategy.</p> <ul> <li><p><strong>Microsoft Entra application proxy</strong> - This cloud service provides secure remote access to on-premises web applications. For more information, see <a href="../identity/app-proxy/application-proxy-connectors" data-linktype="relative-path">Remote access to on-premises applications through Microsoft Entra application proxy</a>.</p> </li> <li><p><strong>Microsoft Entra Connect</strong> - Services used for a Microsoft Entra Connect solution. 
For more information, see <a href="../identity/hybrid/connect/whatis-azure-ad-connect" data-linktype="relative-path">What is Microsoft Entra Connect</a>.</p> </li> <li><p><strong>Microsoft Entra Connect Health</strong> - Service Health provides you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. For more information, see <a href="../identity/hybrid/connect/whatis-azure-ad-connect" data-linktype="relative-path">Microsoft Entra Connect Health</a>.</p> </li> <li><p><strong>Microsoft Entra multifactor authentication</strong> - Multifactor authentication requires a user to provide more than one form of proof for authentication. This approach can provide a proactive first step to securing your environment. For more information, see <a href="../identity/authentication/concept-mfa-howitworks" data-linktype="relative-path">Microsoft Entra multifactor authentication</a>.</p> </li> <li><p><strong>Dynamic groups</strong> - Dynamic configuration of security group membership: Microsoft Entra administrators can set rules to populate groups that are created in Microsoft Entra ID based on user attributes. For more information, see <a href="../external-id/use-dynamic-groups" data-linktype="relative-path">Dynamic groups and Microsoft Entra B2B collaboration</a>.</p> </li> <li><p><strong>Conditional Access</strong> - Conditional Access is the tool used by Microsoft Entra ID to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see <a href="../identity/conditional-access/overview" data-linktype="relative-path">What is Conditional Access</a>.</p> </li> <li><p><strong>Microsoft Entra ID Protection</strong> - A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. 
For more information, see <a href="../id-protection/overview-identity-protection" data-linktype="relative-path">What is Microsoft Entra ID Protection</a>.</p> </li> <li><p><strong>Group-based licensing</strong> - Licenses can be assigned to groups rather than directly to users. Microsoft Entra ID stores information about license assignment states for users.</p> </li> <li><p><strong>Provisioning Service</strong> - Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see <a href="../identity/app-provisioning/how-provisioning-works" data-linktype="relative-path">How Application Provisioning works in Microsoft Entra ID</a>.</p> </li> <li><p><strong>Graph API</strong> - The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see <a href="/en-us/graph/overview" data-linktype="absolute-path">Overview of Microsoft Graph</a>.</p> </li> <li><p><strong>Domain Service</strong> - Microsoft Entra Domain Services (AD DS) provides managed domain services such as domain join and group policy. For more information, see <a href="/en-us/entra/identity/domain-services/overview" data-linktype="absolute-path">What is Microsoft Entra Domain Services</a>.</p> </li> <li><p><strong>Azure Resource Manager</strong> - Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. 
For more information, see <a href="/en-us/azure/azure-resource-manager/management/overview" data-linktype="absolute-path">What is Azure Resource Manager</a>.</p> </li> <li><p><strong>Managed identity</strong> - Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. For more information, see <a href="../identity/managed-identities-azure-resources/overview" data-linktype="relative-path">What are managed identities for Azure resources</a>.</p> </li> <li><p><strong>Privileged Identity Management</strong> - PIM is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. For more information, see <a href="../id-governance/privileged-identity-management/pim-configure" data-linktype="relative-path">What is Microsoft Entra Privileged Identity Management</a>.</p> </li> <li><p><strong>Access reviews</strong> - Microsoft Entra access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed regularly to make sure only the right people have continued access. For more information, see <a href="../id-governance/access-reviews-overview" data-linktype="relative-path">What are Microsoft Entra access reviews</a>.</p> </li> <li><p><strong>Entitlement management</strong> - Microsoft Entra entitlement management is an <a href="../id-governance/identity-governance-overview" data-linktype="relative-path">identity governance</a> feature. Organizations can manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. 
For more information, see <a href="../id-governance/entitlement-management-overview" data-linktype="relative-path">What is Microsoft Entra entitlement management</a>.</p> </li> <li><p><strong>Activity logs</strong> - The Activity log is an Azure <a href="/en-us/azure/azure-monitor/essentials/platform-logs-overview" data-linktype="absolute-path">platform log</a> that provides insight into subscription-level events. This log includes such information as when a resource is modified or when a virtual machine is started. For more information, see <a href="/en-us/azure/azure-monitor/essentials/activity-log" data-linktype="absolute-path">Azure Activity log</a>.</p> </li> <li><p><strong>Self-service password reset service</strong> - Microsoft Entra self-service password reset (SSPR) gives users the ability to change or reset their password. The administrator or help desk isn't required. For more information, see <a href="../identity/authentication/concept-sspr-howitworks" data-linktype="relative-path">How it works: Microsoft Entra self-service password reset</a>.</p> </li> <li><p><strong>Device services</strong> - Device identity management is the foundation for <a href="../identity/conditional-access/concept-conditional-access-grant" data-linktype="relative-path">device-based Conditional Access</a>. With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see <a href="../identity/devices/overview" data-linktype="relative-path">What is a device identity</a>.</p> </li> <li><p><strong>Self-service group management</strong> - You can enable users to create and manage their own security groups or Microsoft 365 groups in Microsoft Entra ID. The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features aren't available for mail-enabled security groups or distribution lists. 
For more information, see <a href="../identity/users/groups-self-service-management" data-linktype="relative-path">Set up self-service group management in Microsoft Entra ID</a>.</p> </li> <li><p><strong>Risk detections</strong> - Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.</p> </li> </ul> <h2 id="next-steps">Next steps</h2> <p>See these security operations guide articles:</p> <p><a href="security-operations-user-accounts" data-linktype="relative-path">Security operations for user accounts</a></p> <p><a href="security-operations-consumer-accounts" data-linktype="relative-path">Security operations for consumer accounts</a></p> <p><a href="security-operations-privileged-accounts" data-linktype="relative-path">Security operations for privileged accounts</a></p> <p><a href="security-operations-privileged-identity-management" data-linktype="relative-path">Security operations for Privileged Identity Management</a></p> <p><a href="security-operations-applications" data-linktype="relative-path">Security operations for applications</a></p> <p><a href="security-operations-devices" data-linktype="relative-path">Security operations for devices</a></p> <p><a href="security-operations-infrastructure" data-linktype="relative-path">Security operations for infrastructure</a></p> </div> </main> </body> </html>