2024 release wave 1 plans for Microsoft Dynamics 365 and Power Platform now available

2024 release wave 1 plans for Microsoft Dynamics 365 and Power Platform now available

This article is contributed. See the original author and article here.

On January 25, 2024, we published the 2024 release wave 1 plans for Microsoft Dynamics 365 and Microsoft Power Platform, a compilation of new capabilities planned to be released between April 2024 and September 2024. This first release wave of the year offers hundreds of new features and improvements, showcasing our ongoing commitment to fueling digital transformation for both our customers and partners.

This release reinforces our dedication to developing applications and experiences that contribute value to roles by dismantling barriers between data, insights, and individuals. This wave introduces diverse enhancements across various business applications, emphasizing improved user experiences, productivity, innovative app development and automation, and advanced AI capabilities. Watch a summary of the release highlights.

Explore a heightened level of convenience when examining Dynamics 365 and Microsoft Power Platform release plans using the release planner. Enjoy unmatched flexibility as you customize, filter, and sort plans to align with your preferences, effortlessly sharing them. Maintain organization, stay informed, and remain in control while smoothly navigating through various active waves of plans. For more information, visit the release planner.

Highlights from Dynamics 365 

Field engineer inspects electrical substation server room on a wind farm using remote assist with HoloLens2

Dynamics 365 release wave

Check out the 2024 release wave 1 early access features.

Microsoft Dynamics 365 Sales enhances customer understanding and boosts sales through data, intelligence, and user-friendly experiences. The 2024 release wave 1 focuses on providing sellers timely customer information, expediting deals with actionable insights, improving productivity, and empowering organizations through open configurability and expanded generative AI leadership. Check out this video about the most exciting features releasing this wave.

Microsoft Copilot for Sales continues to deliver and enhance cutting-edge generative AI capabilities for sellers by enriching the Copilot in Microsoft 365 capabilities with sales specific skills, data, and actions. Additionally, the team will focus on assisting sellers on the go within the Outlook and Microsoft Teams mobile apps.

Microsoft Dynamics 365 Customer Service will continue to empower agents to work more efficiently through Copilot, filtering response verification, diagnostic tools for admins and agents, and usability improvements to multi-session apps. Additionally, we’re making enhancements to the voice channel, and improving unified routing assignment accuracy and prioritization. Watch this video about the exciting new features in Customer Service.

Microsoft Dynamics 365 Field Service is a field service management application that allows companies to transform their service operations with processes and experiences to manage, schedule, and perform. In the 2024 release wave 1, we’re introducing the next generation of Copilot capabilities, modern experiences, Microsoft 365 integrations, vendor management, and Microsoft Dynamics 365 Finance and Microsoft Dynamics 365 Operations integration.

Microsoft Dynamics 365 Finance continues on its journey of autonomous finance, building intelligence, automation, and analytics around every business process, to increase user productivity and business agility. This release focuses on enhancing business performance planning and analytics, adding AI powered experiences, easing setup of financial dimension defaulting with AI rules guidance, increasing automation in bank reconciliation, netting, expanding country coverage, tax automation, and scalability. See how the latest enhancements to Dynamics 365 Finance can help your business.

Microsoft Dynamics 365 Supply Chain Management enhances business processes for increased insight and agility. Copilot skills improve user experiences, while demand planning transforms the forecast process, and warehouse processes are optimized for greater efficiency and accuracy. See how the latest enhancements to Dynamics 365 Supply Chain Management can help your business.

Microsoft Dynamics 365 Project Operations is focused on enhancing usability, performance, and scalability in key areas such as project planning, invoicing, time entry, and core transaction processing. The spotlight is on core functionality improvements, including support for discounts and fees, enhanced resource reconciliation, journals, approvals, and contract management, with added mobile capabilities to handle larger projects and invoices at an increased scale. See how the latest enhancements to Dynamics 365 Project Operations can help your business.

Microsoft Dynamics 365 Guides is bringing several new capabilities and enhancements including supporting high-detail 3D model support through Microsoft Azure Remote Rendering and greatly improved web content support that enable customers to build mixed reality workflows that are integrated with their business data. Additionally, support for Guides content on mobile will be generally available in the coming wave through a seamless integration with the Dynamics 365 Field Service mobile application.

Microsoft Dynamics 365 Human Resources will continue to improve recruiting experiences with functionality to integrate with external job portals and talent pools and offer management. We will continue to expand our human capital management ecosystem to include additional payroll partners and build better together experiences that span the gamut of what Microsoft can offer to improve employee experiences in corporations of any size and scale across the globe. See how the latest enhancements to Dynamics 365 Human Resources can help your business.

Microsoft Dynamics 365 Commerce continues to invest in omnichannel retail experiences through advancements in mobile point of sale experiences like Tap to Pay for iOS and offline capabilities for Store Commerce on Android. The business-to-business buying experience is enhanced with new capabilities, and a streamlined order management solution for buyers who work across multiple organizations.

Microsoft Dynamics 365 Business Central is delivering substantial enhancements, with a central emphasis on harnessing the power of Copilot. Available in more than 160 countries, the team is focused on Copilot-driven capabilities to streamline and enhance productivity through enhanced reporting and data analysis capabilities, elevated project and financial management, and simplified workflow automation. We have also upgraded our development and governance tools and introduced improvements in managing data privacy and compliance.

Microsoft Dynamics 365 Customer Insights – Data empowers every organization to unify and enhance customer data, using it for insightful analysis and intelligent actions. With this release, we’re making it easier and faster to ingest and manage your data. AI enables quick insights and democratized access to analytics. Real-time data ingestion, creation, and updates further enable the optimization of experiences in the moments that matter. Check out this video about the most exciting features releasing this wave.

Microsoft Dynamics 365 Customer Insights – Journeys brings the power of AI to revolutionize how marketers work, enabling businesses to optimize interactions with their customers with end-to-end journeys across departments and channels. With this release, we empower marketers with a deeper customer understanding, we enable them to create new experiences within minutes, reach customers in more ways, and continuously optimize results. Thanks to granular lead qualification, we continue to boost the synergy between sales and marketing to achieve superior business outcomes. Check out this video about the most exciting features releasing this wave.

Highlights from Microsoft Power Platform 

Microsoft Power Platform

Check out the 2024 release wave 1 early access features.

Close-up of hands holding a tablet.

Watch this video about the most exciting features releasing this wave in Microsoft Power Platform.

Microsoft Power Apps focuses on integrating Copilot to accelerate app development with AI and natural language, enhancing user reasoning and data insights in custom apps. The team is also simplifying the creation of modern apps through contemporary controls, responsive layouts, and collaboration features. Additionally, they’re facilitating enterprise-scale development, enabling makers and admins to expand apps across the organization with improved guardrails and quality assurance tools.

Microsoft Power Pages interactive Copilot now supports every step of site building to create intelligent websites—design, page layouts, content editing, data binding, learning, chatbot, accessibility checking, and securing the site. Connect to data anywhere with the out-of-the-box control library and secure the website with more insights at your fingertips.

Microsoft Power Automate is bringing Copilot capabilities across cloud flows, desktop flows and process mining. This will allow customers to use natural language to discover optimization opportunities, build automations, quickly troubleshoot any issues, and provide a delightful experience in managing the automation estate. For enterprise-scale solutions, maintenance is made easier with improved notifications on product capabilities.

Microsoft Copilot Studio brings native capabilities for extending Microsoft Copilot, general availability for generative actions, and geo-expansions to the United Arab Emirates, Germany, Norway, Korea, South America, and South Africa. We’re also introducing rich capabilities to integrate with OpenAI GPT models, along with new channels such as WhatsApp, and software lifecycle capabilities such as topic level import/export and role-based access control.

Microsoft Dataverse continues to make investments focusing on enhancing maker experience by improving app building productivity infused with Copilot experiences, seamless connectivity to external data sources, and AI-powered enterprise copilot for Microsoft 365.

AI Builder invests in three key areas: prompt builder for GPT prompts, intelligent document processing with new features and models, and AI governance improvements, including enhanced capacity management and data policies. These initiatives aim to empower users with advanced generative AI, streamline document processing, and strengthen governance across AI models within Power Apps.

Early access period 

Starting February 5, 2024, customers and partners will be able to validate the latest features in a non-production environment. These features include user experience enhancements that will be automatically enabled for users in production environments during April 2024. To take advantage of the early access period, try out the latest updates in a non-production environment and effectively plan for your customer rollout. Check out the 2024 release wave 1 early access features for Dynamics 365 and Microsoft Power Platform or visit the early access FAQ page. For a complete list of new capabilities, please check out the Dynamics 365 2024 release wave 1 plan and the Microsoft Power Platform 2024 release wave 1 plan, and share your feedback in the community forums via Dynamics 365 or Microsoft Power Platform.

The post 2024 release wave 1 plans for Microsoft Dynamics 365 and Power Platform now available appeared first on Microsoft Dynamics 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Invite You to Be a Global Azure 2024 Organizer

Invite You to Be a Global Azure 2024 Organizer

This article is contributed. See the original author and article here.

Global Azure, a global community effort where local Azure communities host events for local users, has been gaining popularity year by year for those interested in learning about Microsoft Azure and Microsoft AI, alongside other Azure users. The initiative saw great success last year, with the Global Azure 2023 event featuring over 100 local community-led events, nearly 500 speakers, and about 450 sessions delivered across the globe. We have highlighted these local events in our blog post, Global Azure 2023 Led by Microsoft MVPs Around the World.


RieMoriguchi_0-1706147508529.png


 


 


Looking ahead, Global Azure 2024 is scheduled from April 18 to 20, and its call for organizer who host these local events has begun. In this blog, we showcase the latest news about Global Azure to a wider audience, including messages from the Global Azure Admin Team. This year, we will directly share the essence of Global Azure’s appeal through the words of Rik Hepworth (Microsoft Azure MVP and Regional Director) and Magnus Mårtensson (Microsoft Azure MVP and Regional Director). We invite you to consider becoming a part of this global initiative, empowering Azure users worldwide by stepping up as an organizer.


Rik Hepworth.jpgMagnus Mårtensson.jpg


 


What’s New in Global Azure 2024?


For Global Azure 2024 we are doing multiple new things:



  • Last year we started a collaboration with the Microsoft Learn Student Ambassador program. This year we will build on this start to further expand the activation among young professionals to join Global Azure and learn about our beloved cloud platform. As experienced community leaders, no task can be more worthy than to nurture the next generation of community leaders. We are working with the MLSA program to help young professionals arrange their first community meetups, or to join a meetup local to them and become involved in community work. We are asking experienced community leaders to mentor these young professionals to become budding new community leaders, they need guidance in how to organize a successful first Azure learning event!


 



  • For the -24 edition of our event, we are working on a self-service portal for both event organizers and event attendees, to access and claim sponsorships that companies give to Global Azure. As a community leader you will sign in and see the list of attendees at your location. You can share sponsorships directly with the attendees and the people who attend your event can claim the benefits from our portal.


 


What benefits can the organizers gain from hosting a local Global Azure event?


There is no better way to learn about something, about anything, than to collaborate with like-minded people in the learning process. We have been in communities for tech enthusiasts for many years; some of our best friends are cloud people we have met through communities, and the way we learn the most is from deep discussions with people we trust and know. Hosting a Global Azure Community event for the first time could be the start of a new network of great people who know and like the same things and who also need to continuously want to and need to learn more about the cloud. For us, community is work-life and within communities we find the best and most joyful parts of being in tech.


 


Message to the organizers looking forward to hosting local Global Azure events


For community by community – that is our guiding motto for Global Azure. We are community, and learning happens here! As a hero, it is your job to set up a fun agenda full of learning, and to drive the event when it happens. It is hugely rewarding to be involved in community work, at least if we are to believe the people who approach us wherever we go – “I really like Global Azure, it is the most fun community event we host in our community in X each year”. This is passion, and this is tech-geekery when it is at its best. You are part of the crowd that drives learning and that makes people enthusiastic about their work and about technology. We hope that your Global Azure event is a great success and that it leads to more learners of Azure near you becoming more active and sharing with their knowledge – as our motto states!


 


Additional message from Rik and Magnus


Global Azure has global reach to Azure cloud tech people everywhere. We are looking for additional sponsors who want to have the potential to reach these people. You need to give something away, like licenses or other giveaways to become a sponsor. When you do we can in turn ensure that everyone sees that yours is a company that backs the community for tech and who supports learning.


 


This year, we are also particularly keen to hear from our MVP friends who have struggled in the past with finding a location for their event but have a Microsoft office, or event space nearby. We are keen to see if we can help, but we need people to reach out to us so we can make the right connections.


 


If anyone out there in the community is interested in stepping up to a global context, we are often looking for additional people to join the Global Azure Admins team.


 


Azure is big, broad, wide, and deep – there are so many different topics and technologies that are a part of Azure. Withing Global Azure anything goes! AI is a very valid Global Azure focus, because AI happens on the Azure platform and somehow data needs to be securely transported to, ingested, and stored in Azure. Compute can happen in so many ways in the cloud and you can be part of using the cloud as an IT Pro management/admin community as well as a developer community. We have SecOps, FinOps, DevOps (all the Ops!!). Global Azure is also very passionate about building an inclusive and welcoming community around the world that includes young people and anybody who is underrepresented in our industry.


 


To find out more, head to https://globalazure.net and read our #HowTo guide. We look forward to seeing everyone’s pins appear on our map.

Bring virtual connections to life with Microsoft Mesh, now generally available in Microsoft Teams

Bring virtual connections to life with Microsoft Mesh, now generally available in Microsoft Teams

This article is contributed. See the original author and article here.

We are thrilled to announce that Microsoft Mesh is now generally available. Experience Mesh today in Microsoft Teams and elevate your meetings with immersive virtual spaces.

The post Bring virtual connections to life with Microsoft Mesh, now generally available in Microsoft Teams appeared first on Microsoft 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Agentless Container Posture Management in Multicloud

Agentless Container Posture Management in Multicloud

This article is contributed. See the original author and article here.

 


Container security is an integral part of Microsoft Defender for Cloud, a Cloud Native Application Platform (CNAPP) as it addresses the unique challenges presented by containerized environments, providing a holistic approach to securing applications and infrastructure in the cloud-native landscape. As organizations embrace multicloud, the silos between cloud environments can become barriers for a holistic approach to container security. Defender for Cloud continues to adapt, offering new capabilities that resonate with the fluidity of multicloud architecture. Our latest additions to AWS and GCP seamlessly traverse cloud silos and provide a comprehensive and unified view of container security posture. 


 


Container image scanning for AWS and GCP managed repositories  


Container vulnerability assessment scanning powered by Microsoft Defender Vulnerability Management is now extended to AWS and GCP including Elastic Container Registry (ECR), Google Artifact Registry (GAR) and Google Container Registry (GCR). Using Defender Cloud Security Posture Management and Defender for Containers, organizations are now able to view vulnerabilities detected on their AWS and GCP container images at both registry and runtime, all within a single pane of glass. 


 


With this in-house scanner, we provide the following key benefits for container image scanning:


 



  • Agentless vulnerability assessment for containers: MDVM scans container images in your Azure Container Registry (ACR), Elastic Container Registry (ECR) and Google Artifact Registry (GAR) without the need to deploy an agent. After enabling this capability, you authorize Defender for Cloud to scan your container images.  

  • Zero configuration for onboarding: Once enabled, all images stored in ACR, ECR and GAR are automatically scanned for vulnerabilities without extra configuration or user input. 

  • Near real-time scan of new images: Defender for Cloud backend receives a notification when a new image is pushed to the registry; they are added to the queue to be scanned immediately.  

  • Daily refresh of vulnerability reports: Vulnerability reports are refreshed every 24hrs for images previously scanned that were pulled in the last 30 days (Azure only), pushed to the registry in the last 90 days or currently running on the Azure Kubernetes Service (AKS) cluster, Elastic Kubernetes Service (EKS) cluster or Google Kubernetes Engine (GKE).  

  • Coverage for both ship and runtime: Container image scanning powered by MDVM shows vulnerability reports for both images stored in the registry and images running on the cluster.  

  • Support for OS and language packages: MDVM scans both packages installed by the OS package manager in Linux and language specific packages and files, and their dependencies. 

  • Real-world exploitability insights (based on CISA kev, exploit DB and more)  

  • Support for ACR private links: MDVM scans images in container registries that are accessible via Azure Private Link if allow access by trusted services is enabled. 


 


The use of a single, in-house scanner provides a unified experience across all three clouds for detecting and identifying vulnerabilities on your container images. By enabling “Agentless Container Vulnerability Assessment” in Defender for Containers or Defender CSPM, at no additional cost, your container registries in AWS and GCP are automatically identified and scanned without the need for deploying additional resources in either cloud environment. This SaaS solution for container image scanning streamlines the process for discovering vulnerabilities in your multicloud environment and ensures quick integration into your multicloud infrastructure without causing operational friction.  


 


Through both Defender CSPM and Defender for Containers, results from container image scanning powered by MDVM are added into the Security graph for enhanced risk hunting. Through Defender CSPM, they are also used in calculation of attack paths to identify possible lateral movements an attacker could take to exploit your containerized environment.  


 


Discover vulnerable images in Elastic Container RegistriesDiscover vulnerable images in Elastic Container Registries


 


Discover vulnerable images in Google Artifact Registry and Google Container RegistryDiscover vulnerable images in Google Artifact Registry and Google Container Registry


 


 


Unified Vulnerability Assessment solution across workloads and clouds 


Microsoft Defender Vulnerability Management (MDVM) is now the unified vulnerability scanner for container security across Azure, AWS and GCP. In Defender for Cloud, unified Vulnerability Assessment powered by Defender Vulnerability Management, we shared more insights about the decision to use MDVM, with the goal being to enable organizations to have a single, consistent vulnerability assessment solution across all cloud environments. 


 


Vulnerability assessment scanning powered by Microsoft Defender Vulnerability Management for Azure Container Registry images is already generally available. Support for AWS and GCP is now public preview and provides a consistent experience across all three clouds.  


With the general availability of container vulnerability assessment scanning powered by Microsoft Defender Vulnerability Management, we also announced retirement of Qualys container image scanning in Defender for Cloud. Retirement of Qualys container image scanning is set for March 1st, 2024. 


 


 To prepare for the retirement of Qualys container image scanning and consider the following resources: 



 


Agentless Inventory Capabilities & Risk-Hunting with Cloud Security Explorer 


Leaving zero footprint, agentless discovery for Kubernetes performs API-based discovery of your Google Kubernetes Engine (GKE) and Elastic Kubernetes Service (EKS) clusters, their configurations, and deployments. Agentless discovery is a less intrusive approach to Kubernetes discovery as it minimizes impact and footprint on the Kubernetes cluster by avoiding additional installation of agents and resource consumption. 


 


Through the agentless discovery of Kubernetes and integration with the Cloud Security Explorer, organizations can explore the Kubernetes data plane, services, images, configurations of their container environments and more to easily monitor and manage their assets. 


Discover your multicloud Kubernetes cluster in a single view.Discover your multicloud Kubernetes cluster in a single view.


 


 


fkortor_3-1706017660015.png


 


 


View Kubernetes data plane inventoryView Kubernetes data plane inventory


 


 


Using the Cloud Security Explorer, organizations can also hunt for risks to their Kubernetes environments which include Kubernetes-specific security insights such as pod and node level internet exposure, running vulnerable images and privileged containers. 


 


fkortor_5-1706017660020.png


 


 


Hunt for risk such as privileged containersHunt for risk such as privileged containers


 


 


 


Defender Cloud Security Posture Management now complete with multicloud Kubernetes Attack Paths 


 


Multicloud organizations using Defender CSPM can now leverage the Attack path analysis to visualize risks and threats to their Kubernetes environments, allowing them to get a complete view of potential threats across all three cloud environments. Attack path analysis utilizes environment context including insights from Agentless Discovery of Kubernetes and Agentless Container Vulnerability scanning to expose exploitable paths that attackers may use to breach your environment. Reported Attack paths help prioritize posture issues that matter most in your environment and help you get a head of threats to your Kubernetes environment.  


 


fkortor_7-1706017660025.png


 


fkortor_8-1706017660029.png


 


 



 


Next Steps 



 


Reviewers:


Maya Herskovic, Senior PM Manager, Defender for Cloud


Tomer Spivak, Senior Product Manager, Defender for Cloud


Mona Thaker, Senior Product Marketing Manager, Defender for Cloud

Collect Event Ids using Azure Monitor Agent

Collect Event Ids using Azure Monitor Agent

This article is contributed. See the original author and article here.

Introduction


Hello everyone, I am Bindusar (CSA) working with Intune. I have received multiple requests from customers asking to collect specific event IDs from internet-based client machines with either Microsoft Entra ID or Hybrid Joined and upload to Log Analytics Workspace for further use cases. There are several options available like:



  • Running a local script on client machines and collecting logs. Then using “Send-OMSAPIIngestionFile” to upload required information to Log Analytics Workspace.


The biggest challenge with this API is to allow client machines to authenticate directly in Log Analytics Workspace. If needed, Brad Watts already published a techcommunity blog here.


Extending OMS with SCCM Information – Microsoft Community Hub



  • Using Log analytics agent. However, it is designed to collect event logs from Azure Virtual Machines.


Collect Windows event log data sources with Log Analytics agent in Azure Monitor – Azure Monitor | Microsoft Learn



  • Use of Monitoring Agent to collect certain types of events like Warning, Errors, Information etc and upload to Log Analytics Workspace. However, in monitoring agent, it was difficult to customize it to collect only certain event IDs. Also, it will be deprecated soon.


Log Analytics agent overview – Azure Monitor | Microsoft Learn


 


In this blog, I am trying to extend this solution to Azure Monitor Agent instead. Let’s try to take a scenario where I am trying to collect Security Event ID 4624 and upload it to Event Table of Log Analytics Workspace.


 


Event ID 4624 is generated when a logon session is created. It is one of the most important security events to monitor, as it can provide information about successful and failed logon attempts, account lockouts, privilege escalation, and more. Monitoring event ID 4624 can help you detect and respond to potential security incidents, such as unauthorized access, brute force attacks, or lateral movement.


 


In following steps, we will collect event ID 4624 from Windows client machines using Azure Monitor Agent and store this information in Log Analytics workspace. Azure Monitor Agent is a service that collects data from various sources and sends it to Azure Monitor, where you can analyse and visualize it. Log Analytics workspace is a container that stores data collected by Azure Monitor Agent and other sources. You can use Log Analytics workspace to query, alert, and report on the data.


 


Prerequisites


Before you start, you will need the following:



  • A Windows client that you want to monitor. Machine should be Hybrid or Entra ID joined.

  • An Azure subscription.

  • An Azure Log Analytics workspace.

  • An Azure Monitor Agent.


 


Steps


To collect event ID 4624 using Azure Monitor Agent, follow these steps:


If you already have a Log Analytics workspace where you want to collect the events, you can move to step #2 where we need to create a DCR. A table named “Events” (not custom) will be used to collect all the events specified.


1.    Steps to create Log Analytics Workspace


1.1            Login to Azure portal and search for Log analytics Workspace


Bindusar_1-1706026392079.png


 


1.2            Select and Create after providing all required information.


Bindusar_2-1706026392093.png


 


2.    Creating a Data Collection Rule (DCR)


Detailed information about data collection rule can be found at following. However, for the granularity of this blog, we will extract the required information to achieve our requirements.


Data collection rules in Azure Monitor – Azure Monitor | Microsoft Learn


2.1            Permissions


Monitoring Contributor” on Subscription, Resource Group and DCR is required.


Reference: Create and edit data collection rules (DCRs) in Azure Monitor – Azure Monitor | Microsoft Learn


2.2            Steps to create DCR.


For PowerShell lovers, following steps can be referred.


Create and edit data collection rules (DCRs) in Azure Monitor – Azure Monitor | Microsoft Learn



  • Login to Azure portal and navigate to Monitor.


Bindusar_3-1706026440726.png


 



  • Locate Data collection Rules on Left Blade.


Bindusar_4-1706026440737.png


 



  • Create a New Data Collection Rule and Provide required details. Here we are demonstrating Platform Type Windows


Bindusar_5-1706026440745.png


 



  • Resources option talks about downloading an Azure Monitor Agent which we need to install on client machines. Please select link to “Download the client installer” and save it for future steps.


Bindusar_6-1706026440752.png


 



  • Under Collect and deliver, collect talks about “what” needs to be collected and deliver talks about “where” collected data will be saved. Click on Add data source and select Windows Event Logs for this scenario.


Bindusar_7-1706026440756.png


 


Bindusar_8-1706026440759.png


 



  • In this scenario, we are planning to collect Event ID 4624 from Security Logs. By default, under Basic, we do not have such option and thus we will be using Custom.


Bindusar_9-1706026440766.png


 


Customer uses XPath format. XPath entries are written in the form LogName!XPathQuery. For example, in our case, we want to return only events from the Security event log with an event ID of 4624. The XPathQuery for these events would be *[System[EventID=4624]]. Because you want to retrieve the events from the Security event log, the XPath is Security!*[System[EventID=4624]]. To get more information about how to consume event logs, please refer to following doc.


Consuming Events (Windows Event Log) – Win32 apps | Microsoft Learn


 


Bindusar_10-1706026440769.png


 



  • Next is to select the Destination where logs will be stored. Here we are selecting the Log analytics workspace which we created in steps 1.2.


Bindusar_11-1706026440773.png


 



  • Once done, Review and Create the rule.


2.3            Creating Monitoring Object and Associating it with DCR.


You need to create a ‘Monitored Object’ (MO) that creates a representation for the Microsoft Entra tenant within Azure Resource Manager (ARM). This ARM entity is what Data Collection Rules are then associated with. This Monitored Object needs to be created only once for any number of machines in a single Microsoft Entra tenant. Currently this association is only limited to the Microsoft Entra tenant scope, which means configuration applied to the Microsoft Entra tenant will be applied to all devices that are part of the tenant and running the agent installed via the client installer.


Bindusar_12-1706026440778.png


 


Here, we are using a PowerShell script to create and map Monitoring Object to DCR.


Reference: Set up the Azure Monitor agent on Windows client devices – Azure Monitor | Microsoft Learn


Following things to keep in mind:



  1. The Data Collection rules can only target the Microsoft Entra tenant scope. That is, all DCRs associated to the tenant (via Monitored Object) will apply to all Windows client machines within that tenant with the agent installed using this client installer. Granular targeting using DCRs is not supported for Windows client devices yet.

  2. The agent installed using the Windows client installer is designed for Windows desktops or workstations that are always connected. While the agent can be installed via this method on client machines, it is not optimized for battery consumption and network limitations.

  3. Action should be performed by Tenant Admin as one-time activity. Steps mentioned below gives the Microsoft Entra admin ‘owner’ permissions at the root scope.


 


 


#Make sure execution policy is allowing to run the script.
Set-ExecutionPolicy unrestricted

#Define the following information
$TenantID = ""  #Your Tenant ID
$SubscriptionID = "" #Your Subscription ID where Log analytics workspace was created.
$ResourceGroup = "Custom_Inventory" #Your resroucegroup name where Log analytics workspace was created.


$Location = "eastus" #Use your own location. “location" property value under the "body" section should be the Azure region where the Monitor object would be stored. It should be the "same region" where you created the Data Collection Rule. This is the location of the region from where agent communications would happen.


$associationName = "EventTOTest1_Agent" #You can define your custom associationname, must change the association name to a unique name, if you want to associate multiple DCR to monitored object.

$DCRName = "Test1_Agent" #Your Data collection rule name.


#Just to ensure that we have all modules required.

If(Get-module az -eq $null)
{
    Install-Module az
    Install-Module Az.Resources
    Import-Module az.accounts
}

#Connecting to Azure Tenant using Global Admin ID
Connect-AzAccount -Tenant $TenantID

#Select the subscription
Select-AzSubscription -SubscriptionId $SubscriptionID

#Grant Access to User at root scope "/"
$user = Get-AzADUser -UserPrincipalName (Get-AzContext).Account

New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id

#Create Auth Token
$auth = Get-AzAccessToken

$AuthenticationHeader = @{
    "Content-Type" = "application/json"
    "Authorization" = "Bearer " + $auth.Token
    }



#1. Assign ‘Monitored Object Contributor’ Role to the operator.
$newguid = (New-Guid).Guid
$UserObjectID = $user.Id

$body = @"
{
            "properties": {
                "roleDefinitionId":"/providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b",
                "principalId": `"$UserObjectID`"
        }
}
"@

$requestURL = "https://management.azure.com/providers/microsoft.insights/providers/microsoft.authorization/roleassignments/$newguid`?api-version=2020-10-01-preview"


Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body


##

#2. Create Monitored Object


$requestURL = "https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/$TenantID`?api-version=2021-09-01-preview"
$body = @"
{
    "properties":{
        "location":`"$Location`"
    }
}
"@

$Respond = Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body -Verbose
$RespondID = $Respond.id

##

#3. Associate DCR to Monitored Object
#See reference documentation https://learn.microsoft.com/en-us/rest/api/monitor/data-collection-rule-associations/create?tabs=HTTP

$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations/$associationName`?api-version=2021-09-01-preview"
$body = @"
        {
            "properties": {
                "dataCollectionRuleId": "/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroup/providers/Microsoft.Insights/dataCollectionRules/$DCRName"
            }
        }

"@

Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body


#IN case you want to create more than DCR, use following in comments.


#Following step is to query the created objects.
#4. (Optional) Get all the associatation.
$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations?api-version=2021-09-01-preview"
(Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method get).value 

 


 


 


3. Client-side activity


3.1            Prerequisites:


Reference: Set up the Azure Monitor agent on Windows client devices – Azure Monitor | Microsoft Learn



  1. The machine must be running Windows client OS version 10 RS4 or higher.

  2. To download the installer, the machine should have C++ Redistributable version 2015) or higher

  3. The machine must be domain joined to a Microsoft Entra tenant (AADj or Hybrid AADj machines), which enables the agent to fetch Microsoft Entra device tokens used to authenticate and fetch data collection rules from Azure.

  4. The device must have access to the following HTTPS endpoints:

    • global.handler.control.monitor.azure.com

    • .handler.control.monitor.azure.com (example: westus.handler.control.azure.com)

    • .ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opinsights.azure.com) (If using private links on the agent, you must also add the data collection endpoints)




3.2            Installing the Azure Monitoring Agent Manually



  • Use the Windows MSI installer for the agent which we downloaded in step 1.3 while creating the DCR.

  • Navigate to downloaded file and run that as administrator. Follow the steps like configuring proxy etc as per your need and finish the setup.

  • Following screenshots can be referred to install manually on selected client machines to test.


Bindusar_13-1706026887723.png


 


Bindusar_14-1706026887727.png


 


Bindusar_15-1706026887730.png


 


Bindusar_16-1706026887733.png


 


Bindusar_17-1706026887735.png


 


This needs Admin permissions on local machine.


Bindusar_18-1706026887739.png


 



  • Verify successful installation:

    • Open Services and confirm ‘Azure Monitor Agent’ is listed and shows as Running.




 


Bindusar_19-1706026887746.png


 



  • Open Control Panel -> Programs and Features OR Settings -> Apps -> Apps & Features and ensure you see ‘Azure Monitor Agent’ listed.


 


Bindusar_20-1706026887755.png


 


 


 


3.3            Installation of Azure Monitor Agent using Intune.



  • Login to Intune Portal and navigate to Apps.


Bindusar_21-1706026887757.png


 



  • Click on +Add to create a new app. Select Line-of-business app.


Bindusar_22-1706026887761.png


 



  • Locate the Agent file which was downloaded in section 2.2 during DCR creation.


 


Bindusar_23-1706026887765.png


 



  • Provide the required details like scope tags and groups to deploy.


Bindusar_24-1706026887771.png


 



  • Assign and Create.

  • Ensure that machines are already installed with C++ Redistributable version 2015) or higher. If not, please create another package as dependent of this application. If you do not do that, Azure Monitoring Agent will be stuck in Install Pending State.


 


 


4.    Verification of configuration.


Its time to validate the configuration and data collected.


4.1            Ensure that the Monitoring Object is mapped with data collection rule.


To do this, navigate to Azure Portal > Monitor > Data collection rule > Resources. A new custom monitored object should be created.


Bindusar_25-1706026989001.png


 


4.2            Ensure that Azure Monitor Agents are Connected.


To do this, navigate to Azure Portal > Log Analytics Workspaces > Your workspace which was created at the beginning > Agents > Focus on Windows Computers Connected Via Azure Monitor Windows Agents on Left Side.


Bindusar_26-1706026989008.png


 


4.3            Ensure that the client machines can send required data.


To check this, navigate to Azure Portal > Log Analytics workspaces > Your workspace which was created at the beginning > Tables. Events table must be created.


Bindusar_27-1706026989015.png


 


4.4            Ensure that required data is captured.


To access the event logs captured, navigate to Azure Portal > Log Analytics workspaces > Your workspace which was created at the beginning > Logs and run KQL query.


Event


| where EventID == 4624


Bindusar_28-1706026989034.png


 


Conclusion


Collecting event IDs, like Event ID 4624 from Windows clients is a useful way to track user logon activities and identify any suspicious or unauthorized actions. By using Azure Monitor Agent and Log Analytics workspace, you can easily configure, collect, store, and analyse this data in a scalable and easy way. You can also leverage the powerful features of the Log Analytics query language (KQL) and portal to create custom queries, filters, charts, and dashboards to visualize and monitor the logon events. You can further refer this data in PowerBI reports as well.


We would like to thank you for reading this article and hope you found it useful and informative.


If you want to learn more about Azure Monitor and Log Analytics, you can visit our official documentation page and follow our blog for the latest updates and news.