Integrate Azure AD Connect Health ADFS Failed Logins and Lockout Events with Microsoft Cloud App Security
The ADFS auditing events for logon failures or account lockouts collected by the Azure AD Connect Health agent for ADFS on all the on-premises ADFS servers are not shared with the central Azure security solutions such as:
1. Azure AD Identity Protection
2. Office365 Cloud App Security (OCAS)
3. Microsoft Cloud App Security (MCAS).
There is no available method to integrate or correlate these events with the rest of the Azure security solutions. The result is that this heavily limits brute-force attack detection on the ADFS infrastructure. The only available option is to collect the logs locally through Windows Event Collection/Forwarding.
Thank you for your feedback.
We are planning to work with the Azure Identity Protection team to provide enhanced security features for ADFS.