Put on your operational glasses and you will notice that only what is visible is also operable. An infrastructure you run in an on-premises environment therefore always depends on manageability and visibility. What would you do without seeing warnings, errors and alerts in one central place? Would you check all servers and services one after the other? No, I don’t think so; most companies have a monitoring and/or log aggregation solution in place.
When you now start your journey to Microsoft Azure, using SaaS services, moving identities, using app connection points and building your IaaS or PaaS environment, what would you expect? That Microsoft will handle everything that is hosted in Azure? No, sorry to disappoint you: you remain responsible for your identities and your data. Maybe you know the service responsibility sheet:
So if you already use a monitoring or log aggregation tool on-premises, why not use it for the cloud too? You can forward monitoring data from the cloud to on-premises solutions with out-of-the-box connectors, or via services like Event Hubs, where the information is exposed for collection by on-premises monitoring tools. And if that is not possible, or you have a cloud-only environment? That is no problem either, because Azure brings everything it needs with it. Azure Monitor and Azure Log Analytics are two tools that provide performance counter measurement, log analysis and alerting. You can display real-time data as well as historical data, stored for a small fee in an Azure Storage Account. Visualization with dashboards is also possible and easy to set up.
In any case, I strongly recommend collecting the Azure AD sign-in and audit logs to get a better view of what happens in your tenant and who is doing what from where.
You need a Log Analytics workspace to which the logs are forwarded and in which you can build queries that filter the data to fit your needs. Want to be informed when Global Admin role assignments are made? When your break-glass account is used, or when risky users are detected or sign in? All of this is possible with a few lines of code. You can pin those queries to your monitoring dashboard in the Azure Portal and will quickly be able to see and interpret them.
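As an added example that is not part of the original post, here are three KQL queries of the kind described above. They assume the workspace receives the Azure AD AuditLogs and SigninLogs tables through a diagnostic setting; the break-glass UPN is a placeholder.

```kusto
// Constructed example: the workspace is assumed to receive the Azure AD
// AuditLogs and SigninLogs tables through a diagnostic setting.
// "breakglass@contoso.example" is a placeholder, not a real account.

// 1) Global Administrator role assignments in the last 24 hours.
//    The role name sits in the modifiedProperties of the target user.
AuditLogs
| where TimeGenerated > ago(24h)
| where Category == "RoleManagement"
| where OperationName in ("Add member to role", "Add eligible member to role")
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| where tostring(Prop.newValue) has "Global Administrator"
| project TimeGenerated, OperationName, Result,
          Actor  = tostring(InitiatedBy.user.userPrincipalName),
          Member = tostring(Target.userPrincipalName)

// 2) Any use of the break-glass account in the last hour,
//    successful or not (ResultType 0 = success).
SigninLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName =~ "breakglass@contoso.example"
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ResultType, ResultDescription

// 3) Users with medium or high risk sign-ins in the last 24 hours,
//    grouped per user with the source IPs seen.
SigninLogs
| where TimeGenerated > ago(24h)
| where RiskLevelDuringSignIn in ("medium", "high") or RiskState == "atRisk"
| summarize SignIns = count(), LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress)
    by UserPrincipalName, RiskLevelDuringSignIn
| order by LastSeen desc
```

Each query can be saved as a log alert rule with a short evaluation window, or pinned to a dashboard as described above.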
This is just a rough overview of what is possible with Azure monitoring, but maybe you see where the journey goes. I think for most cases it is perfectly adequate, and every service in Azure comes with a diagnostics capability. With services like Application Insights, which takes a deeper look into the applications you consume, or Azure Sentinel, which helps with your security demands, Azure’s capabilities keep growing, offering more transparency and an easier way to operate your environment.