question

JackyTse-2805 asked vipulsparsh-MSFT commented

SignIn logs cannot ingest into the Azure Sentinel

I have recently activated a free trial Azure account with a trial P2 license and then set up Azure Sentinel. I have activated the Azure Active Directory and the Azure Activity connectors through the data connector page.

Audit logs, Usage and Azure Activity have been flowing into Sentinel successfully; however, no sign-in logs have been seen so far. I have gone through the prerequisites in the connecting Azure AD to Sentinel link (https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory) quite a few times. I have given myself the roles of Contributor, Azure Sentinel Contributor, and Global admin, still no luck.

I have checked, and a few forums have been talking about this:
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/signinlogs-are-not-showing-in-log-analytics-azure-monitor/m-p/1692381
https://techcommunity.microsoft.com/t5/azure-monitor/unable-to-view-signin-logs-in-log-analytics-workspace/m-p/895691

microsoft-sentinel

vipulsparsh-MSFT answered

@JackyTse-2805 As in most scenarios, it takes its own time to show the logs; I had seen a 24-48 hour delay. After taking this thread offline, you confirmed that it took 72 hours for the logs to show up in your case. We will provide this feedback to the concerned team and update our docs as needed.


JackyTse-2805 answered vipulsparsh-MSFT commented

@vipulsparsh-MSFT Thanks for the reply. Yes, I have now been waiting for over 24 hours since I set up Azure AD and Sentinel. I still cannot get the sign-in logs either in the logs under the Azure AD view or the logs under the Azure Sentinel view (I assume they are the same). Should I continue to wait?


@JackyTse-2805 In most scenarios it just takes some time before it shows up. How much time has elapsed since you added the connector? Has it already been more than 24 hours?


@JackyTse-2805 Yes, until you have the logs under the Azure AD view, you won't be able to see them under Sentinel. Just give it some more time and let us know.


@vipulsparsh-MSFT Thanks again. Have we excluded the insufficient permission possibility in this case? Will this be related to the MS Graph API? If none of them are related, I will then wait for another 24 hours.


The time has passed 40 hours and I am still not getting the sign-in logs in the Log Analytics workspace. What am I missing?
