Connect data from Azure Active Directory (Azure AD)
Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest sign-in logs into Azure Sentinel. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Azure Sentinel.
- Your user must be assigned the Azure Sentinel Contributor role on the workspace.
- Your user must be assigned the Global Administrator or Security Administrator role on the tenant you want to stream the logs from.
- Your user must have read and write permissions on the Azure AD diagnostic settings to see the connection status.
Connect to Azure Active Directory
1. In Azure Sentinel, select Data connectors from the navigation menu.
2. From the data connectors gallery, select Azure Active Directory and then select Open connector page.
3. Mark the check boxes next to the logs you want to stream into Azure Sentinel, and click Connect.
You can select whether alerts from Azure AD should automatically generate incidents in Azure Sentinel. Under Create incidents, select Enable to turn on the default analytics rule that creates incidents from alerts generated in the connected security service. You can then edit this rule under Analytics, in the Active rules tab.
To use the relevant schema in Log Analytics for querying Azure AD data, type the name of the table that matches the log category you connected: SigninLogs for sign-in logs or AuditLogs for audit logs.
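The queries below are an added example, not part of the original page. The first query confirms that both Azure AD tables are actually receiving rows after you click Connect, which is the check to run before relying on any detection; the second is a basic hunting query over the sign-in data. The 24-hour window and the output column names are assumptions chosen for illustration.

```kusto
// 1. Verify the connector is delivering data.
// isfuzzy=true keeps the query from failing if one of the tables has not been
// created yet (for example, when only one log category was selected on the connector).
union isfuzzy=true withsource=TableName SigninLogs, AuditLogs
| where TimeGenerated > ago(24h)
| summarize Rows = count(), Latest = max(TimeGenerated) by TableName

// 2. Failed sign-ins in the same window, grouped by account and Azure AD result code.
// ResultType is a string; "0" means success, so anything else is a failure.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize Failures = count(), Apps = make_set(AppDisplayName), IPs = make_set(IPAddress)
    by UserPrincipalName, ResultType, ResultDescription
| order by Failures desc
```

Run the queries one at a time in the Logs blade of the workspace. If the first query returns no row for a table you connected, check the diagnostic settings on the Azure AD tenant before troubleshooting Azure Sentinel itself; the connector only reads what those settings export.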
In this document, you learned how to connect Azure Active Directory to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Azure Sentinel.