Connect data from Azure Active Directory (Azure AD)

You can use Azure Sentinel's built-in connector to collect data from Azure Active Directory and stream it into Azure Sentinel. The connector allows you to stream sign-in logs and audit logs.

Prerequisites

  • Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest sign-in logs into Azure Sentinel. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Azure Sentinel.

  • Your user must be assigned the Azure Sentinel Contributor role on the workspace.

  • Your user must be assigned the Global Administrator or Security Administrator roles on the tenant you want to stream the logs from.

  • Your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.

Connect to Azure Active Directory

  1. In Azure Sentinel, select Data connectors from the navigation menu.

  2. From the data connectors gallery, select Azure Active Directory and then select Open connector page.

  3. Mark the check boxes next to the logs you want to stream into Azure Sentinel, and click Connect.

  4. You can select whether you want the alerts from Azure AD to automatically generate incidents in Azure Sentinel. Under Create incidents select Enable to enable the default analytics rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under Analytics and then Active rules.

  5. To use the relevant schema in Log Analytics for querying Azure AD alerts, type SigninLogs or AuditLogs in the query window.

Next steps

In this document, you learned how to connect Azure Active Directory to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: