Connect Azure Active Directory (Azure AD) data to Azure Sentinel

Important

As indicated below, some of the available log types are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Note

For information about feature availability in US Government clouds, see the Azure Sentinel tables in Cloud feature availability for US Government customers.

You can use Azure Sentinel's built-in connector to collect data from Azure Active Directory and stream it into Azure Sentinel. The connector allows you to stream the following log types:

  • Sign-in logs, which contain information about interactive user sign-ins where a user provides an authentication factor.

    The Azure AD connector now includes the following three additional categories of sign-in logs, all currently in PREVIEW:

  • Audit logs, which contain information about system activity relating to user and group management, managed applications, and directory activities.

  • Provisioning logs (also in PREVIEW), which contain system activity information about users, groups, and roles provisioned by the Azure AD provisioning service.

Prerequisites

  • An Azure Active Directory P1 or P2 license is required to ingest sign-in logs into Azure Sentinel. Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest the other log types. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Azure Sentinel.

  • Your user must be assigned the Azure Sentinel Contributor role on the workspace.

  • Your user must be assigned the Global Administrator or Security Administrator roles on the tenant you want to stream the logs from.

  • Your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.

Connect to Azure Active Directory

  1. In Azure Sentinel, select Data connectors from the navigation menu.

  2. From the data connectors gallery, select Azure Active Directory and then select Open connector page.

  3. Mark the check boxes next to the log types you want to stream into Azure Sentinel (see above), and select Connect.

Find your data

After a successful connection is established, the data appears in Logs, under the LogManagement section, in the following tables:

  • SigninLogs
  • AuditLogs
  • AADNonInteractiveUserSignInLogs
  • AADServicePrincipalSignInLogs
  • AADManagedIdentitySignInLogs
  • AADProvisioningLogs

To query the Azure AD logs, enter the relevant table name at the top of the query window.

Next steps

In this document, you learned how to connect Azure Active Directory to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: