Connect Azure Active Directory (Azure AD) data to Azure Sentinel
For information about feature availability in US Government clouds, see the Azure Sentinel tables in Cloud feature availability for US Government customers.
You can use Azure Sentinel's built-in connector to collect data from Azure Active Directory and stream it into Azure Sentinel. The connector allows you to stream the following log types:
Sign-in logs, which contain information about interactive user sign-ins where a user provides an authentication factor.
The Azure AD connector now includes the following three additional categories of sign-in logs, all currently in PREVIEW:
Non-interactive user sign-in logs, which contain information about sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user.
Service principal sign-in logs, which contain information about sign-ins by apps and service principals that do not involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.
Managed Identity sign-in logs, which contain information about sign-ins by Azure resources that have secrets managed by Azure. For more information, see What are managed identities for Azure resources?
Audit logs, which contain information about system activity relating to user and group management, managed applications, and directory activities.
Provisioning logs (also in PREVIEW), which contain system activity information about users, groups, and roles provisioned by the Azure AD provisioning service.
An Azure Active Directory P1 or P2 license is required to ingest sign-in logs into Azure Sentinel. Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest the other log types. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Azure Sentinel.
Your user must be assigned the Azure Sentinel Contributor role on the workspace.
Your user must be assigned the Global Administrator or Security Administrator roles on the tenant you want to stream the logs from.
Your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.
Connect to Azure Active Directory
In Azure Sentinel, select Data connectors from the navigation menu.
From the data connectors gallery, select Azure Active Directory and then select Open connector page.
Mark the check boxes next to the log types you want to stream into Azure Sentinel (see above), and select Connect.
Find your data
After a successful connection is established, the data appears in Logs, under the LogManagement section, in the following tables:
To query the Azure AD logs, enter the relevant table name at the top of the query window.
In this document, you learned how to connect Azure Active Directory to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Azure Sentinel.