Connect data from Azure Active Directory
If you want to export sign-in data from Active Directory, you must have an Azure AD P1 or P2 license.
You must be a user with global admin or security admin permissions on the tenant you want to stream the logs from.
To be able to see the connection status, you must have permission to access Azure AD diagnostic logs.
Connect to Azure AD
In Azure Sentinel, select Data connectors and then click the Azure Active Directory tile.
Next to the logs you want to stream into Azure Sentinel, click Connect.
You can select whether you want the alerts from Azure AD to automatically generate incidents in Azure Sentinel. Under Create incidents select Enable to enable the default analytic rule that creates incidents automatically from alerts generated in the connected security service. You can then edit this rule under Analytics and then Active rules.
To use the relevant schema in Log Analytics for the Azure AD alerts, search for SigninLogs and AuditLogs.
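To confirm that both tables are actually receiving data after you click Connect, you can run a freshness check like the one below in the workspace's Logs view. This is an added example, not part of the original article; the 24-hour lookback and the 60-minute staleness threshold are assumptions chosen for illustration and should be tuned to your tenant's activity.

```kusto
// Connector health check for the Azure AD tables named above.
// Assumptions (not from the article): 24h lookback, 60-minute staleness threshold.
let lookback = 24h;
let staleAfterMinutes = 60;
// Tables the connector is expected to populate.
let expected = datatable(TableName:string) ["SigninLogs", "AuditLogs"];
// isfuzzy=true lets the query run when one of the tables has not been created yet
// (for example, only one log type was connected). At least one table must exist.
let seen =
    union isfuzzy=true withsource=TableName SigninLogs, AuditLogs
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastEvent = max(TimeGenerated) by TableName;
// Left outer join keeps a row for every expected table, even with no events.
expected
| join kind=leftouter seen on TableName
| extend MinutesSinceLast = datetime_diff('minute', now(), LastEvent)
| project
    TableName,
    Events = coalesce(Events, 0),
    LastEvent,
    Status = case(
        isnull(LastEvent), "no data in lookback window",
        MinutesSinceLast > staleAfterMinutes, "stale",
        "streaming")
```

A quiet tenant can legitimately show AuditLogs as "stale" for short thresholds, so treat that status as a prompt to check the connector tile rather than as proof of a failure.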
In this document, you learned how to connect Azure AD to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.