Connect data from Azure Active Directory (Azure AD)
Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest sign-in logs into Azure Sentinel. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Azure Sentinel.
Your user must be assigned the Azure Sentinel Contributor role on the workspace.
Your user must be assigned the Global Administrator or Security Administrator roles on the tenant you want to stream the logs from.
Your user must have read and write permissions to the Azure AD diagnostic settings to see the connection status.
Connect to Azure Active Directory
In Azure Sentinel, select Data connectors from the navigation menu.
From the data connectors gallery, select Azure Active Directory and then select Open connector page.
Mark the check boxes next to the log types you want to stream into Azure Sentinel, and click Connect. These are the log types you can choose from:
- Sign-in logs: Information about the usage of managed applications and user sign-in activities.
- Audit logs: System activity information about user and group management, managed applications, and directory activities.
- Non-interactive user sign-in logs: Information about sign-ins performed by a client on behalf of a user, which don't require any interaction or authentication factor from the user.
- Service principal sign-in logs: Information about sign-ins by apps and service principals that do not involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.
- Managed Identity sign-in logs: Sign-ins by Azure resources that have secrets managed by Azure.
- Provisioning logs: System activity information about users, groups, and roles provisioned by the Azure AD provisioning service.
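After connecting, it is worth confirming which of the six log types actually reach the workspace, because an unchecked box is a silent detection gap. The following is an added example, not part of the original page or of any Microsoft tooling: it audits an exported list of Azure AD diagnostic settings. The category names, the JSON shape, and the function name `audit_coverage` are assumptions, and the sample export is constructed.

```python
import json

# Log types from the list above -> diagnostic-setting category names
# (assumption: names as used in Azure AD diagnostic settings).
CATEGORIES = {
    "Sign-in logs": "SignInLogs",
    "Audit logs": "AuditLogs",
    "Non-interactive user sign-in logs": "NonInteractiveUserSignInLogs",
    "Service principal sign-in logs": "ServicePrincipalSignInLogs",
    "Managed Identity sign-in logs": "ManagedIdentitySignInLogs",
    "Provisioning logs": "ProvisioningLogs",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-soc"
# Constructed sample export: one setting targets the Sentinel workspace,
# the other archives to a storage account only.
SAMPLE_EXPORT = json.dumps({"value": [
    {"name": "to-sentinel", "properties": {
        "workspaceId": SUB + "/providers/Microsoft.OperationalInsights/workspaces/SOC-WS",
        "logs": [
            {"category": "SignInLogs", "enabled": True},
            {"category": "AuditLogs", "enabled": True},
            {"category": "ServicePrincipalSignInLogs", "enabled": False},
        ]}},
    {"name": "archive", "properties": {
        "storageAccountId": SUB + "/providers/Microsoft.Storage/storageAccounts/archive",
        "logs": [{"category": "ProvisioningLogs", "enabled": True}]}},
]})

def audit_coverage(export_json, workspace_id):
    """Return (streaming, missing) log-type names for one workspace."""
    enabled = set()
    for setting in json.loads(export_json).get("value", []):
        props = setting.get("properties", {})
        # Resource IDs compare case-insensitively; settings that target only
        # storage or an event hub do not feed the workspace.
        if (props.get("workspaceId") or "").lower() != workspace_id.lower():
            continue
        for log in props.get("logs", []):
            if log.get("enabled"):
                enabled.add(log.get("category", "").lower())
    streaming = [n for n, c in CATEGORIES.items() if c.lower() in enabled]
    missing = [n for n, c in CATEGORIES.items() if c.lower() not in enabled]
    return streaming, missing

if __name__ == "__main__":
    ws = (SUB + "/providers/Microsoft.OperationalInsights/workspaces/SOC-WS").lower()
    ok, gaps = audit_coverage(SAMPLE_EXPORT, ws)
    print("streaming:", ok)
    print("NOT streaming:", gaps)
```

In the sample, provisioning logs are enabled only on the storage archive setting, so they are reported as not streaming to the workspace.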
Find your data
After a successful connection is established, the data appears in Logs, under the LogManagement section, in the following tables:
To query the Azure AD logs, enter the relevant table name at the top of the query window.
In this document, you learned how to connect Azure Active Directory to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.