Connect data from Azure AD Identity Protection
You can stream alert logs from Azure AD Identity Protection into Azure Sentinel to view dashboards, create custom alerts, and improve investigation. Azure Active Directory Identity Protection provides a consolidated view of at-risk users, risk detections and vulnerabilities, with the ability to remediate risk immediately and set policies to auto-remediate future events. The service is built on Microsoft’s experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion log-ins a day.
- You must have an Azure Active Directory Premium P1 or P2 license
- User with global administrator or security administrator permissions
Connect to Azure AD Identity Protection
If you already have Azure AD Identity Protection, make sure it is enabled on your network. If Azure AD Identity Protection is deployed and getting data, the alert data can easily be streamed into Azure Sentinel.
In Azure Sentinel, select Data connectors and then click the Azure AD Identity Protection tile.
Click Connect to start streaming Azure AD Identity Protection events into Azure Sentinel.
To use the relevant schema in Log Analytics for the Azure AD Identity Protection alerts, search for IdentityProtectionLogs_CL.
In this document, you learned how to connect Azure AD Identity Protection to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.