Exercise - Connect data from Azure Active Directory to Azure Sentinel
Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest sign-in logs into Azure Sentinel. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Azure Sentinel.
Your user must be assigned the Azure Sentinel Contributor role on the workspace.
Your user must be assigned the Global Administrator or Security Administrator role on the tenant you want to stream the logs from.
Your user must have read and write permissions to the Azure AD diagnostic settings to be able to see the connection status.
Create and add an Azure Sentinel workspace
Use these instructions if you do not already have a workspace available to Azure Sentinel.
Sign in to the Azure portal as a tenant administrator.
Search for and select Azure Sentinel.
In the Azure Sentinel workspaces blade, on the menu, select + Add.
If you already have an Azure Sentinel workspace, you can select that and continue to the next task.
In the Add Azure Sentinel to a workspace blade, select Create a new workspace.
Use the following information to create a new Log Analytics workspace:
Setting | Value
Subscription | Use your current subscription.
Resource group | Use an existing resource group or create a new one.
Name | The workspace name must be a globally unique value.
Pricing tier | Pay-as-you-go
When complete, select your new workspace and then select Add to add the workspace to Azure Sentinel.
Connect to Azure Active Directory
In Azure Sentinel, in the navigation menu on the left, under Configuration, select Data connectors.
In the Data connectors list, select Azure Active Directory and then select Open connector page.
Under Configuration, select the Azure Active Directory Sign-in logs and Audit logs checkboxes and then select Apply changes.
Close the Azure Active Directory connector page.
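To confirm that both log types selected above are reaching the workspace, a query like the following can be run from the Logs page of the workspace. It is an added example, not part of the original exercise; it assumes the connector writes to the standard SigninLogs and AuditLogs tables, and the 24-hour window is an arbitrary choice.

```kusto
// Added verification example (not from the original exercise).
// isfuzzy=true lets the query succeed even if one table does not exist yet,
// so a missing row in the result means that log type has not arrived.
union withsource=SourceTable isfuzzy=true SigninLogs, AuditLogs
| where TimeGenerated > ago(24h)            // assumed look-back window
| summarize Records   = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by SourceTable
| extend MinutesSinceLastRecord = datetime_diff('minute', now(), LastSeen)
| order by SourceTable asc
```

A table that is absent from the result has received no records in the window; recheck its checkbox on the connector page and the Azure AD diagnostic settings.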