Connect Azure Active Directory (Azure AD) data to Microsoft Sentinel
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
You can use Microsoft Sentinel's built-in connector to collect data from Azure Active Directory and stream it into Microsoft Sentinel. The connector allows you to stream the following log types:
Sign-in logs, which contain information about interactive user sign-ins where a user provides an authentication factor.
The Azure AD connector now includes the following three additional categories of sign-in logs, all currently in PREVIEW:
Non-interactive user sign-in logs, which contain information about sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user.
Service principal sign-in logs, which contain information about sign-ins by apps and service principals that do not involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.
Managed Identity sign-in logs, which contain information about sign-ins by Azure resources that have secrets managed by Azure. For more information, see What are managed identities for Azure resources?
Audit logs, which contain information about system activity relating to user and group management, managed applications, and directory activities.
Provisioning logs (also in PREVIEW), which contain system activity information about users, groups, and roles provisioned by the Azure AD provisioning service.
An Azure Active Directory P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest the other log types. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.
Your user must be assigned the Microsoft Sentinel Contributor role on the workspace.
Your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.
Connect to Azure Active Directory
In Microsoft Sentinel, select Data connectors from the navigation menu.
From the data connectors gallery, select Azure Active Directory and then select Open connector page.
Mark the check boxes next to the log types you want to stream into Microsoft Sentinel (see above), and select Connect.
Find your data
After a successful connection is established, the data appears in Logs, under the LogManagement section, in the following tables:
To query the Azure AD logs, enter the relevant table name at the top of the query window.
In this document, you learned how to connect Azure Active Directory to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
- Learn how to get visibility into your data and potential threats.
- Get started detecting threats with Microsoft Sentinel.
Submit and view feedback for