Integrate Microsoft Entra logs with Azure Monitor logs
Using diagnostic settings in Microsoft Entra ID, you can integrate logs with Azure Monitor so your sign-in activity and the audit trail of changes within your tenant can be analyzed along with other Azure data.
This article provides the steps to integrate Microsoft Entra logs with Azure Monitor.
Use the integration of Microsoft Entra activity logs and Azure Monitor to perform the following tasks:
- Compare your Microsoft Entra sign-in logs against security logs published by Microsoft Defender for Cloud.
- Troubleshoot performance bottlenecks on your application’s sign-in page by correlating application performance data from Azure Application Insights.
- Analyze the Identity Protection risky users and risk detections logs to detect threats in your environment.
- Identify sign-ins from applications still using the Active Directory Authentication Library (ADAL) for authentication. Learn about the ADAL end-of-support plan.
Integrating Microsoft Entra logs with Azure Monitor automatically enables the Microsoft Entra data connector within Microsoft Sentinel.
To use this feature, you need:
- An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
- A Microsoft Entra ID P1 or P2 tenant.
- Global Administrator or Security Administrator access for the Microsoft Entra tenant.
- A Log Analytics workspace in your Azure subscription. Learn how to create a Log Analytics workspace.
- Permission to access data in a Log Analytics workspace. See Manage access to log data and workspaces in Azure Monitor for information on the different permission options and how to configure permissions.
Create a Log Analytics workspace
A Log Analytics workspace allows you to collect data based on a variety or requirements, such as geographic location of the data, subscription boundaries, or access to resources. Learn how to create a Log Analytics workspace.
Looking for how to set up a Log Analytics workspace for Azure resources outside of Microsoft Entra ID? Check out the Collect and view resource logs for Azure Monitor article.
Send logs to Azure Monitor
Use the following steps to send logs from Microsoft Entra ID to Azure Monitor logs. Looking for how to set up Log Analytics workspace for Azure resources outside of Microsoft Entra ID? Check out the Collect and view resource logs for Azure Monitor article.
Steps in this article might vary slightly based on the portal you start from.
Browse to Identity > Monitoring & health > Diagnostic settings. You can also select Export Settings from either the Audit Logs or Sign-ins page.
Select + Add diagnostic setting to create a new integration or select Edit setting for an existing integration.
Enter a Diagnostic setting name. If you're editing an existing integration, you can't change the name.
Select the log categories that you want to stream.
Under Destination Details select the Send to Log Analytics workspace check box.
Select the appropriate Subscription and Log Analytics workspace from the menus.
Select the Save button.
If you don't see logs appearing in the selected destination after 15 minutes, sign out and back into Azure to refresh the logs.