Share via

Guidance on architecture, supported data ingestion methods, and recommended Azure services to create a consolidated multi-service dashboard.

Pankaj Kumar Tiwari 0 Reputation points
2025-11-26T17:56:13.5533333+00:00

I want to build a single unified dashboard that displays metrics from Intune, Defender, M365, Sentinel, and Entra ID. I also need advice on the best approach to fetch data from these services and store it in Log Analytics Workspace (LAW). Additionally, I want to understand if Azure Workbooks or any other Azure service supports integrating external data sources (AWS, GCP, or custom APIs) into the same dashboard.

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Adam Zachary 2,025 Reputation points
    2025-11-26T21:09:27.57+00:00

    I’ve built this type of consolidated security dashboard a few times, combining Intune, Defender, M365, Sentinel, and Entra signals into one place. The core idea is always the same: pull everything into a single Log Analytics Workspace, then build your dashboards on top of it.

    Here’s the simplest and most reliable architecture:

    1. Use Microsoft Graph for anything that doesn’t have native Sentinel connectors. Intune, Entra ID, and some Defender datasets only expose the deeper metrics through Graph.

    I usually run scheduled jobs in: Azure Functions / Logic Apps or an Automation Account to pull the data and write it into a custom table in Log Analytics.

    2. Use the built-in Sentinel connectors wherever possible. Defender for Endpoint, Defender for Office 365, Defender for Identity, and the M365 security logs already have connectors that stream straight into Sentinel and LAW without extra work.

    3. For external data sources (AWS, GCP, custom APIs), Azure Workbooks can read from multiple sources. Workbooks can combine: Log Analytics - Azure Resource Graph - Azure Monitor Metrics - Custom REST APIs (via parameters) - External JSON endpoints So yes, you can bring AWS, GCP, or any API into the same dashboard as long as you expose it in a consumable way.

    4. Store everything in a central LA. This makes the KQL layer clean and lets you build one unified workbook on top of all services.

    Typical setup that works well: Sentinel + LA Workspace as the data platform + Graph-based ingestion for Entra, Intune, and any gaps in the Defender stack with native connectors for Defender and M365 - A workbook or Power BI dashboard on top for visualization.

    Optional Event Hub if you need to stage external logs before writing to LAW

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.