Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,560 questions
Activity Directory Sign-In logs won't send to Event Hub
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 95%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Matthew B
1
Reputation point
Hi
I've selected the following events in Active Directory Sign-In logs to send to an event hub
AuditLogs
SignInLogs
In order to export Sign-in data, your organization needs Azure AD P1 or P2 license. If you don't have a P1 or P2, start a free trial.
NonInteractiveUserSignInLogs
ServicePrincipalSignInLogs
ManagedIdentitySignInLogs
ProvisioningLogs
ADFSSignInLogs
RiskyUsers
UserRiskEvents
The correct event hub and subscription are selected.
However when I go to the event hub with the same name, none of the events are displayed. Even with most filters removed.
How do we get the signin events into the event hub so we can ship them off to our SIEM?
Thanks,
Matthew
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee2021-11-09T12:03:07.273+00:00 @Matthew B How much time has elapsed since you enabled this event hub export ? It is not instant and might take upto 24 hours and even more depending on certain logs.
-
VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
2021-11-11T04:16:50.553+00:00 @Matthew B Checking if you are still not able to see the logs and how much time has been elapsed.
Sign in to comment