Azure Sentinel - Azure Active Directory Data connector does not display sign-in logs

VegAas 1 Reputation point
2022-04-26T07:24:24.267+00:00

Hi.
In February 2022 I set up Microsoft Sentinel with Azure Active Directory and everything worked fine. All logs from the connector synced. In March it suddenly stopped working; now I only get AuditLogs. The only change I have made is the change from E3 + Premium P1 -> Business Premium license. I have attempted to assign back a P1 license with no changes. The tenant has around 120 active users, so there is a lot of sign-in activity.
[screenshot attached: 196502-image.png]

Logs are enabled and the user I am logged in as has global admin access.
PS C:\windows\system32> Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
UnifiedAuditLogIngestionEnabled : True

Need help to point me in the right direction here. I have also looked at this:
https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory


4 answers

  1. Andrew Blumhardt 9,496 Reputation points Microsoft Employee
    2022-04-26T18:05:39.873+00:00

    You might try disconnecting and reconnecting. Also, you might try verifying the diagnostic setting manually:

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor


  2. VegAas 1 Reputation point
    2022-04-27T12:38:14.373+00:00

    Not showing anything here. I do not see an option to remove the connector and enable it again. I have attempted to remove and add sign-in logs multiple times.

    [screenshot attached: 196930-image.png]


  3. Alistair Ross 7,101 Reputation points Microsoft Employee
    2022-04-27T13:55:42.807+00:00

    Hi @VegAas ,

    You are correct when you say there isn't the option to remove the connector. This is a built-in connector, and "unchecking" logs is effectively removing it. When you check these boxes, such as Sign-In Logs, and click Apply changes, this updates a diagnostic setting on the same Azure AD tenant that Microsoft Sentinel resides in, providing you have the correct permissions to do so.

    All the details to send the logs to Sentinel manually can be found in the link @Andrew Blumhardt shared: howto-integrate-activity-logs-with-log-analytics. This method is also needed if you are setting the logs up across tenants using Azure Lighthouse, as the built-in connector doesn't support this. Though keep in mind, some features, such as UEBA, do not support Lighthouse, and therefore you won't see factual information such as a user's manager / location etc. if the AD user resides in a different tenant.

    Once you've done this and are sending data to Sentinel, the connector will show as enabled, as it is only monitoring the ingestion of data into the relevant table.

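The answer above describes the connector as a thin wrapper over an Azure AD diagnostic setting, with the connector status only reflecting rows arriving in the workspace table. The following is an added example (not code from the thread or from Microsoft) that turns that into a defender's check: it reads diagnostic-setting JSON in the ARM `Microsoft.Insights/diagnosticSettings` shape, reports which required categories are not being exported to the expected workspace, and separately flags a table whose newest row is too old. The settings document, the workspace resource id and the timestamps are constructed sample data; in practice you would feed it the output of a diagnostic-settings listing and the result of a `SigninLogs | summarize max(TimeGenerated)` query.

```python
"""Check an Azure AD diagnostic setting against what the Sentinel connector expects.

Added example, not from the original thread. The input shape follows the ARM
Microsoft.Insights/diagnosticSettings resource; the sample below is constructed
so the check runs offline.
"""
import json
from datetime import datetime, timedelta, timezone

# Log categories the Sentinel Azure AD connector checkboxes map to. Only the two
# the thread mentions are required here; others (e.g. NonInteractiveUserSignInLogs)
# are optional.
REQUIRED_CATEGORIES = ("AuditLogs", "SignInLogs")

# Constructed sample workspace resource id (placeholder subscription id).
SAMPLE_WORKSPACE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel"
    "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
)

# Constructed sample: a single setting that exports AuditLogs but not SignInLogs,
# i.e. the symptom described in the question.
SAMPLE_SETTINGS_JSON = """
[
  {
    "name": "sentinel-aad",
    "type": "Microsoft.Insights/diagnosticSettings",
    "properties": {
      "workspaceId": "%s",
      "logs": [
        {"category": "AuditLogs", "enabled": true},
        {"category": "SignInLogs", "enabled": false},
        {"category": "NonInteractiveUserSignInLogs", "enabled": false}
      ],
      "metrics": []
    }
  }
]
""" % SAMPLE_WORKSPACE_ID
SAMPLE_SETTINGS = json.loads(SAMPLE_SETTINGS_JSON)


def enabled_categories(setting):
    """Return the set of log categories a single diagnostic setting actually exports."""
    return {log["category"] for log in setting["properties"].get("logs", []) if log.get("enabled")}


def check_settings(settings, workspace_id, required=REQUIRED_CATEGORIES):
    """Map each required category to True if some setting sends it to workspace_id.

    Settings that target a different workspace are ignored on purpose: a category
    enabled toward the wrong workspace still leaves the Sentinel table empty.
    Resource ids are compared case-insensitively, as ARM does.
    """
    covered = set()
    for setting in settings:
        target = setting["properties"].get("workspaceId", "")
        if target.lower() == workspace_id.lower():
            covered |= enabled_categories(setting)
    return {category: category in covered for category in required}


def missing_categories(settings, workspace_id, required=REQUIRED_CATEGORIES):
    """List the required categories that are not exported to workspace_id."""
    return [c for c, ok in check_settings(settings, workspace_id, required).items() if not ok]


def table_is_stale(latest_time_generated, now, max_age_hours=1):
    """Decide whether a table has stopped receiving rows.

    latest_time_generated is the ISO 8601 value of max(TimeGenerated) for the
    table, or None when the query returned no rows; now is an ISO 8601 timestamp
    (passed in rather than read from the clock so the check is reproducible).
    """
    if latest_time_generated is None:
        return True
    latest = datetime.fromisoformat(latest_time_generated.replace("Z", "+00:00"))
    current = datetime.fromisoformat(now.replace("Z", "+00:00"))
    if latest.tzinfo is None:
        latest = latest.replace(tzinfo=timezone.utc)
    if current.tzinfo is None:
        current = current.replace(tzinfo=timezone.utc)
    return current - latest > timedelta(hours=max_age_hours)


if __name__ == "__main__":
    missing = missing_categories(SAMPLE_SETTINGS, SAMPLE_WORKSPACE_ID)
    print("categories not exported to the Sentinel workspace:", missing or "none")
    # Constructed timestamps: newest SigninLogs row is over an hour old.
    print("SigninLogs stale:", table_is_stale("2022-04-26T06:00:00Z", "2022-04-26T07:24:24Z"))
```

Running it against the sample reports `SignInLogs` as missing, which is exactly the state in which the portal shows AuditLogs flowing and nothing in SigninLogs; if the list came back empty for the expected workspace id, every required category would be reported, which is the cross-tenant or wrong-workspace case the answer describes.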

  4. Andrew Blumhardt 9,496 Reputation points Microsoft Employee
    2022-04-27T13:59:08.977+00:00

    I assume all the connector is doing is setting the diagnostics to the same workspace. I cannot see my settings due to lab restrictions (not a GA). I would just set it manually if needed. This could also raise an error that could help in explaining the issue.
