Exchange Security Insights Online Collector (using Azure Functions) connector for Microsoft Sentinel

Connector used to push Exchange Online Security configuration for Microsoft Sentinel Analysis

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) ESIExchangeOnlineConfig_CL
Data collection rules support Not currently supported
Supported by Community

Query samples

View how many Configuration entries exist on the table

| summarize by GenerationInstanceID_g, EntryDate_s, ESIEnvironment_s


To integrate with Exchange Security Insights Online Collector (using Azure Functions) make sure you have:

Vendor installation instructions



This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : ExchangeConfiguration and ExchangeEnvironmentList

STEP 1 - Parsers deployment


This connector uses Azure Automation to connect to 'Exchange Online' to pull its Security analysis into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Automation pricing page for details.

STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Automation

IMPORTANT: Before deploying the 'ESI Exchange Online Security Configuration' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Exchange Online tenant name (, readily available.

Option 1 - Azure Resource Manager (ARM) Template

Use this method for automated deployment of the 'ESI Exchange Online Security Configuration' connector.

  1. Click the Deploy to Azure button below.

    Deploy To Azure

  2. Select the preferred Subscription, Resource Group and Location.

  3. Enter the Workspace ID, Workspace Key, Tenant Name, 'and/or Other required fields'.

  1. Mark the checkbox labeled I agree to the terms and conditions stated above. 5. Click Purchase to deploy.

Option 2 - Manual Deployment of Azure Automation

Use the following step-by-step instructions to deploy the 'ESI Exchange Online Security Configuration' connector manually with Azure Automation.

STEP 3 - Assign Microsoft Graph Permission and Exchange Online Permission to Managed Identity Account

To be able to collect Exchange Online information and to be able to retrieve User information and memberlist of admin groups, the automation account need multiple permission.

Next steps

For more information, go to the related solution in the Azure Marketplace.