Integrate Microsoft Entra logs with Azure Monitor logs

Using diagnostic settings in Microsoft Entra ID, you can integrate logs with Azure Monitor so your sign-in activity and the audit trail of changes within your tenant can be analyzed along with other Azure data.

This article provides the steps to integrate Microsoft Entra logs with Azure Monitor.

Use the integration of Microsoft Entra activity logs and Azure Monitor to perform the following tasks:

  • Compare your Microsoft Entra sign-in logs against security logs published by Microsoft Defender for Cloud.
  • Troubleshoot performance bottlenecks on your application’s sign-in page by correlating application performance data from Azure Application Insights.
  • Analyze the Identity Protection risky users and risk detections logs to detect threats in your environment.
  • Identify sign-ins from applications still using the Active Directory Authentication Library (ADAL) for authentication. Learn about the ADAL end-of-support plan.

Note

Integrating Microsoft Entra logs with Azure Monitor automatically enables the Microsoft Entra data connector within Microsoft Sentinel.

Prerequisites

To use this feature, you need:

  • A Microsoft Entra ID P1 or P2 tenant.

  • At least the Security Administrator role in the Microsoft Entra tenant.

None

Create a Log Analytics workspace

A Log Analytics workspace allows you to collect data based on a variety or requirements, such as geographic location of the data, subscription boundaries, or access to resources. Learn how to create a Log Analytics workspace.

Looking for how to set up a Log Analytics workspace for Azure resources outside of Microsoft Entra ID? Check out the Collect and view resource logs for Azure Monitor article.

Send logs to Azure Monitor

Use the following steps to send logs from Microsoft Entra ID to Azure Monitor logs. Looking for how to set up Log Analytics workspace for Azure resources outside of Microsoft Entra ID? Check out the Collect and view resource logs for Azure Monitor article.

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Monitoring & health > Diagnostic settings. You can also select Export Settings from either the Audit Logs or Sign-ins page.

  3. Select + Add diagnostic setting to create a new integration or select Edit setting for an existing integration.

  4. Enter a Diagnostic setting name. If you're editing an existing integration, you can't change the name.

  5. Select the log categories that you want to stream.

  6. Under Destination Details select the Send to Log Analytics workspace check box.

  7. Select the appropriate Subscription and Log Analytics workspace from the menus.

  8. Select the Save button.

    Screenshot of the diagnostics settings with some destination details shown.

    If you don't see logs appearing in the selected destination after 15 minutes, sign out and back into Azure to refresh the logs.