Connect Microsoft Entra data to Microsoft Sentinel

Članek
10. 02. 2025

You can use Microsoft Sentinel's built-in connector to collect data from Microsoft Entra ID and stream it into Microsoft Sentinel. The connector allows you to stream the following log types:

Sign-in logs, which contain information about interactive user sign-ins where a user provides an authentication factor.

The Microsoft Entra connector now includes the following three additional categories of sign-in logs, all currently in PREVIEW:
- Non-interactive user sign-in logs, which contain information about sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user.
- Service principal sign-in logs, which contain information about sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.
- Managed Identity sign-in logs, which contain information about sign-ins by Azure resources that have secrets managed by Azure. For more information, see What are managed identities for Azure resources?
Audit logs, which contain information about system activity relating to user and group management, managed applications, and directory activities.
Provisioning logs (also in PREVIEW), which contain system activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service.
Microsoft Graph activity logs, which contain information about HTTP requests accessing your tenant’s resources through the Microsoft Graph API.

Pomembno

Some of the available log types are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Opomba

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Prerequisites

A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Other per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.
Your user must be assigned the Microsoft Sentinel Contributor role on the workspace.
Your user must have the Security Administrator role on the tenant you want to stream the logs from, or the equivalent permissions.
Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status.
Install the solution for Microsoft Entra ID from the Content Hub in Microsoft Sentinel. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.

Connect to Microsoft Entra ID

In Microsoft Sentinel, select Data connectors from the navigation menu.
From the data connectors gallery, select Microsoft Entra ID and then select Open connector page.
Mark the check boxes next to the log types you want to stream into Microsoft Sentinel, and select Connect.

Find your data

After a successful connection is established, the data appears in Logs, under the LogManagement section, in the following tables:

SigninLogs
AuditLogs
AADNonInteractiveUserSignInLogs
AADServicePrincipalSignInLogs
AADManagedIdentitySignInLogs
AADProvisioningLogs
MSGraphActivityLogs

To query the Microsoft Entra logs, enter the relevant table name at the top of the query window.

If an expected table is not available, verify the log categories are selected for your Microsoft Sentinel workspace in Microsoft Entra diagnostic settings. For more informatoin, see Configure Microsoft Entra diagnostic settings for activity logs.

Next steps

In this document, you learned how to connect Microsoft Entra ID to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:

Learn how to get visibility into your data and potential threats.
Get started detecting threats with Microsoft Sentinel.

Dodatni viri

Dokumentacija

Conector de Microsoft Entra ID para Microsoft Sentinel

Aprenda a instalar el conector de Microsoft Entra ID para conectar el origen de datos a Microsoft Sentinel.
Auditoría de consultas y actividades de Microsoft Sentinel

En este artículo se describe cómo auditar las consultas y actividades realizadas en Microsoft Sentinel.
Conector de Protección de id. de Microsoft Entra para Microsoft Sentinel

Vea cómo instalar el conector de Protección de id. de Microsoft Entra para conectar su origen de datos a Microsoft Sentinel.
Roles y permisos en Microsoft Sentinel

Obtenga información sobre cómo Microsoft Sentinel asigna permisos a los usuarios mediante el control de acceso basado en roles de Azure e identifica las acciones permitidas para cada rol.
Creación de reglas de análisis programadas en Microsoft Sentinel

En este artículo se explica cómo ver y crear reglas de análisis programadas en Microsoft Sentinel.
Administración del ciclo de vida completo de las soluciones en desuso en Microsoft Sentinel

Este artículo le guía por el proceso de identificación de soluciones en desuso en Microsoft Sentinel y la administración del ciclo de vida de estas soluciones.
Límites de servicio de Microsoft Sentinel

En este artículo se proporciona una lista de límites de servicio para Microsoft Sentinel.
Creación de incidentes a partir de alertas en Microsoft Sentinel

Aprenda a crear incidentes a partir de alertas en Microsoft Sentinel.

Usposabljanje

Modul

Conexión de servicios Microsoft a Microsoft Sentinel - Training

Conexión de servicios Microsoft a Microsoft Sentinel

Potrdilo

Microsoft Certified: Identity and Access Administrator Associate - Certifications

Muestre las características de Microsoft Entra ID para modernizar las soluciones de identidad, implementar soluciones híbridas e implementar la gobernanza de identidades.

Deli z drugimi prek