Send data to Microsoft Sentinel using the Microsoft Entra ID data connector

Microsoft Entra ID logs provide comprehensive information about users, applications, and networks accessing your Entra tenant. This article explains the types of logs you can collect using the Microsoft Entra ID data connector, how to enable the connector to send data to Microsoft Sentinel, and how to find your data in Microsoft Sentinel.

Microsoft Entra ID data connector data types

This table lists the logs you can send from Microsoft Entra ID to Microsoft Sentinel using the Microsoft Entra ID data connector. Sentinel stores these logs in the Log Analytics workspace linked to your Microsoft Sentinel workspace.

| Log type | Description | Log schema |
|---|---|---|
| Audit logs | System activity related to user and group management, managed applications, and directory activities. | AuditLogs |
| Sign-in logs | Interactive user sign-ins where a user provides an authentication factor. | SigninLogs |
| Non-interactive user sign-in logs (Preview) | Sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user. | AADNonInteractiveUserSignInLogs |
| Service principal sign-in logs (Preview) | Sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources. | AADServicePrincipalSignInLogs |
| Managed Identity sign-in logs (Preview) | Sign-ins by Azure resources that have secrets managed by Azure. For more information, see What are managed identities for Azure resources?. | AADManagedIdentitySignInLogs |
| AD FS sign-in logs | Sign-ins performed through Active Directory Federation Services (AD FS). | ADFSSignInLogs |
| Enriched Office 365 audit logs | Security events related to Microsoft 365 apps. | EnrichedOffice365AuditLogs |
| Provisioning logs (Preview) | System activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service. | AADProvisioningLogs |
| Microsoft Graph activity logs | HTTP requests accessing your tenant's resources through the Microsoft Graph API. | MicrosoftGraphActivityLogs |
| Network access traffic logs | Network access traffic and activities. | NetworkAccessTraffic |
| Remote network health logs | Insights into the health of remote networks. | RemoteNetworkHealthLogs |
| User risk events | User risk events generated by Microsoft Entra ID Protection. | AADUserRiskEvents |
| Risky users | Risky users logged by Microsoft Entra ID Protection. | AADRiskyUsers |
| Risky service principals | Information about service principals flagged as risky by Microsoft Entra ID Protection. | AADRiskyServicePrincipals |
| Service principal risk events | Risk detections associated with service principals logged by Microsoft Entra ID Protection. | AADServicePrincipalRiskEvents |

Important

Some of the available log types are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Prerequisites

  • A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Other per-gigabyte charges might apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.

  • Your user must be assigned the Microsoft Sentinel Contributor role on the workspace.

  • Your user must have the Security Administrator role on the tenant you want to stream the logs from, or the equivalent permissions.

  • Your user must have read and write permissions on the Microsoft Entra diagnostic settings to see the connection status.

Enable the Microsoft Entra ID data connector

Search for and enable the Microsoft Entra ID connector as described in Enable a data connector.
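After the connector is enabled, verify that each selected log type is actually arriving in the workspace. The following KQL query is an added example, not part of the original article or the connector itself; it assumes the Log Analytics table names listed above and a lookback window of 24 hours, and it reports tables that have received no data in that window.

```kql
// Added example (not from the original article): check which Entra ID tables
// populated by the connector have received records in the lookback window.
let lookback = 24h;
// Tables the connector can populate, as listed in the data types table above.
let expected = datatable(SourceTable:string) [
    "AuditLogs", "SigninLogs", "AADNonInteractiveUserSignInLogs",
    "AADServicePrincipalSignInLogs", "AADManagedIdentitySignInLogs", "ADFSSignInLogs",
    "EnrichedOffice365AuditLogs", "AADProvisioningLogs", "MicrosoftGraphActivityLogs",
    "NetworkAccessTraffic", "RemoteNetworkHealthLogs",
    "AADUserRiskEvents", "AADRiskyUsers", "AADRiskyServicePrincipals",
    "AADServicePrincipalRiskEvents"
];
// isfuzzy=true lets the union run even when a table does not exist yet in the
// workspace (for example, a log type that was not selected or is not licensed),
// instead of failing the whole query.
let observed = union isfuzzy=true withsource=SourceTable
    AuditLogs, SigninLogs, AADNonInteractiveUserSignInLogs,
    AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs, ADFSSignInLogs,
    EnrichedOffice365AuditLogs, AADProvisioningLogs, MicrosoftGraphActivityLogs,
    NetworkAccessTraffic, RemoteNetworkHealthLogs,
    AADUserRiskEvents, AADRiskyUsers, AADRiskyServicePrincipals,
    AADServicePrincipalRiskEvents
| where TimeGenerated > ago(lookback)
| summarize Records = count(), LastSeen = max(TimeGenerated) by SourceTable;
// Left-outer join keeps every expected table, so silent ones show up as NO DATA.
expected
| join kind=leftouter observed on SourceTable
| extend Records = coalesce(Records, 0)
| extend Status = iff(Records == 0, "NO DATA", "ok")
| extend MinutesSinceLast = iff(isnull(LastSeen), long(null),
                                datetime_diff('minute', now(), LastSeen))
| project SourceTable, Status, Records, LastSeen, MinutesSinceLast
| sort by Records asc, LastSeen asc
```

A table showing NO DATA is expected for preview log types you did not select in the connector or for sign-in tables when the tenant lacks a P1 or P2 license; a table that normally has data but shows a large MinutesSinceLast value is worth checking in the diagnostic settings.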

Install the Microsoft Entra ID solution (optional)

Install the solution for Microsoft Entra ID from the Content Hub in Microsoft Sentinel to get prebuilt workbooks, analytics rules, playbooks, and more. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.

Next steps

In this document, you learned how to connect Microsoft Entra ID to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: