Introduction
In today's cloud-centric security landscape, Microsoft Entra ID serves as the backbone for identity and access management in Microsoft ecosystems.
It tracks critical events like user sign-ins, audits, and provisioning activities that are essential for detecting threats such as unauthorized access or risky behaviors. Microsoft Sentinel, Microsoft's cloud-native SIEM and SOAR solution, empowers security teams to ingest, analyze, and respond to these events at scale.
Connecting Entra ID logs to Sentinel unlocks powerful capabilities: real-time threat detection, automated incident response, and enriched investigations using Kusto Query Language (KQL). This integration streams diagnostic data directly into Sentinel's Log Analytics workspace, enabling you to build analytics rules, workbooks, and playbooks tailored to identity-based attacks. Whether you're hunting for anomalous sign-ins or monitoring service principal risks, this setup is a must for modern SecOps.
Prerequisites
Licensing
Microsoft Entra ID P1 or P2 license for sign-in logs (Free or O365 suffices for audit and provisioning logs).
Microsoft Entra Workload ID Premium for advanced risk logs like AADRiskyServicePrincipals and AADServicePrincipalRiskEvents.
Note: log ingestion into Azure Monitor and Sentinel is billed per GB, so the log types you enable directly affect cost.
Permissions and Roles
Microsoft Sentinel Contributor role on the target Log Analytics workspace.
Security Administrator role (or equivalent) on the Entra ID tenant.
Read/write access to Entra ID diagnostic settings.
Steps to create a Log Analytics Workspace and add it to Sentinel
Create a Resource Group
Create a Log Analytics Workspace
Go to Microsoft Sentinel and assign the created Workspace
The Microsoft Entra ID solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID Audit, Sign-in, Provisioning, Risk Events, and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.
Steps to Connect Entra Logs to Sentinel
Go to Sentinel Workspace --> Content Hub
Search for Microsoft Entra ID
Click Install
Fulfill all prerequisites
Select all log types that need to be ingested into Sentinel
Check Entra Logs in Microsoft Sentinel
In Sentinel, go to Logs.
Run a KQL query. Example:

```kql
SigninLogs
| take 10
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResultType
```
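The query above only proves that SigninLogs is populated. The following query, added here as an example and not part of the original post, checks every Entra ID table the connector can deliver (the audit, sign-in, provisioning, risk-event and risky user/service principal logs listed earlier) in one pass and reports how fresh each one is. It assumes the connector's standard Sentinel table names; `union isfuzzy=true` keeps the query running even when a table has not been created yet, which is exactly the case when a log type was not selected or its license is missing, so a table that is absent from the result is the first thing to look at when troubleshooting "no data ingested".

```kql
// Added example: per-table ingestion check for the Entra ID connector.
// isfuzzy=true tolerates tables that do not exist yet in this workspace
// (not selected in the connector, or not licensed), instead of failing.
union isfuzzy=true
    SigninLogs,
    AuditLogs,
    ProvisioningLogs,
    AADNonInteractiveUserSignInLogs,
    AADServicePrincipalSignInLogs,
    AADManagedIdentitySignInLogs,
    AADUserRiskEvents,
    AADRiskyUsers,
    AADServicePrincipalRiskEvents,
    AADRiskyServicePrincipals
| where TimeGenerated > ago(24h)
// Type holds the destination table name for every row in a union
| summarize Events = count(), Latest = max(TimeGenerated) by Type
// Minutes since the newest record; a large value means the stream has stalled
| extend MinutesSinceLast = datetime_diff('minute', now(), Latest)
| order by Events desc
```

Run it a few minutes after enabling the connector; diagnostic settings typically take some time to deliver the first records, so an empty result immediately after setup is not by itself a fault. A table that stays absent after the delay points back to the log-type selection or the licensing prerequisites.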
Troubleshooting Common Issues
No Data Ingested: Double-check licenses (e.g., P1 for sign-ins) and permissions. Ensure the workspace is correctly linked.
Access Errors: Reassign the Security Administrator role; it is non-delegable.
High Costs: Monitor ingestion via Azure Monitor > Logs and optimize by deselecting unused log types.
Preview Logs Missing: Confirm your subscription supports previews; contact Microsoft support if needed.
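To act on the "High Costs" item, it helps to see which of the connected Entra ID tables is actually driving the bill before deselecting log types. The following query is an added example, not from the original post; it reads the workspace's built-in `Usage` table, where `Quantity` is recorded in MB, and assumes the connector's standard table names (anything prefixed `AAD` plus the three classic tables).

```kql
// Added example: billed volume per Entra ID table over the last 30 days.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
// Entra ID tables delivered by the connector
| where DataType startswith "AAD"
     or DataType in ("SigninLogs", "AuditLogs", "ProvisioningLogs")
// Quantity is in MB; convert to GB for comparison with per-GB pricing
| summarize BilledGB = round(sum(Quantity) / 1024, 2) by DataType
| order by BilledGB desc
```

Non-interactive sign-in logs are usually the largest contributor in a tenant with many automated clients, so if the numbers are higher than expected that table is the first candidate to review, while keeping the interactive sign-in, audit and risk tables that most identity detections depend on.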