
Commit 1f97493

Merge pull request #296394 from guywi-ms/entra-id-connector-updates
Update connect-azure-active-directory.md
2 parents 600419f + 7437967 commit 1f97493


2 files changed: +48 / -40 lines changed

articles/sentinel/configure-data-connector.md

Lines changed: 18 additions & 0 deletions
@@ -50,6 +50,8 @@ After you or someone in your organization installs the solution that includes th
5050

5151
:::image type="content" source="media/configure-data-connector/open-connector-page-option-defender-portal.png" alt-text="Screenshot of data connector details page in the Defender portal.":::
5252

53+
---
54+
5355
1. Review the **Prerequisites**. To configure the data connector, fulfill all the prerequisites.
5456
1. Follow the steps outlined in the **Configurations** section.
5557
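Review bot: the `---` added at new line 53 is the terminator for the Azure portal / Defender portal tab group that the image at line 51 sits in; confirm that the matching `#### [...](#tab/...)` headings that open the group appear earlier in this section, because without a terminator the steps that follow (`1. Review the **Prerequisites**` and `1. Follow the steps outlined in the **Configurations** section`) would render only under the last tab instead of under both. Keep the blank lines on either side of it (52 and 54): `---` directly under the image line would be parsed as a setext heading underline rather than the tab terminator.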

@@ -61,6 +63,22 @@ After you or someone in your organization installs the solution that includes th
6163

6264
:::image type="content" source="media/configure-data-connector/connected-data-connector.png" alt-text="Screenshot of a data connector page with status connected and graph that shows the data received.":::
6365

66+
## Find your data
67+
68+
After you enable the connector successfully, the connector begins to stream data to the table schemas related to the data types you configurated.
69+
70+
To view the data:
71+
72+
#### [Azure portal](#tab/azure-portal-1)
73+
74+
Query the tables in the Microsoft Sentinel workspace linked to your Microsoft Sentinel workspace.
75+
76+
#### [Defender portal](#tab/defender-portal-1)
77+
78+
See [Where to find your Microsoft Sentinel data in Microsoft Defender portal](/defender-xdr/advanced-hunting-microsoft-defender#where-to-find-your-microsoft-sentinel-data).
79+
80+
---
81+
6482
## Find support for a data connector
6583

6684
Both Microsoft and other organizations author Microsoft Sentinel data connectors. Find the support contact from data connector page in Microsoft Sentinel.
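Review bot: new line 74, `Query the tables in the Microsoft Sentinel workspace linked to your Microsoft Sentinel workspace.`, is circular; it should say the Log Analytics workspace linked to your Microsoft Sentinel workspace, which is the wording the other file in this PR uses for the same point. Line 68 has a typo: `configurated` should be `configured`. The tab anchors `#tab/azure-portal-1` and `#tab/defender-portal-1` must be unique within the article, so check they do not collide with the IDs used by the tab group earlier on the page. Finally, the Azure portal tab names no table at all; since this section is now the shared landing point for every connector article, consider telling the reader to use the table names listed in the connector's own data-types table, otherwise an analyst has no way to verify that the expected tables actually populated.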

articles/sentinel/connect-azure-active-directory.md

Lines changed: 30 additions & 40 deletions
@@ -1,34 +1,41 @@
11
---
2-
title: Connect Microsoft Entra data to Microsoft Sentinel | Microsoft Docs
2+
title: Send Microsoft Entra ID data to Microsoft Sentinel
33
description: Learn how to collect data from Microsoft Entra ID, and stream Microsoft Entra sign-in, audit, and provisioning logs into Microsoft Sentinel.
4-
author: yelevin
4+
author: guywi-ms
55
ms.topic: how-to
6-
ms.date: 05/13/2024
7-
ms.author: yelevin
6+
ms.date: 03/16/2025
7+
ms.author: guywild
88

99

1010
#Customer intent: As a security engineer, I want to stream Microsoft Entra logs into Microsoft Sentinel so that analysts can monitor and analyze sign-in activities, audit logs, and provisioning logs for enhanced security and threat detection.
1111

1212
---
1313

14-
# Connect Microsoft Entra data to Microsoft Sentinel
14+
# Send data to Microsoft Sentinel using the Microsoft Entra ID data connector
1515

16-
You can use Microsoft Sentinel's built-in connector to collect data from [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) and stream it into Microsoft Sentinel. The connector allows you to stream the following log types:
16+
[Microsoft Entra ID](/entra/fundamentals/what-is-entra) logs provide comprehensive information about users, applications, and networks accessing your Entra tenant. This article explains the types of logs you can collect using the Microsoft Entra ID data connector, how to enable the connector to send data to Microsoft Sentinel, and how to find your data in Microsoft Sentinel.
1717

18-
- [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md), which contain information about interactive user sign-ins where a user provides an authentication factor.
18+
## Microsoft Entra ID data connector data types
1919

20-
The Microsoft Entra connector now includes the following three additional categories of sign-in logs, all currently in **PREVIEW**:
21-
22-
- [**Non-interactive user sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#non-interactive-user-sign-ins), which contain information about sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user.
23-
24-
- [**Service principal sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#service-principal-sign-ins), which contain information about sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.
25-
26-
- [**Managed Identity sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#managed-identity-for-azure-resources-sign-ins), which contain information about sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)
20+
This table lists the logs you can send from Microsoft Entra ID to Microsoft Sentinel using the Microsoft Entra ID data connector. Sentinel stores these logs in the Log Analytics workspace linked to your Microsoft Sentinel workspace.
2721

28-
- [**Audit logs**](../active-directory/reports-monitoring/concept-audit-logs.md), which contain information about system activity relating to user and group management, managed applications, and directory activities.
29-
30-
- [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) (also in **PREVIEW**), which contain system activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service.
31-
- [**Microsoft Graph activity logs**](/graph/microsoft-graph-activity-logs-overview), which contain information about HTTP requests accessing your tenant’s resources through the Microsoft Graph API.
22+
| **Log type** | **Description** | **Log schema** |
23+
|--------------|-----------------------------------|----------------|
24+
| [**Audit logs**](../active-directory/reports-monitoring/concept-audit-logs.md) | System activity related to user and group management, managed applications, and directory activities. | [AuditLogs](/azure/azure-monitor/reference/tables/auditlogs) |
25+
| [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md) | Interactive user sign-ins where a user provides an authentication factor. | [SigninLogs](/azure/azure-monitor/reference/tables/signinlogs) |
26+
| [**Non-interactive user sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#non-interactive-user-sign-ins) (**Preview**) | Sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user. | [AADNonInteractiveUserSignInLogs](/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs) |
27+
| [**Service principal sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#service-principal-sign-ins) (**Preview**) | Sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources. | [AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) |
28+
| [**Managed Identity sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#managed-identity-for-azure-resources-sign-ins) (**Preview**) | Sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). | [AADManagedIdentitySignInLogs](/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) |
29+
| [**AD FS sign-in logs**](/entra/identity/monitoring-health/concept-usage-insights-report#ad-fs-application-activity) | Sign-ins performed through Active Directory Federation Services (AD FS). | [ADFSSignInLogs](/azure/azure-monitor/reference/tables/adfssigninlogs) |
30+
| [**Enriched Office 365 audit logs**](/entra/global-secure-access/how-to-view-enriched-logs) | Security events related to Microsoft 365 apps. | [EnrichedOffice365AuditLogs](/azure/azure-monitor/reference/tables/enrichedmicrosoft365auditlogs) |
31+
| [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) (**Preview**) | System activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service. | [AADProvisioningLogs](/azure/azure-monitor/reference/tables/aadprovisioninglogs) |
32+
| [**Microsoft Graph activity logs**](/graph/microsoft-graph-activity-logs-overview)| HTTP requests accessing your tenant’s resources through the Microsoft Graph API. | [MicrosoftGraphActivityLogs](/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs) |
33+
| [**Network access traffic logs**](/entra/global-secure-access/how-to-view-traffic-logs) | Network access traffic and activities. | [NetworkAccessTraffic](/azure/azure-monitor/reference/tables/networkaccesstraffic) |
34+
| [**Remote network health logs**](/entra/global-secure-access/how-to-remote-network-health-logs?tabs=microsoft-entra-admin-center) | Insights into the health of remote networks. | [RemoteNetworkHealthLogs](/azure/azure-monitor/reference/tables/remotenetworkhealthlogs) |
35+
| [**User risk events**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | User risk events generated by Microsoft Entra ID Protection. | [AADUserRiskEvents](/azure/azure-monitor/reference/tables/aaduserriskevents) |
36+
| [**Risky users**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-rport) | Risky users logged by Microsoft Entra ID Protection. | [AADRiskyUsers](/azure/azure-monitor/reference/tables/aadriskyusers) |
37+
| [**Risky service principals**](/entra/id-protection/howto-identity-protection-investigate-risk?branh=main#risk-detections-report) | Information about service principals flagged as risky by Microsoft Entra ID Protection. | [AADRiskyServicePrincipals](/azure/azure-monitor/reference/tables/aadriskyserviceprincipals) |
38+
| [**Service principal risk events**](/entra/id-protection/howto-identity-protection-investigate-risk#risy-users-report) | Risk detections associated with service principals logged by Microsoft Entra ID Protection. | [AADServicePrincipalRiskEvents](/azure/azure-monitor/reference/tables/aadserviceprincipalriskevents) |
3239

3340
> [!IMPORTANT]
3441
> Some of the available log types are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
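Review bot: several links in the new table carry broken or leftover anchors and should be fixed before merge: line 36 `#risky-users-rport`, line 38 `#risy-users-report`, line 37 `?branh=main`, and line 35 `?branch=main` (a branch query parameter that should not ship in published docs). Lines 37 and 38 also look swapped: **Risky service principals** points at `#risk-detections-report` while **Service principal risk events** points at the (misspelled) risky-users anchor. On line 30 the displayed schema name `EnrichedOffice365AuditLogs` and the reference slug `enrichedmicrosoft365auditlogs` disagree; confirm which is the real table name, since analysts will copy the displayed name into queries. Line 32 names the Graph activity table `MicrosoftGraphActivityLogs`, where the old "Find your data" list in this article said `MSGraphActivityLogs`; the new name is the correct one, but the rename is worth calling out in the PR description because saved queries and analytics rules written against the old name will return nothing.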
@@ -37,40 +44,23 @@ You can use Microsoft Sentinel's built-in connector to collect data from [Micros
3744

3845
## Prerequisites
3946

40-
- A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Other per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.
47+
- A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Other per-gigabyte charges might apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.
4148

4249
- Your user must be assigned the [Microsoft Sentinel Contributor](../role-based-access-control/built-in-roles.md#microsoft-sentinel-contributor) role on the workspace.
4350

4451
- Your user must have the [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) role on the tenant you want to stream the logs from, or the equivalent permissions.
4552

4653
- Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status.
47-
- Install the solution for **Microsoft Entra ID** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
4854

4955
<a name='connect-to-azure-active-directory'></a>
5056

51-
## Connect to Microsoft Entra ID
52-
53-
1. In Microsoft Sentinel, select **Data connectors** from the navigation menu.
54-
55-
1. From the data connectors gallery, select **Microsoft Entra ID** and then select **Open connector page**.
56-
57-
1. Mark the check boxes next to the log types you want to stream into Microsoft Sentinel, and select **Connect**.
58-
59-
## Find your data
60-
61-
After a successful connection is established, the data appears in **Logs**, under the **LogManagement** section, in the following tables:
57+
## Enable the Microsoft Entra ID data connector
6258

63-
- `SigninLogs`
64-
- `AuditLogs`
65-
- `AADNonInteractiveUserSignInLogs`
66-
- `AADServicePrincipalSignInLogs`
67-
- `AADManagedIdentitySignInLogs`
68-
- `AADProvisioningLogs`
69-
- `MSGraphActivityLogs`
59+
Search for and enable the **Microsoft Entra ID** connector as described in [Enable a data connector](configure-data-connector.md#enable-a-data-connector).
7060

71-
To query the Microsoft Entra logs, enter the relevant table name at the top of the query window.
61+
## Install the Microsoft Entra ID solution (optional)
7262

73-
If an expected table is not available, verify the log categories are selected for your Microsoft Sentinel workspace in Microsoft Entra diagnostic settings. For more informatoin, see [Configure Microsoft Entra diagnostic settings for activity logs](/entra/identity/monitoring-health/howto-configure-diagnostic-settings).
63+
Install the solution for **Microsoft Entra ID** from the **Content Hub** in Microsoft Sentinel to get prebuilt workbooks, analytics rules, playbooks, and more. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
7464

7565
## Next steps
7666
In this document, you learned how to connect Microsoft Entra ID to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles:
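Review bot: deleting old line 73 drops the only troubleshooting guidance in the article: if an expected table does not appear, verify that the log categories are selected for the workspace in Microsoft Entra diagnostic settings, with the link to `howto-configure-diagnostic-settings`. Neither the new "Enable the Microsoft Entra ID data connector" section here nor the "Find your data" section added to `configure-data-connector.md` in this PR carries it, and an unselected diagnostic-settings category fails silently, meaning no sign-in or audit telemetry reaches detections while the connector still shows as connected. Restore that paragraph under "Enable the Microsoft Entra ID data connector" or in the shared "Find your data" section. Second, old line 47 listed installing the solution as a prerequisite, while new line 61 makes it optional, yet the procedure this page now links to in `configure-data-connector.md` opens with "After you or someone in your organization installs the solution that includes the ..."; the two pages should agree on whether the solution must be installed before the connector can be enabled. The `may` to `might` change on line 47 is style only.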
