Update connect-azure-active-directory.md

guywi-ms · guywi-ms · commit 9136f3b17c30 · 2025-03-17T10:37:23.000+02:00
diff --git a/articles/sentinel/connect-azure-active-directory.md b/articles/sentinel/connect-azure-active-directory.md
@@ -19,23 +19,23 @@ ms.author: guywild
 
 This table lists the logs you can send from Microsoft Entra ID to Microsoft Sentinel using the Microsoft Entra ID data connector. Sentinel stores these logs in the Log Analytics workspace linked to your Microsoft Sentinel workspace.
 
-| **Log type** | **Log description** | **Log schema** | **Supports Basic and Auxiliary plans?** |
-|--------------|-----------------------------------|----------------|----------------------------------------|
-| [**Audit logs**](../active-directory/reports-monitoring/concept-audit-logs.md) | System activity related to user and group management, managed applications, and directory activities. | [AuditLogs](/azure/azure-monitor/reference/tables/auditlogs) |  |
-| [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md) | Interactive user sign-ins where a user provides an authentication factor. | [SigninLogs](/azure/azure-monitor/reference/tables/signinlogs) | ✅ |
-| [**Non-interactive user sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#non-interactive-user-sign-ins) | Sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user. | [AADNonInteractiveUserSignInLogs](/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs) | ✅ |
-| [**Service principal sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#service-principal-sign-ins) | Sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources. | [AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) | ✅ |
-| [**Managed Identity sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#managed-identity-for-azure-resources-sign-ins) | Sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). | [AADManagedIdentitySignInLogs](/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) | ✅ |
-| [**AD FS sign-in logs**](/entra/identity/monitoring-health/concept-usage-insights-report#ad-fs-application-activity) | Sign-ins performed through Active Directory Federation Services (AD FS). | [ADFSSignInLogs](/azure/azure-monitor/reference/tables/adfssigninlogs) | ✅ |
-| [**Enriched Office 365 audit logs**](/entra/global-secure-access/how-to-view-enriched-logs) | Security events related to Microsoft 365 apps. | [EnrichedOffice365AuditLogs](/azure/azure-monitor/reference/tables/enrichedmicrosoft365auditlogs) |  |
-| [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) | System activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service. (**PREVIEW**) | [AADProvisioningLogs](/azure/azure-monitor/reference/tables/aadprovisioninglogs) |  |
-| [**Microsoft Graph activity logs**](/graph/microsoft-graph-activity-logs-overview) | HTTP requests accessing your tenant’s resources through the Microsoft Graph API. | [MicrosoftGraphActivityLogs](/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs) | ✅ |
-| [**Network access traffic logs**](/entra/global-secure-access/how-to-view-traffic-logs) | Network access traffic and activities. | [NetworkAccessTraffic](/azure/azure-monitor/reference/tables/networkaccesstraffic) |  |
-| [**Remote network health logs**](/entra/global-secure-access/how-to-remote-network-health-logs?tabs=microsoft-entra-admin-center) | Insights into the health of remote networks. | [RemoteNetworkHealthLogs](/azure/azure-monitor/reference/tables/remotenetworkhealthlogs) |  |
-| [**User risk events**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | User risk events generated by Microsoft Entra ID Protection. | [AADUserRiskEvents](/azure/azure-monitor/reference/tables/aaduserriskevents) |  |
-| [**Risky users**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risky users logged by Microsoft Entra ID Protection. | [AADRiskyUsers](/azure/azure-monitor/reference/tables/aadriskyusers) |  |
-| [**Risky service principals**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | Information about service principals flagged as risky by Microsoft Entra ID Protection. | [AADRiskyServicePrincipals](/azure/azure-monitor/reference/tables/aadriskyserviceprincipals) |  |
-| [**Service principal risk events**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risk detections associated with service principals logged by Microsoft Entra ID Protection. | [AADServicePrincipalRiskEvents](/azure/azure-monitor/reference/tables/aadserviceprincipalriskevents) |  |
+| **Log type** | **Log description** | **Log schema** |
+|--------------|-----------------------------------|----------------|
+| [**Audit logs**](../active-directory/reports-monitoring/concept-audit-logs.md) | System activity related to user and group management, managed applications, and directory activities. | [AuditLogs](/azure/azure-monitor/reference/tables/auditlogs) |
+| [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md) | Interactive user sign-ins where a user provides an authentication factor. | [SigninLogs](/azure/azure-monitor/reference/tables/signinlogs) |
+| [**Non-interactive user sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#non-interactive-user-sign-ins) | Sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user. | [AADNonInteractiveUserSignInLogs](/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs) |
+| [**Service principal sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#service-principal-sign-ins) | Sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources. | [AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) |
+| [**Managed Identity sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#managed-identity-for-azure-resources-sign-ins) | Sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). | [AADManagedIdentitySignInLogs](/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) |
+| [**AD FS sign-in logs**](/entra/identity/monitoring-health/concept-usage-insights-report#ad-fs-application-activity) | Sign-ins performed through Active Directory Federation Services (AD FS). | [ADFSSignInLogs](/azure/azure-monitor/reference/tables/adfssigninlogs) |
+| [**Enriched Office 365 audit logs**](/entra/global-secure-access/how-to-view-enriched-logs) | Security events related to Microsoft 365 apps. | [EnrichedOffice365AuditLogs](/azure/azure-monitor/reference/tables/enrichedmicrosoft365auditlogs) |
+| [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) | System activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service. (**PREVIEW**) | [AADProvisioningLogs](/azure/azure-monitor/reference/tables/aadprovisioninglogs) |
+| [**Microsoft Graph activity logs**](/graph/microsoft-graph-activity-logs-overview) | HTTP requests accessing your tenant’s resources through the Microsoft Graph API. | [MicrosoftGraphActivityLogs](/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs) |
+| [**Network access traffic logs**](/entra/global-secure-access/how-to-view-traffic-logs) | Network access traffic and activities. | [NetworkAccessTraffic](/azure/azure-monitor/reference/tables/networkaccesstraffic) |
+| [**Remote network health logs**](/entra/global-secure-access/how-to-remote-network-health-logs?tabs=microsoft-entra-admin-center) | Insights into the health of remote networks. | [RemoteNetworkHealthLogs](/azure/azure-monitor/reference/tables/remotenetworkhealthlogs) |
+| [**User risk events**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | User risk events generated by Microsoft Entra ID Protection. | [AADUserRiskEvents](/azure/azure-monitor/reference/tables/aaduserriskevents) |
+| [**Risky users**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risky users logged by Microsoft Entra ID Protection. | [AADRiskyUsers](/azure/azure-monitor/reference/tables/aadriskyusers) |
+| [**Risky service principals**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | Information about service principals flagged as risky by Microsoft Entra ID Protection. | [AADRiskyServicePrincipals](/azure/azure-monitor/reference/tables/aadriskyserviceprincipals) |
+| [**Service principal risk events**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risk detections associated with service principals logged by Microsoft Entra ID Protection. | [AADServicePrincipalRiskEvents](/azure/azure-monitor/reference/tables/aadserviceprincipalriskevents) |
 
 > [!IMPORTANT]
 > Some of the available log types are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
