Update connect-azure-active-directory.md

guywi-ms · guywi-ms · commit 9939949ec4e7 · 2025-03-17T10:25:24.000+02:00
diff --git a/articles/sentinel/connect-azure-active-directory.md b/articles/sentinel/connect-azure-active-directory.md
@@ -17,25 +17,25 @@ ms.author: guywild
 
 ## Microsoft Entra ID data connector data types
 
-This table lists the log you can send from Microsoft Entra ID to Microsoft Sentinel using the Microsoft Entra ID data connector. Sentinel stores these logs in the Log Analytics workspace linked to your Microsoft Sentinel workspace.
-
-| **Log type** | **Information contained in logs** | **Log schema** |
-|--------------|-----------------------------------|----------------|
-| [**Audit logs**](../active-directory/reports-monitoring/concept-audit-logs.md) | System activity related to user and group management, managed applications, and directory activities. | [AuditLogs](/azure/azure-monitor/reference/tables/auditlogs) |
-| [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md) | Interactive user sign-ins where a user provides an authentication factor. | [SigninLogs](/azure/azure-monitor/reference/tables/signinlogs) |
-| [**Non-interactive user sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#non-interactive-user-sign-ins) | Sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user. | [AADNonInteractiveUserSignInLogs](/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs) |
-| [**Service principal sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#service-principal-sign-ins) | Sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources. | [AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) |
-| [**Managed Identity sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#managed-identity-for-azure-resources-sign-ins) | Sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). | [AADManagedIdentitySignInLogs](/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) |
-| [**AD FS sign-in logs**](/entra/identity/monitoring-health/concept-usage-insights-report#ad-fs-application-activity) | Sign-ins performed through Active Directory Federation Services (AD FS). | [ADFSSignInLogs](/azure/azure-monitor/reference/tables/adfssigninlogs) |
-| [**Enriched Office 365 audit logs**](/entra/global-secure-access/how-to-view-enriched-logs) | Security events related to Microsoft 365 apps. | [EnrichedOffice365AuditLogs](/azure/azure-monitor/reference/tables/enrichedmicrosoft365auditlogs) |
-| [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) | System activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service. (**PREVIEW**) | [AADProvisioningLogs](/azure/azure-monitor/reference/tables/aadprovisioninglogs) |
-| [**Microsoft Graph activity logs**](/graph/microsoft-graph-activity-logs-overview) | HTTP requests accessing your tenant’s resources through the Microsoft Graph API. | [MicrosoftGraphActivityLogs](/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs) |
-| [**Network access traffic logs**](/entra/global-secure-access/how-to-view-traffic-logs) | Network access traffic and activities. | [NetworkAccessTraffic](/azure/azure-monitor/reference/tables/networkaccesstraffic) |
-| [**Remote network health logs**](/entra/global-secure-access/how-to-remote-network-health-logs?tabs=microsoft-entra-admin-center) | Insights into the health of remote networks. | [RemoteNetworkHealthLogs](/azure/azure-monitor/reference/tables/remotenetworkhealthlogs) |
-| [**User risk events**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | User risk events generated by Microsoft Entra ID Protection. | [AADUserRiskEvents](/azure/azure-monitor/reference/tables/aaduserriskevents) |
-| [**Risky users**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risky users logged by Microsoft Entra ID Protection. | [AADRiskyUsers](/azure/azure-monitor/reference/tables/aadriskyusers) |
-| [**Risky service principals**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | Information about service principals flagged as risky by Microsoft Entra ID Protection. | [AADRiskyServicePrincipals](/azure/azure-monitor/reference/tables/aadriskyserviceprincipals) |
-| [**Service principal risk events**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risk detections associated with service principals logged by Microsoft Entra ID Protection. | [AADServicePrincipalRiskEvents](/azure/azure-monitor/reference/tables/aadserviceprincipalriskevents) |
+This table lists the logs you can send from Microsoft Entra ID to Microsoft Sentinel using the Microsoft Entra ID data connector. Sentinel stores these logs in the Log Analytics workspace linked to your Microsoft Sentinel workspace.
+
+| **Log type** | **Log description** | **Log schema** | **Supports Basic and Auxiliary plans?** |
+|--------------|-----------------------------------|----------------|----------------------------------------|
+| [**Audit logs**](../active-directory/reports-monitoring/concept-audit-logs.md) | System activity related to user and group management, managed applications, and directory activities. | [AuditLogs](/azure/azure-monitor/reference/tables/auditlogs) | ✅ |
+| [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md) | Interactive user sign-ins where a user provides an authentication factor. | [SigninLogs](/azure/azure-monitor/reference/tables/signinlogs) | ✅ |
+| [**Non-interactive user sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#non-interactive-user-sign-ins) | Sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user. | [AADNonInteractiveUserSignInLogs](/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs) | ✅ |
+| [**Service principal sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#service-principal-sign-ins) | Sign-ins by apps and service principals that don't involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources. | [AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs) | ✅ |
+| [**Managed Identity sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#managed-identity-for-azure-resources-sign-ins) | Sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). | [AADManagedIdentitySignInLogs](/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs) | ✅ |
+| [**AD FS sign-in logs**](/entra/identity/monitoring-health/concept-usage-insights-report#ad-fs-application-activity) | Sign-ins performed through Active Directory Federation Services (AD FS). | [ADFSSignInLogs](/azure/azure-monitor/reference/tables/adfssigninlogs) |  |
+| [**Enriched Office 365 audit logs**](/entra/global-secure-access/how-to-view-enriched-logs) | Security events related to Microsoft 365 apps. | [EnrichedOffice365AuditLogs](/azure/azure-monitor/reference/tables/enrichedmicrosoft365auditlogs) |  |
+| [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) | System activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service. (**PREVIEW**) | [AADProvisioningLogs](/azure/azure-monitor/reference/tables/aadprovisioninglogs) | ✅ |
+| [**Microsoft Graph activity logs**](/graph/microsoft-graph-activity-logs-overview) | HTTP requests accessing your tenant’s resources through the Microsoft Graph API. | [MicrosoftGraphActivityLogs](/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs) | ✅ |
+| [**Network access traffic logs**](/entra/global-secure-access/how-to-view-traffic-logs) | Network access traffic and activities. | [NetworkAccessTraffic](/azure/azure-monitor/reference/tables/networkaccesstraffic) |  |
+| [**Remote network health logs**](/entra/global-secure-access/how-to-remote-network-health-logs?tabs=microsoft-entra-admin-center) | Insights into the health of remote networks. | [RemoteNetworkHealthLogs](/azure/azure-monitor/reference/tables/remotenetworkhealthlogs) |  |
+| [**User risk events**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | User risk events generated by Microsoft Entra ID Protection. | [AADUserRiskEvents](/azure/azure-monitor/reference/tables/aaduserriskevents) | ✅ |
+| [**Risky users**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risky users logged by Microsoft Entra ID Protection. | [AADRiskyUsers](/azure/azure-monitor/reference/tables/aadriskyusers) | ✅ |
+| [**Risky service principals**](/entra/id-protection/howto-identity-protection-investigate-risk?branch=main#risk-detections-report) | Information about service principals flagged as risky by Microsoft Entra ID Protection. | [AADRiskyServicePrincipals](/azure/azure-monitor/reference/tables/aadriskyserviceprincipals) | ✅ |
+| [**Service principal risk events**](/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report) | Risk detections associated with service principals logged by Microsoft Entra ID Protection. | [AADServicePrincipalRiskEvents](/azure/azure-monitor/reference/tables/aadserviceprincipalriskevents) | ✅ |
 
 > [!IMPORTANT]
 > Some of the available log types are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
@@ -51,15 +51,14 @@ This table lists the log you can send from Microsoft Entra ID to Microsoft Senti
 - Your user must have the [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) role on the tenant you want to stream the logs from, or the equivalent permissions.
 
 - Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status.
-- Install the solution for **Microsoft Entra ID** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
 
 <a name='connect-to-azure-active-directory'></a>
 
 ## Install the Microsoft Entra ID data connector
 
 To install the Microsoft Entra ID data connector, search for and enable **Microsoft Entra ID** as described in [Enable a data connector](configure-data-connector.md#enable-a-data-connector).
 
-## Query your data
+## Use your data
 
 After a successful connection is established, the data appears in **Logs**, under the **LogManagement** section, in the following tables:
 
