Unit 4: Exercise – Connect data from Microsoft Entra ID to Microsoft Sentinel
This unit focuses on connecting Microsoft Entra ID logs to Microsoft Sentinel so that identity-related security events can be monitored, correlated, and investigated centrally.
What is Microsoft Sentinel?
Microsoft Sentinel is a cloud-native security solution that combines:
- SIEM (Security Information and Event Management)
  - Collects, aggregates, and analyzes security data.
- SOAR (Security Orchestration, Automation, and Response)
  - Automates responses to security incidents.
Why Microsoft Sentinel matters for identity monitoring
Microsoft Sentinel provides a centralized, real-time security view across the enterprise by enabling you to:
- Collect data at cloud scale across:
  - Users.
  - Devices.
  - Applications.
  - Infrastructure (on-premises and multi-cloud).
- Detect threats using:
  - Built-in analytics.
  - Microsoft threat intelligence.
- Investigate incidents using:
  - AI-driven analysis.
  - Advanced hunting queries.
- Respond faster using:
  - Automation.
  - Playbooks for common remediation tasks.
When Microsoft Entra ID logs are streamed into Sentinel, identity activity becomes a first-class security signal.
Prerequisites
Before connecting Microsoft Entra ID to Microsoft Sentinel, ensure the following requirements are met.
Licensing requirements
- Microsoft Entra ID P1 or P2
  - Required to ingest sign-in logs into Sentinel.
- Any Microsoft Entra ID license (Free / O365 / P1 / P2)
  - Sufficient to ingest audit logs.
- Additional costs
  - Azure Monitor (Log Analytics) and Microsoft Sentinel incur per-GB ingestion charges.
Required roles
Your account must have:
- Microsoft Sentinel Contributor
  - On the Log Analytics workspace.
- Security Administrator
  - On the Microsoft Entra tenant.
- Read and write permissions
  - On Microsoft Entra diagnostic settings (to configure log streaming).
Step 1: Create and add a Microsoft Sentinel workspace
If you do not already have a Log Analytics workspace connected to Sentinel, create one.
Create a new workspace
- Sign in to the Azure portal as a tenant administrator.
- Search for and select Microsoft Sentinel.
- On the Microsoft Sentinel workspaces page, select + Add.
- In Add Microsoft Sentinel to a workspace, select Create a new workspace.
Configure the Log Analytics workspace
Use the following settings:
| Setting | Value |
|---|---|
| Subscription | Your current subscription |
| Resource group | Existing or new resource group |
| Name | Lab-workspace-<yourinitials>-<date> (must be globally unique) |
| Pricing tier | Pay-as-you-go |
- Select Review + Create, then Create.
- After deployment completes, select the workspace.
- Select Add to attach the workspace to Microsoft Sentinel.
Step 2: Connect Microsoft Entra ID to Microsoft Sentinel
Microsoft Sentinel includes a built-in data connector for Microsoft Entra ID.
Open the Entra ID data connector
- In Microsoft Sentinel, select Data connectors from the left navigation.
- From the list, select Microsoft Entra ID.
- Select Open connector page.
Step 3: Configure log ingestion
The Microsoft Entra ID connector allows you to stream identity logs directly into Sentinel.
Select logs to collect
- Under Configuration, select the following checkboxes:
  - Microsoft Entra Sign-in logs
  - Microsoft Entra Audit logs
- Select Apply changes.
These logs are now streamed continuously into the Log Analytics workspace.
Step 4: Validate the connection
- Close the Microsoft Entra ID connector page.
- Return to Microsoft Sentinel → Data connectors.
- Confirm that the Microsoft Entra ID connector shows as Connected.
At this point, the following are all available for querying, alerting, and investigation in Sentinel:
- Sign-in activity.
- Audit events.
- Identity governance changes.
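Two KQL queries to run in the workspace's Logs blade, as an added example that is not part of the original exercise: the first checks that both tables selected in Step 3 are actually receiving events (the connector can show Connected before the first rows land), the second summarises the Conditional Access outcomes described below. Table and column names are the standard ones the Entra ID connector writes; `isfuzzy=true` is assumed so the union does not fail while one table has not yet been created by its first event.

```kusto
// Added example, not from the original exercise. Run each query separately.

// 1. Ingestion check: events per table in the last hour and the newest timestamp.
//    An empty result for a table means nothing has arrived yet; allow a few
//    minutes after "Apply changes" before treating that as a problem.
union isfuzzy=true SigninLogs, AuditLogs
| where TimeGenerated > ago(1h)
| summarize Events = count(), LastSeen = max(TimeGenerated) by Type

// 2. Conditional Access outcomes from the sign-in stream over the last 24 hours.
//    ResultType "0" is a successful sign-in; any other value is an error code.
SigninLogs
| where TimeGenerated > ago(24h)
| summarize SignIns = count() by ConditionalAccessStatus, ResultType
| order by SignIns desc
```

If query 1 returns rows only for AuditLogs, check the licensing requirement above: sign-in log ingestion needs P1 or P2.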
What data is now available in Sentinel?
Once connected, Microsoft Sentinel can analyze:
- Interactive sign-in activity.
- Conditional Access outcomes.
- Administrative changes.
- Role assignments and removals.
- Identity governance events.
This data can be used in:
- Analytics rules.
- Workbooks.
- Hunting queries.
- Incident investigations.
Exam-focused summary (Unit 4)
- Microsoft Sentinel is a cloud-native SIEM + SOAR.
- Microsoft Entra ID logs provide identity security signals.
- P1 or P2 is required for sign-in log ingestion.
- Audit logs require any Entra license.
- Logs flow via:
  - Microsoft Entra ID data connector.
- Logs are stored in:
  - Log Analytics workspace.
- Roles required:
  - Sentinel Contributor.
  - Security Administrator.