Azure Active Directory Connector for Microsoft Sentinel

In my post about “First steps setting up Microsoft Sentinel” we prepared our Microsoft Sentinel environment so that it can be used with different connectors. Now we want to configure our first connector to get data from Azure Active Directory (AAD).

1. We start in the Microsoft Sentinel blade and navigate to “Data connectors”. From there we search for “Azure Active Directory” and select the connector. A new blade opens on the right side. Click on “Open connector page”!

On the connector blade for Azure Active Directory we first see whether workbooks, queries and analytic rule templates are available. We also see how much data has been received and which data types are connected.

2. In the configuration pane we can choose which logs should be collected. Because we don’t want to miss any information, we select every checkbox and click “Apply Changes”.

3. If the setup was successful, the diagnostic settings in Azure AD will be updated with our chosen settings.

4. Click on “Edit setting” to check the settings!

5. On the left side, every log that we selected in the configuration pane should be checked. The right side shows the Log Analytics workspace that the data is forwarded to.
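The check from steps 4 and 5 can also be scripted. The following is an added example, not part of the original post: it assumes the Azure AD diagnostic settings were exported as JSON in the shape the Azure management API returns for `microsoft.aadiam/diagnosticSettings`. The function name, the sample setting, the workspace ID and the category list are constructed for illustration.

```python
# Constructed sample (all values made up), shaped like an export of the
# Azure AD diagnostic settings (microsoft.aadiam/diagnosticSettings).
WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel")
SAMPLE = {"value": [{
    "name": "sentinel-aad",
    "properties": {
        "workspaceId": WORKSPACE,
        "logs": [
            {"category": "SignInLogs", "enabled": True},
            {"category": "AuditLogs", "enabled": True},
            {"category": "NonInteractiveUserSignInLogs", "enabled": False},
            {"category": "ServicePrincipalSignInLogs", "enabled": True},
        ],
    },
}]}


def audit_settings(response, expected_categories, expected_workspace):
    """Return a list of findings; an empty list means steps 4 and 5 check out."""
    target = expected_workspace.lower()  # Azure resource IDs are case-insensitive
    # Step 5, right side: only settings that forward to our workspace count.
    matching = [s for s in response.get("value", [])
                if (s.get("properties", {}).get("workspaceId") or "").lower() == target]
    if not matching:
        return ["no diagnostic setting forwards to " + expected_workspace]
    # Step 5, left side: collect every category that is actually enabled.
    enabled = set()
    for setting in matching:
        for log in setting["properties"].get("logs", []):
            if log.get("enabled"):
                enabled.add(log.get("category", "").lower())
    return ["category not enabled: " + c
            for c in expected_categories if c.lower() not in enabled]


if __name__ == "__main__":
    chosen = ["SignInLogs", "AuditLogs",
              "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs"]
    for finding in audit_settings(SAMPLE, chosen, WORKSPACE) or ["all chosen logs are forwarded"]:
        print(finding)
```

A log category that was selected in the connector but shows up here as not enabled is a collection gap: those events never reach the workspace, so analytic rules built on them stay silent.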

That’s it! This is an easy way to set up connectors that are directly integrated into Microsoft Sentinel. Microsoft takes care of creating and configuring the needed settings. In later articles we will go through the configuration of more complex connectors.

