howto-integrate-activity-logs-with-azure-monitor-logs.yml
### YamlMime:HowTo
---
metadata:
title: Integrate Microsoft Entra logs with Azure Monitor logs
description: Learn how to integrate Microsoft Entra activity logs with Azure Monitor logs for querying and analysis.
author: shlipsey3
ms.author: sarahlipsey
manager: amycolannino
ms.reviewer: egreenberg
ms.date: 01/26/2024
ms.service: entra-id
ms.subservice: monitoring-health
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
# Customer intent: As an IT admin, I want to learn how to integrate Microsoft Entra activity logs with Azure Monitor logs so that I can query and analyze the data.
title: |
Integrate Microsoft Entra logs with Azure Monitor logs
introduction: |
Using **diagnostic settings** in Microsoft Entra ID, you can integrate logs with Azure Monitor so your sign-in activity and the audit trail of changes within your tenant can be analyzed along with other Azure data.
This article provides the steps to integrate Microsoft Entra logs with Azure Monitor.
Use the integration of Microsoft Entra activity logs and Azure Monitor to perform the following tasks:
- Compare your Microsoft Entra sign-in logs against security logs published by Microsoft Defender for Cloud.
- Troubleshoot performance bottlenecks on your application’s sign-in page by correlating application performance data from Azure Application Insights.
- Analyze the Identity Protection risky users and risk detections logs to detect threats in your environment.
- Identify sign-ins from applications still using the Active Directory Authentication Library (ADAL) for authentication. [Learn about the ADAL end-of-support plan.](../../identity-platform/msal-migration.md)
> [!NOTE]
> Integrating Microsoft Entra logs with Azure Monitor automatically enables the Microsoft Entra data connector within Microsoft Sentinel.
prerequisites:
summary: |
To use this feature, you need:
dependencies:
- |
An Azure subscription. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/).
- |
A Microsoft Entra ID P1 or P2 tenant.
- |
**Global Administrator** or **Security Administrator** access for the Microsoft Entra tenant.
- |
A **Log Analytics workspace** in your Azure subscription. Learn how to [create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
- |
Permission to access data in a Log Analytics workspace. See [Manage access to log data and workspaces in Azure Monitor](/azure/azure-monitor/logs/manage-access) for information on the different permission options and how to configure permissions.
procedureSection:
- title: |
Create a Log Analytics workspace
summary: |
A Log Analytics workspace allows you to collect data based on a variety of requirements, such as geographic location of the data, subscription boundaries, or access to resources. Learn how to [create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
Looking for how to set up a Log Analytics workspace for Azure resources outside of Microsoft Entra ID? Check out the [Collect and view resource logs for Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings) article.
## Send logs to Azure Monitor
Use the following steps to send logs from Microsoft Entra ID to Azure Monitor logs.
> [!TIP]
> Steps in this article might vary slightly based on the portal you start from.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
- |
Browse to **Identity** > **Monitoring & health** > **Diagnostic settings**. You can also select **Export Settings** from either the **Audit Logs** or **Sign-ins** page.
- |
Select **+ Add diagnostic setting** to create a new integration or select **Edit setting** for an existing integration.
- |
Enter a **Diagnostic setting name**. If you're editing an existing integration, you can't change the name.
- |
Select the log categories that you want to stream.
- |
Under **Destination Details**, select the **Send to Log Analytics workspace** check box.
- |
Select the appropriate **Subscription** and **Log Analytics workspace** from the menus.
- |
Select the **Save** button.
![Screenshot of the diagnostics settings with some destination details shown.](./media/howto-integrate-activity-logs-with-azure-monitor-logs/diagnostic-settings-log-analytics-workspace.png)
If you don't see logs appearing in the selected destination after 15 minutes, sign out and back into Azure to refresh the logs.
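A coverage check to run after saving the setting, added here as an example (it is not part of the original article or Microsoft's code): it inspects a diagnostic setting exported as JSON and reports which of the log categories behind this article's use cases are not reaching a Log Analytics workspace. The sample JSON is constructed with placeholder IDs. The `properties.workspaceId` and `properties.logs[]` layout and the category names `AuditLogs`, `SignInLogs`, `RiskyUsers` and `UserRiskEvents` are assumptions to confirm against your tenant's own export.

```python
import json

# Categories tied to the use cases listed in the introduction (assumed names;
# confirm against the category list shown in your tenant's diagnostic settings).
REQUIRED = {
    "AuditLogs": "audit trail of tenant changes",
    "SignInLogs": "interactive sign-in activity",
    "RiskyUsers": "Identity Protection risky users",
    "UserRiskEvents": "Identity Protection risk detections",
}

# Constructed sample: workspace destination set, but one category disabled
# and one missing entirely. All IDs and names are placeholders.
SAMPLE = json.loads("""
{
  "name": "example-setting",
  "properties": {
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.OperationalInsights/workspaces/example-ws",
    "logs": [
      {"category": "AuditLogs", "enabled": true},
      {"category": "SignInLogs", "enabled": true},
      {"category": "RiskyUsers", "enabled": false}
    ]
  }
}
""")

def audit_setting(setting):
    """Return a list of findings; an empty list means full coverage."""
    props = setting.get("properties") or {}
    findings = []
    workspace = (props.get("workspaceId") or "").strip()
    if "/providers/microsoft.operationalinsights/workspaces/" not in workspace.lower():
        findings.append("no Log Analytics workspace destination")
    enabled = set()
    for entry in props.get("logs") or []:
        # Category names are compared case-insensitively; only an explicit
        # boolean true counts as enabled.
        if entry.get("enabled") is True:
            enabled.add(str(entry.get("category", "")).lower())
    for category, purpose in REQUIRED.items():
        if category.lower() not in enabled:
            findings.append(f"{category} not streamed ({purpose})")
    return findings

if __name__ == "__main__":
    for finding in audit_setting(SAMPLE) or ["all required categories reach the workspace"]:
        print(finding)
```

An empty result means every listed category is enabled and a workspace destination is set; it does not confirm that data has arrived in the workspace.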
relatedContent:
- text: Analyze Microsoft Entra activity logs with Azure Monitor logs
url: howto-analyze-activity-logs-log-analytics.md
- text: Learn about the data sources you can analyze with Azure Monitor
url: /azure/azure-monitor/data-sources
- text: Automate creating diagnostic settings with Azure Policy
url: /azure/azure-monitor/essentials/diagnostic-settings-policy