-
Notifications
You must be signed in to change notification settings - Fork 898
Expand file tree
/
Copy pathhowto-integrate-activity-logs-with-azure-monitor-logs.yml
More file actions
91 lines (76 loc) · 5.42 KB
/
howto-integrate-activity-logs-with-azure-monitor-logs.yml
File metadata and controls
91 lines (76 loc) · 5.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
### YamlMime:HowTo
---
metadata:
title: Integrate Microsoft Entra logs with Azure Monitor logs
description: Learn how to integrate Microsoft Entra activity logs with Azure Monitor logs for querying and analysis.
author: shlipsey3
ms.author: sarahlipsey
manager: pmwongera
ms.reviewer: egreenberg
ms.date: 01/06/2026
ms.service: entra-id
ms.subservice: monitoring-health
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
# Customer intent: As an IT admin, I want to learn how to integrate Microsoft Entra activity logs with Azure Monitor logs so that I can query and analyze the data.
title: |
Integrate Microsoft Entra logs with Azure Monitor logs
introduction: |
Using **diagnostic settings** in Microsoft Entra ID, you can integrate logs with Azure Monitor so your sign-in activity and the audit trail of changes within your tenant can be analyzed along with other Azure data.
This article provides the steps to integrate Microsoft Entra logs with Azure Monitor.
Use the integration of Microsoft Entra activity logs and Azure Monitor to perform the following tasks:
- Compare your Microsoft Entra sign-in logs against security logs published by Microsoft Defender for Cloud.
- Troubleshoot performance bottlenecks on your application's sign-in page by correlating application performance data from Azure Application Insights.
- Analyze the Identity Protection risky users and risk detections logs to detect threats in your environment.
- Identify sign-ins from applications still using the Active Directory Authentication Library (ADAL) for authentication. [Learn about the ADAL end-of-support plan.](../../identity-platform/msal-migration.md)
> [!NOTE]
> Integrating Microsoft Entra logs with Azure Monitor automatically enables the Microsoft Entra data connector within Microsoft Sentinel.
prerequisites:
summary: |
To use this feature, you need:
dependencies:
- |
An Azure subscription. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
- |
At least the [Security Administrator](../role-based-access-control/permissions-reference.md#security-administrator) role in the Microsoft Entra tenant.
- |
A **Log Analytics workspace** in your Azure subscription. Learn how to [create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
- |
Permission to access data in a Log Analytics workspace. See [Manage access to log data and workspaces in Azure Monitor](/azure/azure-monitor/logs/manage-access) for information on the different permission options and how to configure permissions.
procedureSection:
- title: |
Create a Log Analytics workspace
summary: |
A Log Analytics workspace allows you to collect data based on a variety or requirements, such as geographic location of the data, subscription boundaries, or access to resources. Learn how to [create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
To learn how to set up a Log Analytics workspace for Azure resources outside of Microsoft Entra ID, see [Collect and view resource logs for Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings).
## Send logs to Azure Monitor
Use the following steps to send logs from Microsoft Entra ID to Azure Monitor logs.
> [!TIP]
> Steps in this article might vary slightly based on the portal you start from.
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
- |
Browse to **Entra ID** > **Monitoring & health** > **Diagnostic settings**. You can also select **Export Settings** from either the **Audit Logs** or **Sign-ins** page.
- |
Select **+ Add diagnostic setting** to create a new integration or select **Edit setting** for an existing integration.
- |
Enter a **Diagnostic setting name**. If you're editing an existing integration, you can't change the name.
- |
Select the log categories that you want to stream. For a description of each log category, see [What are the identity logs you can stream to an endpoint](concept-log-monitoring-integration-options-considerations.md).
- |
Under **Destination Details** select the **Send to Log Analytics workspace** check box.
- |
Select the appropriate **Subscription** and **Log Analytics workspace** from the menus.
- |
Select the **Save** button.
For more information about when logs start appearing in your Log Analytics workspace, see [Diagnostic settings in Azure Monitor](/azure/azure-monitor/platform/diagnostic-settings#time-before-telemetry-gets-to-destination).
relatedContent:
- text: Analyze Microsoft Entra activity logs with Azure Monitor logs
url: howto-analyze-activity-logs-log-analytics.md
- text: Learn about the data sources you can analyze with Azure Monitor
url: /azure/azure-monitor/data-sources
- text: Automate creating diagnostic settings with Azure Policy
url: /azure/azure-monitor/essentials/diagnostic-settings-policy