Configuring Microsoft Sentinel with Entra ID and UEBA

Prerequisites

Ensure you have the following:

  • Azure subscription with owner or contributor + user access administrator rights
  • Global Administrator or Security Administrator role in Entra ID

Setup Sentinel

Step 1: Create a Log Analytics workspace

Sentinel runs on top of a Log Analytics workspace. The workspace stores all ingested logs and is where you run KQL queries.

  1. Search for ‘Log Analytics workspaces’ in the Azure portal
  2. Click + Create
  3. Select your subscription and use the following values:
    Resource group: sentinel (create new)
    Name: sentinel-logs
    Region: Pick a region close to you
    (Screenshot: Log Analytics creation)
  4. Click Review + create then Create

Step 2: Enable Microsoft Sentinel

This adds the Sentinel solution to the Log Analytics workspace, enabling security-specific features and the Sentinel UI.

  1. Search for ‘Sentinel’ and select ‘Microsoft Sentinel’ in the Azure portal
  2. Click + Create
  3. Select sentinel-logs created in previous step
  4. Click Add

Microsoft Sentinel is now configured! The next step is to start ingesting logs.

Ingesting Entra ID logs

Step 1: Configure diagnostic settings

A diagnostic setting tells Entra ID to stream its sign-in, audit and Identity Protection risk logs to the Log Analytics workspace.

  1. Open the Entra ID admin center
  2. Go to Monitoring > Diagnostic settings
  3. Click + Add diagnostic setting
  4. Name it entra-id-sentinel or similar
  5. Check the following categories under Logs (every additional category you tick adds ingestion volume, and therefore cost)
    1. AuditLogs
    2. SignInLogs
    3. RiskyUsers
    4. UserRiskEvents
  6. Check ‘Send to Log Analytics workspace’ under Destination details, and select the sentinel-logs workspace
    (Screenshot: Diagnostic settings)
  7. Click Save

Step 2: Add the Entra ID data connector in Sentinel

The Sentinel connector activates built-in analytics rules and workbooks for Entra ID.

  1. Open the Microsoft Defender admin center
  2. Go to Microsoft Sentinel > Content management > Content hub
  3. Search for or scroll down to find Microsoft Entra ID and check the checkbox
  4. Click Install/Update
  5. Once installed, go to Microsoft Sentinel > Configuration > Data connectors
  6. Select Microsoft Entra ID in the list and press Open connector page
  7. Ensure the same categories you checked in Step 1, item 5 are also checked here

Entra ID logs are now connected to Sentinel. It can take a few hours for logs to start appearing.
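Before moving on, confirm that all four categories are actually landing in the workspace. The two queries below are an added example, not part of the original post; they run in Logs on the sentinel-logs workspace and use the table names Entra ID diagnostic settings write to (AuditLogs, SigninLogs, AADRiskyUsers, AADUserRiskEvents) plus the Usage table for billable volume. The 24-hour window is an arbitrary choice.

```kql
// Added example (not from the original post). Run in Logs on the sentinel-logs workspace.
// 1) Row count and newest record per Entra ID table selected in the diagnostic setting.
//    isfuzzy=true lets the union succeed even if a table has not been created by its
//    first record yet, so an empty leg shows up as a missing row instead of an error.
union isfuzzy=true withsource=SourceTable
    AuditLogs, SigninLogs, AADRiskyUsers, AADUserRiskEvents
| where TimeGenerated > ago(24h)
| summarize Rows = count(), Latest = max(TimeGenerated) by SourceTable
| order by SourceTable asc

// 2) Billable volume per table over the same window, to check the cost note above.
//    Usage.Quantity is reported in MB; dividing by 1024 gives GB.
Usage
| where TimeGenerated > ago(24h)
| where DataType in ("AuditLogs", "SigninLogs", "AADRiskyUsers", "AADUserRiskEvents")
| summarize IngestedGB = round(sum(Quantity) / 1024, 3) by DataType, IsBillable
| order by IngestedGB desc
```

Run each query on its own (highlight it before pressing Run). A table that is still missing after a few hours usually means its category was not ticked in the diagnostic setting; AADRiskyUsers and AADUserRiskEvents also stay empty until Identity Protection raises its first detection, which is normal in a quiet tenant.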

Step 3: Enable UEBA

UEBA builds behavioral baselines for users and flags anomalies like unusual access patterns, impossible travel, or privilege escalation attempts.

  1. In the Azure Portal, search for ‘Sentinel’ again, and select sentinel-logs
  2. Scroll down to Configuration > Settings > Settings tab > Set UEBA
  3. Turn on UEBA
  4. Check Microsoft Entra ID, then click Apply
  5. Check Audit Logs and Signin Logs, then click Apply

(Screenshot: UEBA settings)

UEBA is now fully configured. Note that the BehaviorAnalytics and IdentityInfo tables only start to populate once UEBA has processed enough sign-in and audit history to build baselines, so do not expect anomalies on day one.
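Once baselines exist, the place to look is the BehaviorAnalytics table. The query below is an added example, not from the original post; it assumes the documented UEBA schema (BehaviorAnalytics with its ActivityInsights and UsersInsights dynamic columns, and IdentityInfo keyed on AccountUPN). The InvestigationPriority threshold of 5 and the 7-day window are arbitrary starting points, and the EventSource filter value is an assumption that can be dropped if it excludes rows in your tenant.

```kql
// Added example (not from the original post). Surfaces Entra ID activity that UEBA scored
// as anomalous and enriches each row with the user's IdentityInfo profile.
// Assumptions: InvestigationPriority >= 5 (scale is 0-10) is a starting point, tune it;
// the EventSource value is assumed and can be removed if it filters everything out.
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| where EventSource == "Azure AD"
| where InvestigationPriority >= 5
| extend
    NewCountry         = tobool(ActivityInsights.FirstTimeUserConnectedFromCountry),
    UncommonAmongPeers = tobool(ActivityInsights.CountryUncommonlyConnectedFromAmongPeers),
    DormantAccount     = tobool(UsersInsights.IsDormantAccount),
    BlastRadius        = tostring(UsersInsights.BlastRadius)
| join kind=leftouter (
    // IdentityInfo holds periodic snapshots; keep only the newest row per user.
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project AccountUPN, Department, JobTitle, IsAccountEnabled
  ) on $left.UserPrincipalName == $right.AccountUPN
| project TimeGenerated, UserPrincipalName, Department, JobTitle, IsAccountEnabled,
          ActionType, SourceIPAddress, SourceIPLocation, InvestigationPriority,
          NewCountry, UncommonAmongPeers, DormantAccount, BlastRadius
| order by InvestigationPriority desc, TimeGenerated desc
```

An empty result right after enabling UEBA means the baselines are not built yet; check again after a day or two. Department and JobTitle come back blank for users IdentityInfo has not synced, and the leftouter join keeps those rows rather than hiding them.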