
Azure Sentinel | Azure B2C

Adrian Gordon

Can you let me know if Azure Sentinel supports (out of the box) connections to Azure B2C Logs? The document states that Azure Sentinel can ingest Azure AD sign-in and audit logs, but I was not sure for Azure B2C.

 

Regards,

Adrian

11 Replies

@Eyal Manor: Is this something you can help with? 

Hi, Please work with Koby Koren kobyk@microsoft.com

Thank you Eyal! @Koby Koren: Can you please help with this topic?

 

@DhanyahkMSFT can you please assist?

@Koby Koren @Valon_Kolica @DhanyahkMSFT Any update on this? I have the same question. Thanks!

@Lars_Kemmann 

 

Hi @Chris Boehm, is this something you can speak to? 

@Ofer_Shezaf 

Solution

@Lars_Kemmann 

and @Adrian Gordon 

@Valon_Kolica 

 

To answer the question, yes we take in Azure AD B2C Audit logs

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-audit-log...

 

If configured, you'll see B2C Audit logs pulled over into Azure Sentinel whenever you've enabled Azure AD Audit connector within Sentinel.

 

Example:

 

[Screenshots: Annotation 2019-05-28 091423.png, Annotation 2019-05-28 091444.png. Caption: Pulling a Query over the past 7 days, looking for B2C audit logs]

 

@Chris Boehm  Presumably the Sentinel instance must be created within the B2C tenant?  Or can it be created in my primary tenant and pointed to the B2C tenant to capture logs?

I don't see how creating Sentinel within the B2C tenant would be possible as it is not linked to any subscription. On the other hand, creating Sentinel in your "corporate" Azure AD tenant is possible, but I have not found any way to point it to the B2C tenant. It defaults the Azure AD Data Connector to the "corporate" Azure AD.
So far I don't see a way to make Sentinel work with Azure AD B2C.

@Chris Boehm Are you able to provide any high-level pointers as to how you set this up? I have Sentinel set up in my corp AD tenant, showing corp AD logs. I also have B2C set up, but I'm not clear how to configure the AD audit connector to also read in the B2C logs. Thanks

@Chris Boehm I also would like details on how to add a B2C to Sentinel. It is showing the primary data, but no data from our B2C tenant.
