AAD Connector Configuration

Silver Contributor

When we configure the AAD logs in Sentinel, there are 7 options, however, in the Diagnostic settings in AAD, there are 9 options. I am assuming that the AAD Identity Protection connector covers the other 2 options (RIsky Users ad User Risk Events) can anyone confirm my assumption?






1 Reply
They recently added to public preview risky user logs and risk detection logs to be able to be sent to Sentinel (or Azure Monitor) - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-... (under support reports). A lot of the guidance hasn't been updated yet to reflect it from what I can see though. Previously you could see this report in the portal but not send the data anywhere I don't think.

AAD identity protection is just the actual alerts that fire (and get sent to the SecurityAlert table). I imagine the data from RiskyUsers and UserRiskEvents is a large part of what triggers AAD IP alerts though.