Microsoft Tech Community
SOLVED

Azure Sentinel | Azure B2C


Can you let me know if Azure Sentinel supports (out of the box) connections to Azure B2C logs? The document states that Azure Sentinel can ingest Azure AD sign-in and audit logs, but I was not sure about Azure B2C.

Regards,

Adrian

15 Replies

@Eyal Manor: Is this something you can help with? 

Hi, Please work with Koby Koren kobyk@microsoft.com

Thank you Eyal! @Koby Koren: Can you please help with this topic?

 

@DhanyahkMSFT can you please assist?

@Koby Koren @Valon_Kolica @DhanyahkMSFT Any update on this? I have the same question. Thanks!

@Lars_Kemmann 

 

Hi @Chris Boehm, is this something you can speak to? 

@Ofer_Shezaf 

best response confirmed by Chris Boehm (Microsoft)
Solution

@Lars_Kemmann 

and @Adrian Gordon 

@Valon_Kolica 

 

To answer the question, yes we take in Azure AD B2C Audit logs

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-audit-log...

 

If configured, you'll see B2C Audit logs pulled over into Azure Sentinel whenever you've enabled the Azure AD Audit connector within Sentinel.

 

Example:

 

[Screenshot: Pulling a query over the past 7 days, looking for B2C audit logs]

 

@Chris Boehm  Presumably the Sentinel instance must be created within the B2C tenant?  Or can it be created in my primary tenant and pointed to the B2C tenant to capture logs?

I don't see how creating Sentinel within the B2C tenant would be possible, as it is not linked to any subscription. On the other hand, creating Sentinel in your "corporate" Azure AD tenant is possible, but I have not found any way to point it to the B2C tenant. It defaults the Azure AD Data Connector to the "corporate" Azure AD.
So far I don't see a way to make Sentinel work with Azure AD B2C.

@Chris Boehm Are you able to provide any high-level pointers as to how you set this up? I have Sentinel set up in my corp AD tenant, showing corp AD logs. I also have B2C set up, but I'm not clear how to configure the AD audit connector to also read in the B2C logs. Thanks

@Chris Boehm I also would like details on how to add a B2C to Sentinel. It is showing the primary data, but no data from our B2C tenant.

@wmansfield and @Chris Boehm did you come up with a straightforward solution for getting B2C logs directly into a corp tenant?

@Secuerskydev 

 

You can now collect B2C logs from your B2C tenant to your primary tenant AAD logs as described here.

 

~ Ofer

@Ofer_Shezaf   Thanks!

Thanks, and Azure AD B2C supports Sentinel. Please find the document below:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/azure-sentinel