Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Disabled Connectors

Silver Contributor

We have noticed that in some tenants, connectors that were configured are showing up as disabled. One of my colleagues thinks that if there is no activity during an unspecified period of time, it goes grey and seems "disabled". Once some activity is detected, it again goes green and shows alive. This is something new MS hasn't disclosed and should be tested, but has been seen in other clients workspaces. Has anyone else seen this type of behavior? Can anyone from MSFT confirm that this is by design?

7 Replies
Hi, Dean.

Its moreso that the rule failed to run.

I believe this better describes it:

@Rod_Trent Thanks, I had not seen that article. When I review the analytic rules, I am not seeing any that show Auto Disabled. Any other ideas about what might be going on? When I look at an associated workbook and run a log query, It shows a few events from Oct 15, but now the connector is disabled. I need to get a better understanding about what is happening

Which connector is it, btw? MCAS?
No, it is Azure Activity. this is occurring in multiple CSP tenants that should not have any significant Azure activity because they are primarily used for O365. I wanted to use Azure Activity connector to help make sure that nothing malicious does occur with azure resources.
I have seen this if there data has not flowed in for a while, the table is considered empty (if you look at the data ingestion summary when clicking on the data connector it will show that no data has come in at all) so the data connector is assumed to be disconnected.
Yes, this is exactly what is happening and is expected, will it automatically reconnect if data does start showing up (this could indicate an incident and we want to make sure that we are not blind)
Try the following...

1. Go to Azure Policy
2. Go to the Remediation > Click on the Policy “Configure Azure Activity logs to stream to specified Log Analytics workspace”
3. Create a new remediation task
4. Wait for the task to complete.

Please give some time. If everything is good then you can go back to the azure Sentinel > Data connectors > Azure Activity and will find it as connected.