Sep 02 2022 06:28 AM
What is the difference between the Sentinel connectors Azure Active Directory and AAD Identity Protection?
As you can see above, Azure AD also provides logs related to risky users and user risk events. What's the major difference between the two, then?
Sep 04 2022 09:51 AM
Hello @Victor1989 ,
1. Azure Active Directory connector allows you to use a more granular way of log ingestion. For example, if you don't have ADFS in your environment you can simply disable it.
2. AAD Identity Protection connector allows the creation of alerts in Sentinel based on alerts that come from AAD IP.
I see that 1 ingests logs into two tables (AADUserRiskEvents and AADRiskyUsers), and 2 ingests logs into the (SecurityAlert) table. So with 2 you can only see alerts and with 1 you can see raw logs.
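
To see the split described in the reply above in your own workspace, the following query compares the raw detections with the alerts per user. It is an added example, not part of the original thread. It assumes the standard Sentinel schemas (`UserPrincipalName` and `RiskEventType` in `AADUserRiskEvents`, `ProductName`, `AlertName` and `CompromisedEntity` in `SecurityAlert`), that Identity Protection alerts carry the user principal name in `CompromisedEntity`, and that both connectors are enabled.

```kql
// Added example: column names and the ProductName value are assumptions
// based on the standard table schemas; adjust them if your workspace differs.
let lookback = 7d;
// Raw risk detections ingested by the Azure Active Directory connector
let rawRisk = AADUserRiskEvents
    | where TimeGenerated > ago(lookback)
    | summarize RawDetections = count(),
                RiskTypes = make_set(RiskEventType)
        by User = tolower(UserPrincipalName);
// Alerts ingested by the AAD Identity Protection connector
let ipAlerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Azure Active Directory Identity Protection"
    | summarize Alerts = count(),
                AlertNames = make_set(AlertName)
        by User = tolower(CompromisedEntity);
// Full outer join keeps users that appear in only one of the two sources
rawRisk
| join kind=fullouter ipAlerts on User
| project User = coalesce(User, User1),
          RawDetections = coalesce(RawDetections, 0),
          RiskTypes,
          Alerts = coalesce(Alerts, 0),
          AlertNames
| order by RawDetections desc
```

Rows with `RawDetections > 0` and `Alerts == 0` are users whose risk events reached the raw tables without a matching entry in `SecurityAlert`.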