This chapter covers Microsoft Sentinel integration with Microsoft 365, a key topic in the MS-900 exam under domain M365 Security (Objective 3.1). You will learn how Sentinel ingests security data from Microsoft 365 services like Azure AD, Microsoft 365 Defender, and Office 365, and how it correlates that data to detect and respond to threats. Approximately 5-10% of exam questions touch on SIEM/SOAR capabilities and Microsoft Sentinel’s role in the Microsoft 365 security stack. Master this material to confidently answer questions about threat detection, data connectors, and automated response.
Jump to a section
Imagine a large corporate campus with hundreds of security cameras (data sources) from different vendors: indoor cameras, outdoor cameras, badge readers, and fire alarms. Each camera records footage to its own local DVR. If a security incident occurs, a guard would have to manually check each DVR, which is slow and error-prone. Microsoft Sentinel acts as a central command center where all camera feeds are streamed in real-time. The command center uses a unified interface to view all feeds, applies intelligent analytics to detect suspicious behavior (e.g., a person entering a restricted area after hours), and automatically triggers alerts to security personnel. It also keeps a searchable archive of all footage for forensic analysis. In this analogy, the cameras are your security data sources (like Azure AD, Microsoft 365 Defender, and third-party firewalls). Sentinel ingests logs, normalizes them into a common format, correlates events across sources, and provides dashboards and automated response playbooks. Just as a command center doesn’t replace the cameras but enhances their value, Sentinel doesn’t replace your existing security tools but unifies and amplifies their effectiveness.
What is Microsoft Sentinel and Why Does It Exist?
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution. It provides intelligent security analytics and threat intelligence across an enterprise, enabling proactive threat detection, investigation, and automated response. Sentinel exists to address the limitations of traditional on-premises SIEMs: high infrastructure costs, complex scaling, and siloed data. By being cloud-native, Sentinel offers elastic scalability, built-in AI, and deep integration with Microsoft 365 and Azure services.
How Sentinel Integrates with Microsoft 365
Sentinel ingests data from Microsoft 365 sources using built-in data connectors. These connectors pull logs from: - Azure Active Directory (Azure AD): Sign-in logs, audit logs, and provisioning logs. - Microsoft 365 Defender: Alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. - Office 365: Exchange Online, SharePoint Online, Teams, and OneDrive audit logs. - Microsoft Cloud App Security (MCAS): Alerts and activity logs. - Azure Information Protection: Data classification and labeling logs.
The connectors work by subscribing to Microsoft 365’s unified audit logging and streaming data via the Office 365 Management Activity API. Data is stored in the Log Analytics workspace associated with Sentinel.
Key Components and Data Flow
Data Connectors: Pre-built connectors for Microsoft 365 services. Each connector has specific prerequisites and configuration steps. For example, the Azure AD connector requires global admin permissions and the Azure AD Premium P1 or P2 license.
Log Analytics Workspace: The underlying data store. All ingested logs are stored in tables (e.g., SigninLogs, AuditLogs, OfficeActivity). Sentinel adds security-specific tables like SecurityAlert and SecurityEvent.
Analytics Rules: Built-in or custom rules that create incidents when certain patterns are detected. For example, a rule can trigger when a user signs in from an unfamiliar location and then accesses sensitive data.
Incidents: Groups of related alerts. Security analysts triage and investigate incidents in the Sentinel interface.
Playbooks: Automated response workflows built on Azure Logic Apps. For example, a playbook can automatically disable a compromised user account when a high-severity incident is created.
Workbooks: Interactive dashboards that visualize data. Sentinel provides default workbooks for Microsoft 365 scenarios, such as Office 365 Security and Compliance.
How Sentinel Processes Microsoft 365 Data
Step 1: Data Ingestion - Connectors pull logs from Microsoft 365 APIs every few minutes (typically 5-15 minutes depending on the service). - Logs are normalized to the Common Event Format (CEF) or Sentinel’s schema.
Step 2: Data Retention - By default, logs are retained for 90 days in the Log Analytics workspace. You can adjust retention up to 2 years or export to Azure Storage for longer retention. - Sentinel itself does not charge for storage; you pay for Log Analytics data ingestion and retention.
Step 3: Detection - Analytics rules run on a schedule (e.g., every 5 minutes) or in near real-time using alert triggers. - Rules can use Kusto Query Language (KQL) to query logs. Example: A rule to detect multiple failed sign-ins followed by a successful sign-in from a different country.
Step 4: Incident Creation - When a rule matches, Sentinel creates an incident with severity, status, and entities (users, IPs, devices). - Incidents can be automatically assigned to analysts based on severity.
Step 5: Investigation and Response - Analysts use the investigation graph to visualize relationships between entities. - Playbooks can be triggered manually or automatically. For example, a playbook could send an email to the user’s manager and block the user’s account via Microsoft Graph API.
Specific Values and Defaults
Ingestion latency: Most Microsoft 365 connectors have a latency of 5-15 minutes. Azure AD logs are typically available within 10-15 minutes.
Log Analytics pricing: Pay-as-you-go is $2.30 per GB ingested (first 5 GB free per month). Sentinel itself costs $0.10 per GB ingested for the SIEM tier and $0.05 per GB for the SOAR tier.
Data connector status: Connectors show as "Connected" or "Disconnected" in the Sentinel UI. If disconnected, check permissions and API throttling.
Maximum retention: 730 days (2 years) for Log Analytics, but you can archive to Azure Storage beyond that.
Configuration and Verification
To configure an Azure AD connector: 1. In Sentinel, navigate to Data connectors > Azure Active Directory. 2. Click "Open connector page". 3. Select the log types: Sign-in logs and Audit logs. 4. Click "Connect". 5. Verify by checking the "Data received" graph; it may take up to 15 minutes for data to appear.
To verify logs are flowing:
SigninLogs
| where TimeGenerated > ago(1h)
| countInteraction with Related Technologies
Microsoft 365 Defender: Sentinel can ingest alerts from Defender, but Defender also has its own incident management. Sentinel provides a broader view across all Microsoft 365 and Azure services.
Azure Logic Apps: Playbooks are built using Logic Apps, which can connect to hundreds of services, including Teams, Outlook, and ServiceNow.
Microsoft Graph Security API: Sentinel can use this API to send alerts to other SIEMs or to update alerts in Microsoft 365 Defender.
Exam-Relevant Details
MS-900 tests your understanding of Sentinel’s role as a SIEM/SOAR solution, not deep configuration.
Know that Sentinel is a cloud-native service, not on-premises.
Understand that it integrates with Microsoft 365 via pre-built connectors and that data is stored in Log Analytics.
Be aware that Sentinel uses AI and machine learning for anomaly detection (e.g., Fusion analytics).
Remember that Sentinel is part of the Microsoft 365 security stack but is an Azure service, not a Microsoft 365 service.
Common Traps
Trap: Thinking Sentinel is included with Microsoft 365 E5. Reality: Sentinel is an Azure service with separate pricing, though it integrates with E5 security features.
Trap: Confusing Sentinel with Microsoft 365 Defender. Reality: Defender provides endpoint, email, and identity protection; Sentinel is a SIEM that aggregates alerts from Defender and other sources.
Trap: Believing Sentinel replaces Azure AD Identity Protection. Reality: Identity Protection provides risk-based conditional access; Sentinel can ingest its alerts for broader correlation.
Enable Data Connectors for Microsoft 365
Begin by configuring data connectors in Microsoft Sentinel to ingest logs from Microsoft 365 services. For each connector (e.g., Azure AD, Office 365, Microsoft 365 Defender), you need appropriate permissions: Global Administrator or Security Administrator for most. The connector subscribes to the Office 365 Management Activity API and starts streaming logs. Once connected, data flows into the Log Analytics workspace under specific tables (e.g., SigninLogs, OfficeActivity). You can verify the connection status in the connector page; a green check indicates active ingestion. Expect a latency of 5-15 minutes before logs appear. If logs don't appear, check for misconfigured diagnostic settings or insufficient licensing (e.g., Azure AD P1/P2 required for sign-in logs).
Create Analytics Rules for Threat Detection
After data flows, create analytics rules to detect suspicious activities. Sentinel provides a library of built-in rule templates for Microsoft 365 scenarios, such as 'User account compromised' or 'Mass download from SharePoint'. You can also write custom KQL queries. Each rule has a schedule (e.g., run every 5 minutes) and a query that looks for patterns. When the query returns results, Sentinel creates an incident. For example, a rule might detect multiple failed sign-ins from a single IP address within 10 minutes. You can configure alert severity, entity mapping (e.g., user, IP), and group alerts into incidents. Rules can be enabled or disabled; only enabled rules consume compute resources.
Triage and Investigate Incidents
When an incident is created, security analysts review it in the Sentinel incident dashboard. Incidents are sorted by severity (low, medium, high, critical). Each incident contains alerts, entities, and a timeline. Analysts can use the investigation graph to visualize relationships: for example, which user, device, and IP address are involved. They can also view raw logs by clicking 'View full details'. Sentinel provides built-in workbooks to visualize trends, such as sign-in failures over time. Analysts can manually change incident status (new, active, closed) and add comments. For complex investigations, they can use hunting queries to proactively search for threats.
Automate Response with Playbooks
Playbooks are automated workflows triggered by incidents or alerts. They are built using Azure Logic Apps and can perform actions like blocking a user, resetting a password, or posting a message to a Teams channel. For example, a playbook for a compromised account might: (1) Disable the user account via Microsoft Graph, (2) Send an email to the security team, (3) Create a ticket in ServiceNow. Playbooks can run automatically when an incident is created (automation rule) or manually on-demand. You can also chain multiple playbooks. Sentinel includes a gallery of pre-built playbooks for common scenarios. Each playbook incurs Logic Apps execution costs.
Monitor and Fine-Tune Operations
Continuously monitor the health of your Sentinel deployment. Check data connector status daily; if a connector disconnects, re-authenticate. Review analytics rule performance: adjust thresholds to reduce false positives. Use the 'New' incidents workbook to track mean time to respond (MTTR). Sentinel provides health monitoring via the 'SentinelHealth' table, which logs rule execution failures and connector issues. Set up alerts for connector disconnections. Also, review costs: data ingestion volume can spike unexpectedly; set budget alerts in Azure Cost Management. Regularly test playbooks with simulated incidents to ensure they work as expected.
Enterprise Scenario 1: Contoso Corp – Detecting Insider Threat
Contoso Corp, a multinational with 50,000 employees, uses Microsoft 365 E5 and needs to detect insider threats where employees exfiltrate data via email or SharePoint. They deploy Sentinel with Office 365 and Azure AD connectors. They create an analytics rule that triggers when a user downloads more than 100 files from SharePoint within an hour and then sends an email with attachments to an external domain. Sentinel creates an incident, and a playbook automatically blocks the user's account and sends a notification to the manager. This scenario requires careful tuning of thresholds to avoid false positives from legitimate bulk downloads. Performance-wise, Sentinel handles millions of logs daily; the key is to optimize KQL queries to run within 5 minutes. Misconfiguration example: If the Office 365 connector is not granted sufficient permissions, logs will not stream, causing missed detections.
Enterprise Scenario 2: Fabrikam Inc – Phishing Campaign Response
Fabrikam Inc, a mid-sized company with 2,000 users, experiences frequent phishing attacks. They use Microsoft 365 Defender for email protection and Sentinel for correlation. When Defender detects a phishing email, it sends an alert to Sentinel. Sentinel's analytics rule correlates that alert with sign-in logs: if a user who received the phishing email later signs in from an unusual location, Sentinel creates a high-severity incident. A playbook then disables the user's account and deletes the phishing email from all mailboxes via Microsoft Graph. This integration reduces response time from hours to minutes. A common mistake is not enabling the Microsoft 365 Defender connector in Sentinel, causing alerts to be missed. Also, if the playbook fails due to Graph API throttling, the account may not be disabled promptly. Fabrikam mitigates this by setting up retry logic in the Logic App.
Scenario 3: Northwind Traders – Compliance and Audit
Northwind Traders, a financial services firm, must retain audit logs for two years for regulatory compliance. They use Sentinel with Office 365 audit logs and set Log Analytics retention to 730 days. They create a workbook that shows all administrative actions in Exchange Online and SharePoint. Sentinel’s built-in ‘Sensitive Data Discovery’ workbook helps identify potential compliance violations. They also use Sentinel’s Fusion analytics to detect advanced attacks. Scaling consideration: At 10 TB of logs per month, they use Azure Storage archives for logs older than 90 days to reduce costs. A frequent issue is that some audit logs (e.g., Teams) are not enabled by default; they must be enabled in the Microsoft 365 Compliance Center. Without that, Sentinel receives incomplete data, leading to compliance gaps.
What MS-900 Tests on Microsoft Sentinel Integration with M365
The MS-900 exam objective 3.1 (Describe the capabilities of Microsoft 365 security solutions) includes Microsoft Sentinel as a SIEM/SOAR solution. Specifically, you need to know:
Sentinel is a cloud-native SIEM (not on-premises).
It ingests data from Microsoft 365 via data connectors.
It uses analytics to detect threats and can automate response via playbooks.
It works alongside Microsoft 365 Defender, not as a replacement.
It is an Azure service, not a Microsoft 365 service, so it has separate licensing and pricing.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong: "Microsoft Sentinel is included with Microsoft 365 E5." *Why chosen:* E5 includes many security features (Defender, Identity Protection), so candidates assume Sentinel is also included. *Reality:* Sentinel is an Azure service with separate pay-as-you-go pricing. E5 does not include Sentinel.
2. Wrong: "Sentinel replaces Microsoft 365 Defender." *Why chosen:* Both provide security monitoring, so candidates think Sentinel makes Defender obsolete. *Reality:* Defender is a suite of endpoint, email, and identity protection tools. Sentinel is a SIEM that aggregates alerts from Defender and other sources. They are complementary.
3. Wrong: "Sentinel can be deployed on-premises." *Why chosen:* Traditional SIEMs are on-premises, so candidates assume Sentinel can be too. *Reality:* Sentinel is cloud-native only. It runs in Azure and cannot be deployed on-premises.
4. Wrong: "Sentinel uses the same analytics as Azure AD Identity Protection." *Why chosen:* Both use machine learning for risk detection. *Reality:* Identity Protection focuses on user sign-in risk; Sentinel can ingest its alerts but uses its own analytics rules and Fusion ML.
Specific Numbers and Terms That Appear on the Exam
Data retention default: 90 days (adjustable up to 2 years).
Pricing: Pay-as-you-go for Log Analytics ingestion; Sentinel has separate per-GB charges.
Connector examples: Azure AD, Office 365, Microsoft 365 Defender.
Playbooks: Built on Azure Logic Apps.
Analytics rules: Use KQL.
Incident severity levels: Low, Medium, High, Critical.
Edge Cases and Exceptions
Sentinel does not ingest data from Microsoft 365 without proper licensing (e.g., Azure AD P1/P2 for sign-in logs).
Some connectors require enabling audit logging in Microsoft 365 first (e.g., Teams audit).
Sentinel can ingest non-Microsoft data via Syslog, CEF, or REST API, but the MS-900 exam focuses on Microsoft 365 sources.
How to Eliminate Wrong Answers
If an answer says Sentinel is on-premises or hybrid, eliminate it.
If an answer says Sentinel is included in any Microsoft 365 subscription, eliminate it (it's a separate Azure service).
If an answer says Sentinel replaces Defender, eliminate it (they work together).
Look for keywords: cloud-native, SIEM, SOAR, data connectors, Log Analytics, playbooks, KQL.
Microsoft Sentinel is a cloud-native SIEM/SOAR solution, not on-premises.
It integrates with Microsoft 365 via pre-built data connectors for Azure AD, Office 365, and Microsoft 365 Defender.
Sentinel uses analytics rules (KQL) to detect threats and creates incidents with severity levels.
Playbooks (Azure Logic Apps) automate response actions like blocking users or resetting passwords.
Data is stored in Log Analytics; default retention is 90 days, up to 730 days.
Sentinel is a separate Azure service with its own pricing; not included in Microsoft 365 E5.
Sentinel complements Microsoft 365 Defender, not replace it.
Common exam traps: confusing Sentinel with Defender, assuming it's on-premises, or thinking it's included in E5.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Sentinel
Cloud-native SIEM/SOAR that aggregates logs from multiple sources.
Provides unified incident management and advanced analytics with KQL.
Supports automated response via playbooks (Azure Logic Apps).
Priced separately as an Azure service (pay-as-you-go).
Integrates with non-Microsoft security tools via connectors.
Microsoft 365 Defender
Suite of endpoint, email, identity, and cloud app security tools.
Provides specialized protection for Microsoft 365 workloads.
Includes automated response within its own scope (e.g., automatic remediation).
Included with Microsoft 365 E5 license.
Focused on Microsoft 365 ecosystem; limited external integration.
Mistake
Microsoft Sentinel is included with Microsoft 365 E5.
Correct
Sentinel is an Azure service with separate pay-as-you-go pricing. Microsoft 365 E5 includes Defender, Identity Protection, and Cloud App Security, but not Sentinel.
Mistake
Sentinel can be deployed on-premises or in a hybrid environment.
Correct
Sentinel is a cloud-native SIEM that runs only in Azure. It can ingest data from on-premises sources via connectors, but the service itself is not deployable on-premises.
Mistake
Sentinel replaces Microsoft 365 Defender.
Correct
Sentinel and Defender are complementary. Defender provides endpoint, email, and identity protection; Sentinel aggregates alerts from Defender and other sources for broader correlation and response.
Mistake
Sentinel automatically responds to all incidents without configuration.
Correct
Sentinel requires you to create playbooks for automated response. Without playbooks, incidents are only detected and displayed for manual investigation.
Mistake
Sentinel stores data indefinitely at no extra cost.
Correct
Log Analytics retention is 90 days by default, extendable to 730 days at additional cost. For longer retention, you must export data to Azure Storage.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. Microsoft Sentinel is an Azure service with separate pricing (pay-as-you-go for data ingestion and retention). Microsoft 365 E5 includes security tools like Microsoft 365 Defender, Azure AD Identity Protection, and Cloud App Security, but not Sentinel. You can deploy Sentinel to enhance security monitoring by aggregating logs from these E5 services.
Sentinel provides built-in connectors for Azure AD (sign-in and audit logs), Office 365 (Exchange, SharePoint, Teams, OneDrive), Microsoft 365 Defender (alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps), and Microsoft Cloud App Security. Each connector requires appropriate permissions and licensing (e.g., Azure AD P1/P2 for sign-in logs).
Typical ingestion latency is 5-15 minutes for most Microsoft 365 connectors. Azure AD logs may take up to 15 minutes. If logs are not appearing, check connector status, permissions, and whether the relevant audit logging is enabled in Microsoft 365 (e.g., Teams audit must be enabled in the Compliance Center).
Yes, by using playbooks built on Azure Logic Apps. Playbooks can be triggered automatically by analytics rules or manually. For example, a playbook can disable a user account, reset a password, or block an IP address. You must create and configure the playbook; Sentinel does not automatically respond without them.
Microsoft 365 Defender is a suite of security tools that protect endpoints, email, identity, and cloud apps. It provides alerts and limited automation. Microsoft Sentinel is a SIEM/SOAR that ingests logs from Defender and other sources, correlates them, and provides advanced analytics and automated response. Sentinel complements Defender by giving a broader view and deeper investigation capabilities.
Sentinel pricing is based on data ingestion volume and retention. The first 5 GB per month to Log Analytics is free. Beyond that, pay-as-you-go rates apply: approximately $2.30 per GB for data ingestion, plus Sentinel’s own charge of $0.10 per GB for the SIEM tier and $0.05 per GB for the SOAR tier. Retention beyond 90 days costs extra. Use Azure Cost Management to monitor spending.
Yes. Sentinel can ingest data from on-premises sources via Syslog, Common Event Format (CEF), or REST API connectors. It also has connectors for AWS, Google Cloud, and many third-party security tools. However, the MS-900 exam focuses on Microsoft 365 integration.
You've just covered Microsoft Sentinel Integration with M365 — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?