This chapter covers Azure Activity Log and Entra ID (formerly Azure AD) connectors for Microsoft Sentinel. These connectors are foundational for ingesting critical logs that reveal resource management actions and identity events, which together enable detection of attacks spanning both control plane and identity plane. On the SC-200 exam, questions on these connectors appear in roughly 5-10% of questions, often testing connector configuration, data types, retention, and troubleshooting. You must understand what each connector ingests, how to enable them, and common misconfigurations that cause data gaps.
Think of Azure Activity and Entra ID connectors as a hotel's front desk and guest registry system. The hotel has two main sources of information about what happens: the front desk logs (Azure Activity Log) record every action taken by staff or external services—like cleaning a room, fixing an elevator, or delivering luggage. These are operational actions that affect the physical property. Separately, the guest registry (Entra ID audit logs) records every guest check-in, check-out, key card issuance, and room access attempt—these are identity and access events. The hotel's security team (Microsoft Sentinel) needs both logs to understand a security incident. If a guest complains about a missing item, the team checks the front desk log to see which staff entered the room and the guest registry to see when the guest's key was used. Without either source, the investigation is incomplete. In Azure, the Activity Log captures control plane operations (e.g., creating a VM, modifying a network security group), while Entra ID audit logs capture identity events (e.g., user login, group membership change, MFA registration). Sentinel connectors pull both into a unified workspace, allowing correlation across resource and identity events—just as the hotel security team correlates physical access logs with guest activity logs.
What Are Azure Activity and Entra ID Connectors?
Microsoft Sentinel is a cloud-native SIEM and SOAR solution that aggregates logs from various sources. Two of the most critical connectors are:
Azure Activity Log Connector: Ingests subscription-level events from the Azure Activity Log. These events record all control plane operations (management actions) on Azure resources—e.g., creating a VM, deleting a storage account, assigning RBAC roles, or starting a virtual machine. The Activity Log is a platform log in Azure that provides insight into subscription-level events.
Entra ID Connector: Ingests audit logs and sign-in logs from Microsoft Entra ID (formerly Azure Active Directory). Audit logs capture changes to directory objects—e.g., user creation, group membership updates, application registration, and conditional access policy changes. Sign-in logs capture successful and failed user sign-in attempts, including interactive and non-interactive sign-ins.
Both connectors are essential for detecting attacks that combine identity compromise with resource abuse—e.g., an attacker gaining access to a user account and then creating a VM to mine cryptocurrency.
How They Work Internally
Azure Activity Log Connector
The Activity Log is a native Azure service that retains events for 90 days by default. When you enable the connector in Sentinel, it does not copy the logs immediately; instead, it configures a diagnostic setting on the subscription (or a specific resource group) to stream Activity Log events to the Log Analytics workspace used by Sentinel. This is done via the Azure Monitor diagnostic settings API.
- The diagnostic setting defines a destination (the Log Analytics workspace) and selects which categories of Activity Log events to stream. The categories are:
- Administrative: all write operations (PUT, POST, DELETE).
- Alert: fires when an Azure alert is raised.
- Security: events from Azure Security Center or Azure Defender.
- Service Health: Azure service health incidents.
- Autoscale: autoscale operations.
- Recommendation: recommendations from Azure Advisor.
- Policy: Azure Policy evaluation events.
- Resource Health: resource health status changes.
- For Sentinel, you typically stream the Administrative category because it contains the most security-relevant events (e.g., resource creation, deletion, role assignments).
- Once streamed, events appear in the AzureActivity table in the Log Analytics workspace. Each event includes:
- Caller: the user or service principal that performed the operation.
- OperationName: the operation (e.g., "Microsoft.Compute/virtualMachines/write").
- Status: Succeeded, Failed, or Started.
- EventTimestamp: time of the event.
- ResourceId: the Azure resource identifier.
- Authorization: RBAC details (scope, role, etc.).
- The connector does not require any agent; it uses the Azure platform's built-in diagnostic settings. However, you must have appropriate permissions: Contributor or Owner at the subscription level to create diagnostic settings.
Entra ID Connector
This connector ingests audit and sign-in logs from Microsoft Entra ID. The data is sourced from the Microsoft Graph API (specifically the auditLogs endpoint). Sentinel uses a diagnostic setting on the Entra ID tenant to stream these logs to a Log Analytics workspace. Alternatively, you can use the legacy connector that polls the Graph API directly, but the diagnostic setting method is preferred for reliability and lower latency.
- The diagnostic setting for Entra ID must be configured in the Azure portal > Microsoft Entra ID > Diagnostic settings. You can stream the following log categories:
- AuditLogs: All directory changes (user, group, application, policy changes).
- SignInLogs: All sign-in events (interactive, non-interactive, service principal, managed identity sign-ins).
- NonInteractiveUserSignInLogs: Sign-ins performed by clients on behalf of users without user interaction.
- ServicePrincipalSignInLogs: Sign-ins by service principals.
- ManagedIdentitySignInLogs: Sign-ins by managed identities.
- ProvisioningLogs: User provisioning events.
- ADFSSignInLogs: Sign-ins from Active Directory Federation Services (ADFS) if integrated.
- RiskyUsers: Users flagged as risky by Identity Protection.
- UserRiskEvents: Risk detections for users.
- For security monitoring, you typically stream AuditLogs, SignInLogs, and NonInteractiveUserSignInLogs because they cover most identity-based attacks.
- The logs appear in the AuditLogs and SignInLogs tables in the workspace. Each record includes:
- UserPrincipalName: the user who performed the action or signed in.
- Operation: the operation (e.g., "Add user", "Update user").
- Result: Success or Failure.
- TimeGenerated: timestamp.
- IPAddress: the source IP address.
- AppDisplayName: the application used.
- The connector requires Global Administrator or Security Administrator permissions to configure the diagnostic setting. After configuration, logs stream with a latency of typically 2-5 minutes for audit logs and 5-10 minutes for sign-in logs.
Key Components, Defaults, and Timers
Azure Activity Log retention: 90 days in the Activity Log service. When streamed to Log Analytics, retention is governed by the workspace retention setting (default 30 days for free tier, up to 730 days for paid tiers).
Entra ID log retention: Audit logs and sign-in logs are retained for 30 days in the source with a Premium P1/P2 license. When streamed to Log Analytics, retention follows the workspace retention setting.
Diagnostic settings: Can be configured at subscription level (for Activity Log) or tenant level (for Entra ID). You can stream to multiple destinations (e.g., Log Analytics, Event Hubs, Storage Account).
Data volume: Activity Log events are typically low volume (hundreds per day for a small subscription). Entra ID logs can be high volume (thousands to millions per day depending on user count and activity).
Cost: Ingesting these logs into Log Analytics incurs data ingestion charges. Activity Log is usually free for the first 5 GB/month per workspace (as part of Azure Monitor free tier). Entra ID logs are billed at standard Log Analytics ingestion rates.
Configuration and Verification Commands
Azure Activity Log Connector
In Sentinel, under Data connectors, select "Azure Activity" and click "Open connector page".
Click "Connect" to configure the diagnostic setting at the subscription level. This creates a diagnostic setting named MicrosoftSentinel-ActivityLog (or similar).
Verify by querying:
```kusto
AzureActivity
| take 10
```
If no data appears, check that the subscription-level diagnostic setting exists:
```bash
# Subscription-level (Activity Log) diagnostic settings have their own command group
az monitor diagnostic-settings subscription list --subscription <subscription-id>
```
Entra ID Connector
In Sentinel, under Data connectors, select "Azure Active Directory" (now labeled "Microsoft Entra ID").
Click "Open connector page".
Click "Connect" to configure the diagnostic setting. You must be a Global Admin or Security Admin.
Select the log categories (AuditLogs, SignInLogs, etc.) and the workspace.
Verify by querying:
```kusto
AuditLogs
| take 10
```
Or:
```kusto
SignInLogs
| take 10
```
If data is missing, verify the diagnostic setting in Entra ID > Diagnostic settings. Also ensure that the workspace is in the same tenant as Entra ID (cross-tenant streaming is not supported).
Interaction with Related Technologies
Azure Policy: Activity Log events can trigger Azure Policy evaluation (e.g., when a resource is created, Policy checks compliance).
Azure Monitor Alerts: You can create alerts on Activity Log events (e.g., when a VM is created).
Microsoft Defender for Cloud: Security events from Defender for Cloud appear in the Activity Log (Security category).
Identity Protection: Entra ID logs include risk events that can be used by Identity Protection to trigger conditional access.
Sentinel Analytics Rules: Both connectors feed into analytics rules. For example, a rule can detect when a user creates a VM after a failed sign-in attempt from a new location.
Common Issues and Troubleshooting
No data in the AzureActivity table: check that the diagnostic setting exists at the subscription level, that the workspace is in the same region as the subscription (some regions require the workspace to be in the same region), and that you have the required permissions.
No data in AuditLogs or SignInLogs: Verify diagnostic setting in Entra ID. Ensure you have Global Admin or Security Admin. Check that the workspace is in the same tenant. Wait up to 15 minutes for first data.
Duplicate events: If you have multiple diagnostic settings streaming the same logs to the same workspace, you may get duplicates. This is rare but possible.
Missing categories: If you only stream Administrative category, you won't see Security or Service Health events. Adjust the diagnostic setting to include required categories.
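The troubleshooting checks above (no data, missing categories, stale tables) can be run as one query. The following is an added health-check query, not part of the original chapter. It assumes the connector tables under their actual Log Analytics names: `SigninLogs` (lower-case i; KQL table names are case-sensitive) and the `AAD`-prefixed tables for the other sign-in categories, and the one-hour staleness threshold is an assumed value to tune.

```kusto
// Added example: freshness and category coverage for the Azure Activity and Entra ID connectors.
let stale_after = 1h;   // assumption: no rows for an hour counts as a gap (first data can take 15 min)
let lookback = 7d;
// Last event and 7-day count per destination table. A table that never received data
// is absent from the output, which itself means that category is not being streamed.
let per_table =
    union withsource = Scope isfuzzy = true
        AzureActivity, AuditLogs, SigninLogs,
        AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastEvent = max(TimeGenerated) by Scope;
// Activity Log categories that actually arrive; streaming only Administrative is the
// common misconfiguration, so Security / ServiceHealth rows will simply be missing here.
let per_category =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastEvent = max(TimeGenerated)
        by Scope = strcat("AzureActivity/", CategoryValue);
union per_table, per_category
| extend MinutesSinceLast = datetime_diff('minute', now(), LastEvent)
| extend Status = iff(LastEvent < ago(stale_after), "GAP", "OK")
| order by Status asc, Scope asc
```

Compare the `Scope` rows against the categories you selected in the diagnostic setting; anything selected but absent, or marked GAP, points at the setting, permissions, or tenant mismatch discussed above.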
Enable Azure Activity Log Connector
In Sentinel, navigate to Data connectors and select 'Azure Activity'. Click 'Open connector page'. Click 'Connect' to create a diagnostic setting at the subscription level that streams all Administrative events to the Log Analytics workspace. This requires Contributor or Owner permissions on the subscription. The connector does not require an agent. After connection, the diagnostic setting is automatically named 'MicrosoftSentinel-ActivityLog' and can be viewed in Azure Monitor > Diagnostic settings. Data starts flowing within minutes.
Verify Azure Activity Log Ingestion
After enabling the connector, run a KQL query to verify data: `AzureActivity | take 10`. If no results appear after 15 minutes, check that the subscription-level diagnostic setting exists using Azure CLI: `az monitor diagnostic-settings subscription list --subscription <subscription-id>`. Also confirm that the workspace is in the same region as the subscription. Check that the subscription is not excluded by Azure Policy. Common issue: the diagnostic setting may be accidentally deleted or misconfigured to stream only certain categories.
Enable Entra ID Connector
In Sentinel, select 'Microsoft Entra ID' connector. Click 'Open connector page'. Click 'Connect' to configure a diagnostic setting in Microsoft Entra ID. You must be a Global Administrator or Security Administrator. Select the log categories: AuditLogs, SignInLogs, NonInteractiveUserSignInLogs. Choose the Log Analytics workspace. The diagnostic setting will stream logs to the workspace. Note: This requires a Microsoft Entra ID P1 or P2 license to access audit logs; sign-in logs require P1/P2 for certain details.
Verify Entra ID Log Ingestion
After enabling the connector, query the tables: `AuditLogs | take 10` and `SignInLogs | take 10`. Data may take up to 15 minutes to appear. If no data, check the diagnostic setting in Entra ID > Diagnostic settings. Ensure the workspace is in the same tenant (cross-tenant streaming is not supported). Also verify that the logs are not being filtered by a diagnostic setting that only includes certain categories. Check Azure service health for any known issues with Entra ID log streaming.
Configure Retention and Cost Monitoring
By default, Log Analytics retains data for 30 days (or 90 days for some tiers). Adjust retention in the workspace settings to meet compliance needs. Monitor data ingestion volume using the `Usage` table: `Usage | where TimeGenerated > ago(30d) | summarize sum(Quantity) by DataType`. Set budget alerts to avoid unexpected costs. Note that Entra ID logs can be high volume; consider filtering out non-essential sign-in logs (e.g., non-interactive) if not needed.
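Extending the `Usage` query above, here is an added example (not from the original chapter) that splits 30-day volume for the connector tables into total and billable gigabytes and shows each table's share, which is the figure you need before deciding whether to drop a sign-in category such as non-interactive sign-ins. It assumes the table names in the `connector_tables` array are the ones your diagnostic settings write to.

```kusto
// Added example: 30-day ingestion volume per connector table. Usage.Quantity is in MB.
let connector_tables = dynamic(["AzureActivity", "AuditLogs", "SigninLogs",
                                "AADNonInteractiveUserSignInLogs", "AADServicePrincipalSignInLogs",
                                "AADManagedIdentitySignInLogs"]);
// Total MB across all connector tables, used to compute each table's share
let total_mb = toscalar(
    Usage
    | where TimeGenerated > ago(30d)
    | where DataType in (connector_tables)
    | summarize sum(Quantity));
Usage
| where TimeGenerated > ago(30d)
| where DataType in (connector_tables)
| summarize TotalGB = round(sum(Quantity) / 1024.0, 2),
            BillableGB = round(sumif(Quantity, IsBillable) / 1024.0, 2) by DataType
| extend AvgGBPerDay = round(TotalGB / 30.0, 3),
         ShareOfConnectorVolumePct = round(100.0 * TotalGB * 1024.0 / total_mb, 1)
| order by TotalGB desc
```

A large `BillableGB` for `AADNonInteractiveUserSignInLogs` relative to `SigninLogs` is the usual signal that the non-interactive category is worth reviewing.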
Enterprise Scenario 1: Detecting Privilege Escalation via Azure Activity and Entra ID
A large enterprise uses Sentinel to monitor for privilege escalation attacks. An attacker compromises a low-privileged user account through phishing. The attacker then uses Azure PowerShell to assign themselves a Contributor role on a subscription. The Azure Activity Log captures the role assignment operation (Microsoft.Authorization/roleAssignments/write) with the caller's UPN. Simultaneously, the Entra ID audit log captures the change to the user's directory object (if the role assignment involved a group membership change). Sentinel's analytics rule correlates the two: a user who has never performed role assignments suddenly does so from an unusual IP. The rule triggers an incident. Without both connectors, the detection would miss the role assignment (Activity Log) or the user context (Entra ID). In production, the enterprise streams all Administrative events and all AuditLogs and SignInLogs. They also enable UserRiskEvents to catch risky sign-ins. Performance considerations: they use a Log Analytics workspace with a 90-day retention and set daily ingestion cap to avoid cost spikes.
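The correlation described in Scenario 1, written out as an added example analytics rule query; it is not from the original chapter and not a Microsoft-provided rule. It uses the current `AzureActivity` column names (`OperationNameValue`, `ActivityStatusValue`, `CallerIpAddress`, `_ResourceId`) rather than the legacy names listed earlier, the `SigninLogs` table name, and assumes a 30-day baseline, a one-hour rule window, and that `Caller` is a UPN (true for users; service principals appear as object ids).

```kusto
// Added example: first-ever role assignment by a user, correlated with a sign-in from an IP
// that user has not used in the baseline period. Both AzureActivity and SigninLogs are required.
let baseline = 30d;          // history that defines what a user has "never done before"
let window = 1h;             // rule frequency / lookback for new role assignments
let signin_lookback = 2h;    // the sign-in that preceded the assignment may be older than the window
let role_write = "Microsoft.Authorization/roleAssignments/write";
// Callers who already made role assignments during the baseline (excluded as "known")
let known_assigners =
    AzureActivity
    | where TimeGenerated between (ago(baseline) .. ago(window))
    | where OperationNameValue =~ role_write        // stored upper-case, so compare case-insensitively
    | summarize by CallerKey = tolower(Caller);
// Source IPs each user signed in from during the baseline
let known_ips =
    SigninLogs
    | where TimeGenerated between (ago(baseline) .. ago(window))
    | where ResultType == "0"                       // ResultType is a string; "0" is a successful sign-in
    | summarize by CallerKey = tolower(UserPrincipalName), IPAddress;
// Recent successful role assignments by a caller with no history of making them
AzureActivity
| where TimeGenerated > ago(window)
| where OperationNameValue =~ role_write
| where ActivityStatusValue in~ ("Success", "Succeeded")   // current and legacy status values
| extend CallerKey = tolower(Caller)
| where CallerKey !in (known_assigners)
| project AssignmentTime = TimeGenerated, CallerKey, Caller, CallerIpAddress, SubscriptionId,
          AssignmentScope = _ResourceId
// Attach the caller's recent successful sign-ins (none for service principals, which use other tables)
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(signin_lookback)
    | where ResultType == "0"
    | project SignInTime = TimeGenerated, CallerKey = tolower(UserPrincipalName),
              IPAddress, AppDisplayName, Location
  ) on CallerKey
// Drop sign-ins from an IP this user already used in the baseline; what remains is "new location"
| join kind=leftanti known_ips on CallerKey, IPAddress
| extend Evidence = iff(isempty(IPAddress),
                        "first role assignment; no correlated user sign-in",
                        "first role assignment after sign-in from a new IP")
| project AssignmentTime, Caller, CallerIpAddress, SubscriptionId, AssignmentScope,
          SignInTime, IPAddress, Location, AppDisplayName, Evidence
| order by AssignmentTime desc
```

Schedule it with the same one-hour frequency and lookback as `window`; the `Evidence` column separates the high-confidence rows (new IP) from first-time assignments that still deserve a look.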
Enterprise Scenario 2: Investigating a Data Exfiltration via Storage Account
A company suspects data exfiltration from a storage account. The security team uses Sentinel to investigate. They query the AzureActivity table for any write operations to the storage account (e.g., Microsoft.Storage/storageAccounts/listKeys/action). They find that a service principal accessed the storage account keys. Then they query the SignInLogs table to see if that service principal had any unusual sign-ins (e.g., from an unexpected IP). They find that the service principal signed in from a known attacker IP. They also check AuditLogs to see if the service principal's permissions were changed recently. This investigation relies on both connectors. Common misconfiguration: if the diagnostic setting for Entra ID does not include ServicePrincipalSignInLogs, the investigation would miss the service principal sign-in. In production, they stream all sign-in log categories.
Enterprise Scenario 3: Compliance Monitoring for Resource Deletion
A regulated industry must track all resource deletions. They use the Azure Activity Log connector to capture delete operations (e.g., Microsoft.Compute/virtualMachines/delete). They also use Entra ID audit logs to see who performed the deletion. They set up Sentinel analytics rules to alert on any deletion outside business hours. They also archive Activity Logs to a storage account for long-term retention (beyond the 90-day default). Performance: they use Azure Policy to enforce diagnostic settings on all subscriptions. Common issue: if a subscription is moved to a new tenant, the diagnostic setting breaks and must be recreated. They monitor the connector health using Sentinel's data connectors health monitoring feature.
What SC-200 Tests on This Topic (Objective 2.1)
Objective 2.1: "Connect data sources to Microsoft Sentinel by using data connectors." Specifically, you must know:
How to enable the Azure Activity and Entra ID connectors.
The permissions required (Contributor/Owner for Activity Log; Global Admin/Security Admin for Entra ID).
The tables created: AzureActivity, AuditLogs, SignInLogs.
The log categories available for each connector.
How to verify data ingestion using KQL queries.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: "The Azure Activity Log connector requires a Log Analytics agent on each resource." Why: Candidates confuse Activity Log with resource diagnostic logs (e.g., VM metrics). The Activity Log is a subscription-level log that does not require any agent. It uses diagnostic settings.
2. Wrong answer: "Entra ID connector can be enabled by any user with Security Reader role." Why: Security Reader can view logs but cannot create diagnostic settings. The connector requires Global Admin or Security Admin to configure the diagnostic setting in Entra ID.
3. Wrong answer: "Both connectors stream data to the 'AzureActivity' table." Why: Only Activity Log uses the AzureActivity table. Entra ID logs use AuditLogs and SignInLogs tables. Candidates may mix them up.
4. Wrong answer: "You can stream Entra ID logs to a Log Analytics workspace in a different tenant." Why: Cross-tenant streaming is not supported for Entra ID diagnostic settings. The workspace must be in the same tenant.
Specific Numbers, Values, and Terms That Appear Verbatim on the Exam
Default retention: Activity Log 90 days; Entra ID audit logs 30 days (with P1/P2).
Tables: AzureActivity, AuditLogs, SignInLogs.
Permissions: Contributor/Owner for Activity Log; Global Admin or Security Admin for Entra ID.
Log categories: Administrative (Activity Log); AuditLogs, SignInLogs (Entra ID).
Latency: 2-5 minutes for audit, 5-10 minutes for sign-in.
Edge Cases and Exceptions the Exam Loves to Test
What if the subscription is moved? The diagnostic setting is not automatically moved; it breaks and must be recreated.
What if the workspace is deleted and recreated? The diagnostic setting points to the old workspace; you must update it.
Can you stream Activity Logs from multiple subscriptions to one workspace? Yes, you can create diagnostic settings on each subscription pointing to the same workspace.
Can you stream Entra ID logs to multiple workspaces? Yes, you can add multiple destinations in the diagnostic setting.
What if you have both free and paid tiers of Entra ID? Audit logs are only available with P1/P2; sign-in logs require P1/P2 for full details.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If a question asks about ingesting resource management actions (e.g., creating a VM), the answer should involve the Azure Activity Log connector, not Entra ID.
If a question asks about user sign-in failures, the answer should involve the Entra ID connector (SignInLogs).
If a question asks about permissions needed, remember: creating diagnostic settings requires write permissions on the resource (subscription or tenant). So Contributor/Owner for subscription-level settings, Global Admin/Security Admin for tenant-level settings.
If a question asks about data retention, remember that the default retention in Log Analytics is configurable; the 90-day and 30-day defaults are for the source service, not the workspace.
Azure Activity Log connector ingests subscription-level control plane events into the `AzureActivity` table using diagnostic settings.
Entra ID connector ingests audit and sign-in logs into `AuditLogs` and `SignInLogs` tables using diagnostic settings on the tenant.
Permissions required: Contributor/Owner for Activity Log; Global Admin or Security Admin for Entra ID.
No agents are required for either connector; both use Azure platform diagnostic settings.
Default retention: Activity Log 90 days in source, Entra ID logs 30 days in source (with P1/P2).
Cross-tenant streaming is not supported for Entra ID diagnostic settings; workspace must be in same tenant.
To verify data ingestion, use KQL queries: `AzureActivity | take 10`, `AuditLogs | take 10`, `SignInLogs | take 10`.
Common misconfiguration: missing log categories (e.g., only streaming Administrative but not Security events).
The connectors are foundational for detecting attacks that combine identity compromise with resource abuse.
Cost: data ingestion charges apply; Activity Log is often free within first 5 GB/month per workspace.
These come up on the exam all the time. Here's how to tell them apart.
Azure Activity Log Connector
Captures control plane operations on Azure resources (e.g., create VM, assign role).
Streams data to the `AzureActivity` table in Log Analytics.
Requires Contributor or Owner permissions on the subscription.
Log retention in source is 90 days; in workspace configurable.
Low to moderate data volume (hundreds to thousands of events per day per subscription).
Entra ID Connector
Captures identity events (user sign-ins, directory changes, application operations).
Streams data to `AuditLogs` and `SignInLogs` tables (and others).
Requires Global Administrator or Security Administrator permissions on the tenant.
Log retention in source is 30 days (with P1/P2); in workspace configurable.
High data volume (thousands to millions of events per day depending on user count).
Mistake
The Azure Activity Log connector requires an agent installed on each Azure resource.
Correct
No agent is needed. The connector uses Azure Monitor diagnostic settings to stream the subscription-level Activity Log directly to the Log Analytics workspace. This is a platform-level streaming mechanism, not an agent-based collection.
Mistake
The Entra ID connector can be enabled by any user with the Security Reader role.
Correct
Security Reader can view logs but cannot create diagnostic settings. To enable the connector, you need Global Administrator or Security Administrator permissions to configure the diagnostic setting in Microsoft Entra ID.
Mistake
Both connectors stream data into the same table in Log Analytics.
Correct
The Azure Activity Log connector streams data into the `AzureActivity` table. The Entra ID connector streams audit logs into the `AuditLogs` table and sign-in logs into the `SignInLogs` table. They are separate tables.
Mistake
You can stream Entra ID logs to a Log Analytics workspace in a different Azure tenant.
Correct
Cross-tenant streaming is not supported for Entra ID diagnostic settings. The workspace must be in the same tenant as the Entra ID directory. This is a limitation of the diagnostic settings feature.
Mistake
The Azure Activity Log connector captures all operations on Azure resources, including data plane operations like reading a blob.
Correct
The Activity Log captures only control plane operations (management actions) such as creating a VM or deleting a storage account. Data plane operations (e.g., reading a blob, writing to a SQL database) are not captured. For data plane logs, you need resource diagnostic settings or resource-specific logs.
You need at least Contributor permissions on the subscription (or Owner) to create diagnostic settings. The diagnostic setting is created at the subscription level to stream Activity Log events to the Log Analytics workspace. If you only have Reader permissions, you cannot enable the connector. On the exam, remember that Contributor is the minimum role.
The Entra ID connector streams logs into several tables depending on the categories selected. The most common are `AuditLogs` (directory changes) and `SignInLogs` (user sign-ins). Other tables include `NonInteractiveUserSignInLogs`, `ServicePrincipalSignInLogs`, `ManagedIdentitySignInLogs`, `ProvisioningLogs`, `ADFSSignInLogs`, `RiskyUsers`, and `UserRiskEvents`. You can query these tables in Log Analytics using KQL.
For the Azure Activity Log connector, data usually starts flowing within 5-10 minutes. For the Entra ID connector, audit logs appear within 2-5 minutes, and sign-in logs within 5-10 minutes. However, it can take up to 15 minutes for the first batch of data to appear. If you see no data after 15 minutes, check the diagnostic settings and permissions.
Yes, you can create diagnostic settings on each subscription that point to the same Log Analytics workspace. This aggregates all Activity Log events into the `AzureActivity` table in that workspace. This is common in enterprises with many subscriptions. Ensure you have appropriate permissions on each subscription.
The Azure Activity Log retains events for 90 days in the source service. Entra ID retains audit logs for 30 days (with a P1 or P2 license; without premium, only 7 days of audit logs are available). Sign-in logs are retained for 30 days with P1/P2. After streaming to Log Analytics, retention is governed by the workspace retention setting (default 30 days, configurable up to 730 days).
Possible reasons: (1) The diagnostic setting in Entra ID may not include the AuditLogs category. (2) You may not have the required permissions (Global Admin or Security Admin) to configure the setting. (3) The Log Analytics workspace might be in a different tenant. (4) There may be a temporary service issue. Check the diagnostic setting in the Entra ID portal and ensure the workspace is in the same tenant. Also verify that you have a valid Entra ID P1 or P2 license.
No. The Azure Activity Log only captures control plane operations (management plane) such as creating, deleting, or modifying Azure resources. Data plane operations (e.g., reading a blob, writing to a SQL database, sending a message to a queue) are not captured in the Activity Log. For data plane logs, you need to enable diagnostic settings on the specific resource (e.g., storage account diagnostic settings) or use resource-specific logs.