This chapter covers Microsoft 365 Defender data connectors in Microsoft Sentinel—how they ingest security alerts and raw events from Microsoft 365 Defender components into Sentinel for unified analysis and incident response. This topic is directly tested under SC-200 objective 2.1 (Connect Microsoft services to Microsoft Sentinel) and typically accounts for about 5–8% of exam questions. You will learn the internal mechanism of each connector, configuration steps, health monitoring, and common pitfalls that the exam loves to test.
Jump to a section
Imagine a large corporate mailroom that receives all incoming packages for the entire company. The mailroom (Microsoft 365 Defender) is connected to every department's internal mail system (Microsoft Sentinel). Each package represents a security alert—phishing emails, compromised user accounts, malware detections, etc. The mailroom has specialized scanners: one for emails (Exchange Online Protection), one for endpoints (Microsoft Defender for Endpoint), one for identities (Microsoft Defender for Identity), one for cloud apps (Microsoft Defender for Cloud Apps), and one for sensitive data (Microsoft Purview). When a package arrives, the appropriate scanner inspects it and stamps it with metadata: alert ID, severity, timestamp, and MITRE ATT&CK technique. All stamped packages are then routed to a central sorting table (the unified alerts queue). From there, a secure courier service (the data connector) transports each package to the main corporate security operations center (Microsoft Sentinel). The courier uses a dedicated tunnel (the diagnostic settings pipeline) that ensures no package is lost or tampered with. Once in Sentinel, the packages are unpacked and their data is stored in specific tables (like EmailEvents, DeviceEvents, IdentityLogonEvents) for analysis. If the mailroom's scanner misses a package or the courier is delayed, the SOC cannot see the alert—this is why proper connector configuration is critical. The mailroom also sends a daily manifest (the connector health status) so the SOC knows which packages were delivered and which were delayed.
What Are Microsoft 365 Defender Data Connectors?
Microsoft 365 Defender data connectors are the integration points that allow Microsoft Sentinel to ingest security data from Microsoft 365 Defender services. Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that coordinates protection across:
Microsoft Defender for Endpoint (MDE) — for endpoint detection and response (EDR)
Microsoft Defender for Office 365 (MDO) — for email and collaboration security
Microsoft Defender for Identity (MDI) — for identity threat detection
Microsoft Defender for Cloud Apps (MDCA) — for cloud application security
Microsoft Purview (formerly Microsoft 365 compliance) — for data loss prevention and insider risk
Each of these services generates alerts and, in some cases, raw event data. The connectors bridge these services to Sentinel, enabling cross-domain correlation, unified incident management, and automated response using playbooks.
How Connectors Work Internally
All M365 Defender connectors operate via the diagnostic settings mechanism of the underlying Azure resources or via direct API integration. The key architectural point is that data flows from the M365 Defender service to Sentinel through an Azure Event Hubs namespace or directly via the Log Analytics API under the hood. When you enable a connector, Sentinel creates a data collection rule (DCR) or a diagnostic setting that routes specified logs and events to the Sentinel workspace.
For example, the Microsoft Defender for Endpoint connector uses the MicrosoftGraphSecurity API to fetch alerts. Sentinel polls the API every 5 minutes (default) for new alerts and ingests them into the SecurityAlert table with the provider name MicrosoftDefenderForEndpoint. However, if you want streaming raw events (like device logons, process creation), you must enable the Microsoft Defender for Endpoint raw events connector which uses the Advanced Hunting API. This connector streams data into tables like DeviceEvents, DeviceLogonEvents, DeviceProcessEvents, etc. The raw events connector is billed separately based on data volume.
For Microsoft Defender for Office 365, the connector ingests alerts and email events. The Office 365 connector (now part of the M365 Defender umbrella) uses the Office 365 Management Activity API to fetch audit logs and threat detection data. It populates tables like EmailEvents, EmailUrlInfo, EmailAttachmentInfo, and OfficeActivity. The connector can be configured to ingest only specific record types (e.g., Exchange, SharePoint, Teams).
Microsoft Defender for Identity alerts are ingested via the Microsoft 365 Defender connector (unified) or the legacy Azure ATP connector. The current recommended method is to use the Microsoft 365 Defender connector, which pulls alerts from the unified M365 Defender portal. This connector ingests alerts into the SecurityAlert table with provider name MicrosoftDefenderForIdentity.
Microsoft Defender for Cloud Apps feeds alerts and cloud discovery logs via the Microsoft 365 Defender connector as well. Additionally, there is a dedicated Microsoft Defender for Cloud Apps connector that pulls shadow IT discovery data and alerts. The connector uses the Defender for Cloud Apps API and populates SecurityAlert and McasShadowItReporting tables.
Microsoft Purview connectors (for DLP, insider risk) are also part of the M365 Defender ecosystem. They use the Office 365 Management Activity API and the Microsoft 365 Compliance Center to ingest DLP alerts and insider risk alerts into SecurityAlert and OfficeActivity tables.
Key Components, Values, and Defaults
Connector Health: Each connector has a health status displayed in Sentinel > Data connectors > select connector > View health. Statuses: Connected, Disconnected, Error. Connectors that fail to fetch data for 15 minutes are marked Disconnected. Troubleshooting often involves checking permissions (Global Admin or Security Admin), API throttling (M365 Defender APIs have a limit of 1000 requests per minute per tenant), and diagnostic settings configuration.
Data Retention: Connector data inherits the workspace retention policy (default 90 days, can be extended up to 730 days). Some tables like SecurityEvent may have separate retention settings.
Ingestion Latency: Alert data typically appears within 2–5 minutes of generation. Raw event data (e.g., DeviceEvents) may have up to 15-minute latency depending on the connector and volume.
Cost: Alert ingestion is free for Microsoft 365 Defender alerts (no cost for SecurityAlert entries). Raw event ingestion is billed at the standard Log Analytics ingestion rate (currently ~$2.30/GB for Pay-as-you-go).
Permissions: To configure connectors, you need at least Security Reader on the Sentinel workspace and Global Admin or Security Admin in Azure AD (for M365 Defender APIs). For some connectors like Microsoft Defender for Endpoint, you also need Security Administrator in Microsoft 365 Security Center.
Configuration and Verification Commands
While most configuration is done via the Azure portal, you can use PowerShell or Azure CLI for automation. Example PowerShell to enable Microsoft Defender for Endpoint alerts connector:
$workspace = Get-AzOperationalInsightsWorkspace -Name "YourWorkspace" -ResourceGroupName "YourRG"
$workspaceId = $workspace.CustomerId
# Enable Microsoft Defender for Endpoint connector (alerts)
Add-AzSentinelDataConnector -ResourceGroupName "YourRG" -WorkspaceName "YourWorkspace" -DataConnectorId "MicrosoftDefenderForEndpoint" -DataConnectorKind "MicrosoftDefenderForEndpoint"To verify connector status:
Get-AzSentinelDataConnector -ResourceGroupName "YourRG" -WorkspaceName "YourWorkspace"For raw events, you must enable the Microsoft 365 Defender connector (unified) or configure diagnostic settings in the M365 Defender portal. The unified connector is enabled via:
Add-AzSentinelDataConnector -ResourceGroupName "YourRG" -WorkspaceName "YourWorkspace" -DataConnectorId "MicrosoftThreatProtection" -DataConnectorKind "MicrosoftThreatProtection"Interaction with Related Technologies
Azure Policy: You can use Azure Policy to automatically deploy connectors across multiple workspaces.
Workbooks: Many built-in workbooks rely on M365 Defender data (e.g., Microsoft 365 Defender workbook, MDE workbook). Without the connectors, these workbooks show no data.
Analytics Rules: Custom analytics rules can use M365 Defender data. For example, a rule that correlates DeviceLogonEvents with EmailEvents to detect a user clicking a phishing link and then logging into a compromised endpoint.
Incident Creation: M365 Defender alerts are automatically converted to Sentinel incidents if the Microsoft 365 Defender connector is enabled and the Create incidents toggle is on. This is a common exam point: alerts from MDO, MDE, MDI, and MDCA are unified into a single incident in M365 Defender, and then that incident is synced to Sentinel. If you enable individual connectors, you get separate alerts but not the unified incident, unless you also enable the Microsoft 365 Defender connector.
Step-by-Step: Enabling Microsoft 365 Defender Connector (Unified)
In Sentinel, go to Data connectors.
Search for Microsoft 365 Defender.
Select the connector and click Open connector page.
Under Configuration, click Connect.
Ensure the Create incidents toggle is On to automatically create incidents from unified alerts.
Select which Microsoft 365 Defender components to include: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps. By default, all are selected.
Click Apply changes.
Wait 2–5 minutes, then check the connector health. It should show Connected.
To verify data ingestion, query the SecurityIncident table:
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
| take 10Trap Patterns on the Exam
Wrong answer: "Enable the Microsoft Defender for Endpoint connector to get raw event data." Reality: The MDE connector only fetches alerts. For raw events, you need the Microsoft 365 Defender connector (or the raw events connector).
Wrong answer: "You must configure diagnostic settings in Azure to stream M365 Defender logs." Reality: M365 Defender connectors use APIs, not diagnostic settings. Only Azure resources (like VMs, Azure Firewall) use diagnostic settings.
Wrong answer: "All M365 Defender data is free." Reality: Alerts are free; raw event data is billed.
Wrong answer: "You need Global Admin to view connector health." Reality: Security Reader on the workspace is sufficient to view health; Global Admin is needed to configure.
Advanced: Connector Health Monitoring
You can monitor connector health using the ConnectorHealth table (preview). Query:
ConnectorHealth
| where ConnectorName contains "Microsoft 365 Defender"
| project TimeGenerated, ConnectorName, Status, Description
| order by TimeGenerated descIf a connector shows Error, common causes:
Expired or revoked permissions (e.g., service principal deleted)
API throttling (rare, but check M365 Defender service health)
Network restrictions (if using private endpoints)
Summary of Connector Types
| Connector | Data Type | Tables | Cost | |-----------|-----------|--------|------| | Microsoft 365 Defender (unified) | Alerts & Incidents | SecurityAlert, SecurityIncident | Free | | Microsoft Defender for Endpoint (raw events) | Raw events | DeviceEvents, DeviceLogonEvents, etc. | Billable | | Microsoft Defender for Office 365 | Email events, alerts | EmailEvents, EmailUrlInfo, SecurityAlert | Billable (email events free? No, billable) | | Microsoft Defender for Identity | Identity alerts | SecurityAlert | Free | | Microsoft Defender for Cloud Apps | Alerts, discovery logs | SecurityAlert, McasShadowItReporting | Free for alerts, billable for discovery |
Note: The exam may ask which tables are populated by which connector. For instance, DeviceEvents comes from MDE raw events, not from the unified connector.
Exam Relevance
Objective 2.1: Connect Microsoft services to Microsoft Sentinel. This includes:
Enabling data connectors for Microsoft 365 Defender
Configuring diagnostic settings for Azure resources
Using the Microsoft 365 Defender connector to unify alerts
Understanding the difference between alert and raw event connectors
Troubleshooting connector health
Expect 2–3 questions on this chapter. Questions often present a scenario (e.g., "You need to ingest email security events and correlate with endpoint alerts") and ask which connectors to enable.
Identify Required Data Sources
Determine which Microsoft 365 Defender components you need to integrate. For example, if you need endpoint raw events (process creation, network connections) and email threat data, you need both the Microsoft 365 Defender unified connector (for alerts) and the Microsoft Defender for Endpoint raw events connector (for raw events) plus the Office 365 connector (for email events). The exam often tests that alerts alone are not sufficient for advanced hunting; raw events are needed for custom analytics rules. Also consider data retention and cost: raw events incur ingestion charges.
Enable the Unified Microsoft 365 Defender Connector
In Sentinel, open Data connectors, search for Microsoft 365 Defender, and click Open connector page. Click Connect, then ensure Create incidents is On. This connector pulls all alerts from MDE, MDO, MDI, and MDCA into the SecurityAlert and SecurityIncident tables. It also provides the unified incident view. Without this connector, individual component connectors only bring alerts, not the unified incident. The exam emphasizes that this connector is the recommended way to ingest M365 Defender alerts because it reduces alert duplication and correlates incidents.
Enable Specific Component Connectors for Raw Events
For raw event data, enable the appropriate connectors: Microsoft Defender for Endpoint (raw events), Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, etc. These connectors stream advanced hunting data into dedicated tables. For example, the MDE raw events connector populates DeviceEvents, DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, and others. The Office 365 connector populates EmailEvents, EmailUrlInfo, EmailAttachmentInfo, and OfficeActivity. The exam may ask which tables are populated by which connector; knowing these mappings is critical.
Verify Permissions and Licensing
Ensure the account used to enable connectors has at least Security Administrator in Microsoft 365 and Contributor on the Sentinel workspace. Some connectors require Global Admin for initial setup. Also verify that the required licenses are assigned: M365 E5 or standalone licenses for each component (MDE P2, MDO P2, MDI, MDCA). Without proper licensing, the connector may show as connected but ingest no data. The exam tests that licensing is a prerequisite, not just permissions.
Monitor Connector Health and Data Ingestion
After enabling, check the connector health status in the Data connectors blade. Use the ConnectorHealth table to see recent status changes. Query the relevant tables (e.g., DeviceEvents, EmailEvents) to confirm data is flowing. If no data appears, check the ingestion latency (up to 15 minutes) and verify that the M365 Defender service is generating data (e.g., run a test alert). The exam may present a scenario where data is missing, and the correct answer is to check licensing or permissions, not to reinstall the connector.
Enterprise Scenario 1: Phishing Incident Response
A large financial institution uses Microsoft 365 Defender and Sentinel for security operations. They receive a phishing email alert from MDO. The SOC analyst wants to see which endpoints the user accessed after clicking the link. With the Microsoft 365 Defender unified connector, the alert is in Sentinel as an incident. However, to see endpoint raw events, they need the Microsoft Defender for Endpoint raw events connector enabled. Without it, the analyst has to jump to the MDE portal manually. In production, the raw events connector is configured to ingest DeviceNetworkEvents and DeviceProcessEvents. The SOC uses analytics rules that cross-join EmailEvents (from Office 365 connector) with DeviceNetworkEvents to detect lateral movement. The connector is configured with a 30-day retention for raw events to manage costs. A common misconfiguration is enabling the unified connector but forgetting the raw events connector, leading to incomplete investigations. The solution: use Azure Policy to deploy both connectors together.
Enterprise Scenario 2: Insider Threat Detection
A technology company wants to detect data exfiltration by employees. They use Microsoft Purview DLP alerts and Microsoft Defender for Cloud Apps for shadow IT discovery. They enable the Microsoft 365 Defender connector for alerts and the Microsoft Defender for Cloud Apps connector for discovery logs. In production, they ingest McasShadowItReporting to identify unsanctioned cloud apps. They also use the Office 365 connector to monitor OfficeActivity for suspicious file downloads. The connectors are configured with a 90-day retention. Performance consideration: the McasShadowItReporting table can generate large volumes, so they apply a daily cap on the workspace. A common issue is that the connector appears connected but no data flows because the Defender for Cloud Apps license is not assigned to all users. The fix: assign appropriate licenses and verify the connector's data sources in the Defender for Cloud Apps portal.
Scenario 3: Unified Incident Management
A managed security service provider (MSSP) manages multiple tenants. They use Sentinel in a central workspace with multiple data connectors per tenant. They enable the Microsoft 365 Defender unified connector for each tenant to get consolidated incidents. They also enable individual component connectors for raw events on a per-tenant basis. The challenge is managing connector health across tenants. They use the ConnectorHealth table and Azure Monitor alerts to notify when a connector disconnects. A common failure: the service principal used for the connector expires, causing all connectors to fail. The solution: use managed identities where possible and set up renewal reminders. The exam may test that connector health is checked via the portal or the ConnectorHealth table.
SC-200 Objective Codes
This chapter maps to objective 2.1: Connect Microsoft services to Microsoft Sentinel. Specifically, sub-objectives:
Connect Microsoft 365 Defender to Microsoft Sentinel
Configure data connectors for Microsoft 365 Defender services
Manage connector health and data ingestion
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: Enable the Microsoft 365 Defender connector to get raw event data. Why chosen: Candidates see 'Microsoft 365 Defender' and assume it includes everything. Reality: The unified connector only ingests alerts and incidents. Raw events require separate connectors (e.g., MDE raw events, Office 365 connector).
2. Wrong answer: Configure diagnostic settings on the M365 Defender service to stream logs to Sentinel. Why chosen: Diagnostic settings are used for Azure resources, but M365 Defender is not an Azure resource—it’s a SaaS service. M365 Defender connectors use APIs, not diagnostic settings. Only Azure resources (like VMs, Azure Firewall) use diagnostic settings.
3. Wrong answer: You need Global Admin to view connector health. Why chosen: Global Admin is often required for configuration, but viewing health only needs Security Reader on the workspace. The exam tests least privilege.
4. Wrong answer: Alerts from MDO, MDE, etc., are automatically correlated into incidents in Sentinel without the Microsoft 365 Defender connector. Why chosen: Candidates think individual connectors create incidents. Reality: Individual connectors create separate alerts. The unified Microsoft 365 Defender connector creates a single incident from correlated alerts across services.
Specific Numbers and Values to Memorize
5 minutes: Default polling interval for alert connectors (not raw events).
15 minutes: Connector marked Disconnected if no data for 15 minutes.
1000 requests per minute: API throttling limit for M365 Defender APIs.
90 days: Default workspace retention (can be up to 730 days).
Tables: SecurityAlert, SecurityIncident, DeviceEvents, EmailEvents, McasShadowItReporting, OfficeActivity.
Edge Cases and Exceptions
Multiple workspaces: You can connect the same M365 Defender tenant to multiple Sentinel workspaces? No, each M365 Defender tenant can only be connected to one Sentinel workspace at a time. This is a common exam trick.
MDE raw events connector: Requires MDE P2 license. If you have P1, you can only get alerts, not raw events.
Office 365 connector: It is not part of the Microsoft 365 Defender connector; it is a separate connector. The exam may ask which connector to use for email events.
How to Eliminate Wrong Answers
If the question asks for 'raw events' or 'advanced hunting data', eliminate any answer that only mentions the unified Microsoft 365 Defender connector.
If the question mentions 'diagnostic settings', eliminate unless the resource is an Azure resource (e.g., Azure Firewall, Azure VM).
If the question asks about 'incident correlation', look for the Microsoft 365 Defender connector with 'Create incidents' enabled.
If the question involves 'cost', remember alerts are free, raw events are billable.
The Microsoft 365 Defender unified connector ingests alerts and incidents only; raw events require separate connectors.
Connector health status is shown in the Data connectors blade; use ConnectorHealth table for automated monitoring.
Diagnostic settings are NOT used for M365 Defender connectors; they are for Azure resources.
The unified connector must have 'Create incidents' enabled to automatically generate incidents from correlated alerts.
Alert ingestion from M365 Defender is free; raw event ingestion is billed at standard Log Analytics rates.
Each M365 Defender tenant can only be connected to one Sentinel workspace at a time.
To ingest email events (e.g., EmailEvents), enable the Office 365 connector, not the unified connector.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft 365 Defender Unified Connector
Ingests alerts and incidents from all M365 Defender services
Creates unified incidents automatically
Free of charge (alert ingestion only)
Requires M365 E5 or equivalent license
Recommended for incident correlation
Individual Component Connectors (e.g., MDE, MDO)
Ingests alerts from a single service (e.g., MDE alerts only)
Does not create unified incidents; each alert is separate
Also free for alerts; raw events connectors are billable
May require standalone licenses (e.g., MDE P2 for raw events)
Used when only specific service data is needed
Mistake
The Microsoft 365 Defender connector brings in all data including raw events.
Correct
It only brings alerts and incidents. Raw events require separate connectors (e.g., MDE raw events, Office 365 connector).
Mistake
You can use diagnostic settings to stream M365 Defender logs to Sentinel.
Correct
M365 Defender is a SaaS service, not an Azure resource. It uses APIs via connectors, not diagnostic settings. Diagnostic settings are for Azure resources.
Mistake
Enabling individual component connectors (e.g., MDE, MDO) creates unified incidents in Sentinel.
Correct
Individual connectors create separate alerts. Only the Microsoft 365 Defender connector (with Create incidents enabled) creates unified incidents that correlate alerts across services.
Mistake
Connector health can only be checked in the Data connectors blade.
Correct
You can also query the ConnectorHealth table in Log Analytics for automated monitoring.
Mistake
All M365 Defender connectors require Global Admin to configure.
Correct
Security Administrator in Microsoft 365 and Contributor on the workspace are sufficient for most connectors. Global Admin is only needed for initial API consent in some cases.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The Microsoft 365 Defender connector is a unified connector that ingests alerts and incidents from all M365 Defender services (MDE, MDO, MDI, MDCA) and creates a single incident from correlated alerts. Individual component connectors (e.g., Microsoft Defender for Endpoint) only pull alerts from that specific service and do not correlate across services. For raw event data (e.g., DeviceEvents), you must use the individual raw events connectors (e.g., Microsoft Defender for Endpoint raw events).
Yes, if you want both unified incidents and raw event data. The unified connector gives you incidents and alerts. For raw events (advanced hunting data), you need the individual raw events connectors (e.g., MDE raw events, Office 365 connector). However, the unified connector alone may suffice if you only need alert data.
Common causes: expired permissions (re-consent the API permissions), licensing issues (user or tenant missing required licenses), or network restrictions. Check the connector health description in the portal. Also verify that the service principal used has not been deleted. If the connector was disconnected for more than 15 minutes, it will show as Disconnected.
No. Each M365 Defender tenant can only be connected to one Sentinel workspace. If you need the data in multiple workspaces, you must either use a central workspace or export data from the first workspace to others (e.g., via continuous export).
Alert ingestion from Microsoft 365 Defender connectors is free. However, raw event data (e.g., DeviceEvents, EmailEvents) is billed at the standard Log Analytics ingestion rate. The unified connector only ingests alerts, so it incurs no cost.
The unified connector populates the SecurityAlert and SecurityIncident tables. Raw event tables like DeviceEvents, EmailEvents, etc., are populated by individual raw events connectors.
Use the ConnectorHealth table in Log Analytics. Example query: ConnectorHealth | where ConnectorName contains 'Microsoft 365 Defender' | project TimeGenerated, ConnectorName, Status, Description. You can also set up alerts based on this table.
You've just covered M365 Defender Data Connectors — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?