Share via
David Eyles 1Reputation point
For my customer we are trialing MS Sentinel and trying to connector their AD signin logs but does not seem to connect.
Audit logs are working fine.
So we know we need a P1 or P2 license and that the AD P1 is provided by the M365 Business Premium licenses they have, but still no signin data is connecting or available in Sentinel.
Any ideas why?
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,123 questions
Sign in to follow
0 commentsNo comments
Sign in to comment
2 answers
Sort by: Most helpful
-
Givary-MSFT 32,311Reputation points • Microsoft Employee
2022-02-17T12:21:59.217+00:00 Thank you reaching out to us. I agree to your statement if you have P1 license, you should be able to ingest sign-in logs into sentinel
Also check the user who is configuring the data connector is Global Admin/Security Admin Role & P1/P2 license assigned to the user.
Also query Log Analytics Workspace for Sign-in logs ?
SigninLogs
| take 1000
| sort by TimeGeneratedDavid Eyles 1Reputation point
2022-02-17T14:19:38.363+00:00 Checked all of these but still no signin data.
We get the audit logs but connector signin shows broken.
Givary-MSFT 32,311Reputation points • Microsoft Employee
2022-02-17T16:00:46.7+00:00 Uncheck the sign in logs from connector page, click apply and re-check the same, if it helps.
Also do you see the sign in logs in your Azure AD portal ?
Sign in to comment
-
Andrew Blumhardt 9,856Reputation points • Microsoft Employee
2022-02-17T12:23:40.17+00:00 You might try checking to confirm user assignment: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups
David Eyles 1Reputation point
2022-02-17T15:22:38.61+00:00 all users have M365 Business Premium assigned
Sign in to comment
Sign in to answer
