How to Enable Two New Logs to Monitor for Azure Active Directory in Microsoft Sentinel

There are three new logs available for Azure Active Directory, but only two are currently populating data. Once enabled they will generate the following new tables:

AADServicePrincipalRiskEvents – Logs generated by identity protection for Azure AD service principal risk events.

AADRiskyServicePrincipals – Logs generated by identity protection for Azure AD risky service principals.

NetworkAccessTrafficLogsdetails still being surfacedcheck back

To enable these for access in Microsoft Sentinel…

  1. Locate the Diagnostic Settings section in the Azure Active Directory service.
  2. Find the Diagnostic Setting that is pointing to the Log Analytics workspace for your Microsoft Sentinel environment.
  3. Edit the current Diagnostic Setting and enable the three new logs.
Enable the new tables


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]


Leave a Reply