Microsoft Entra ID

Samurai [Local] Collector	Samurai [Cloud] Collector

This guide describes the steps required to configure a Microsoft Entra ID to send logs to a Storage account for ingestion to Samurai via a cloud collector.

Prerequisites

Ensure that a cloud collector has been deployed via the Samurai MDR portal.

Guide available here

The storage account created via the cloud collector needs to reside in the same region as the telemetry sources which will be ingested into the Samurai platform. For ingesting telemetry from multiple regions you need to create additional cloud collector(s) for each region.

Take note of the name of the storage account created and which subscription it resides in. This will be used later when setting up the telemetry sources.

If you are planning to reuse an already deployed cloud collector, the information about the created storage account and subscription can be found via:

Navigate to the Samurai MDR portal.
Click Telemetry and select Collectors from the main menu
Click on the name of the desired collector.
Note down information about the:
1. Subscription
2. Storage account name

Alternatively, you can utilize the integration setup wizard via the Samurai MDR portal for the desired telemetry source listed on Product Integration Guide page which shall provide you the same information required to setup your telemetry source.

Enabling Entra ID activity logs

Follow the vendor documentation guide to archive Microsoft Entra logs to an Azure storage account:

How to archive Microsoft Entra activity logs to an Azure storage account

When following the vendor documentation, please perform the following adjustments:

Select the following log categories
- AuditLogs
- SignInLogs
- NonInteractiveUserSignInLogs
- ServicePrincipalSignInLogs
- ManagedIdentitiySignInLogs
- ProvisioningLogs
- ADFSSignInLogs
Please note NonInteractiveUserSignInLogs may cause high log volume
Ensure when configuring the Storage Account setting that it’s referencing the storage account that was setup during the creation of the cloud collector.
Ensure the retention period aligns with your storage policies however we recommend at minimum 7 days.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.