Microsoft Entra ID

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

Product: Microsoft Entra ID
Collectors: Samurai [Local] Collector, Samurai [Cloud] Collector, Samurai [Cloud Native] Collector (this guide covers the Cloud Native Collector)

This guide describes the steps required to configure Microsoft Entra ID to send its activity logs to Samurai via a cloud native collector.

Prerequisites

Ensure that a cloud native collector has been deployed via the Samurai portal.

Note: The storage account created by the cloud native collector must reside in the same Azure region as the telemetry sources that will be ingested into the Samurai platform. To ingest telemetry from multiple regions, create an additional cloud native collector for each region.

Take note of the name of the storage account created and which subscription it resides in. This will be used later when setting up the telemetry sources.

If you are planning to reuse an already deployed cloud native collector, the information about the created storage account and subscription can be found via:

  1. Navigate to the Samurai Portal.
  2. On the left navigation pane, click Collectors.
  3. Click on the name of the desired collector.
  4. Note down information about the:
    1. Subscription
    2. Storage account name

Alternatively, you can use the integration setup wizard in the Samurai portal for the desired telemetry source listed on the Product Integration Guide page; it provides the same information required to set up your telemetry source.

Enabling Entra ID activity logs

Follow the vendor documentation guide to archive Microsoft Entra logs to an Azure storage account (in the Entra admin center this is configured under Monitoring, Diagnostic settings):

When following the vendor documentation, please perform the following adjustments:

  • Select the following log categories

    • AuditLogs
    • SignInLogs
    • NonInteractiveUserSignInLogs
    • ServicePrincipalSignInLogs
    • ManagedIdentitySignInLogs
    • ProvisioningLogs
    • ADFSSignInLogs
  • Note that NonInteractiveUserSignInLogs can generate a high log volume; every token refresh and background sign-in is recorded in this category.

  • When configuring the Storage Account setting, make sure it references the storage account that was created during deployment of the cloud native collector (the name and subscription noted in the prerequisites), not a different storage account in the tenant.

  • Set the retention period in line with your storage policies; we recommend a minimum of 7 days so that a delayed collector can still catch up. If the diagnostic setting in your tenant no longer offers a retention field, apply the same retention with an Azure Storage lifecycle management rule on the log containers instead.
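The same configuration can be created and checked from the Azure CLI instead of the portal. The script below is an added example and is not part of the Samurai guide or tooling: it builds the tenant-level diagnostic setting body with exactly the seven categories listed above, PUTs it against the Entra ID (microsoft.aadiam) endpoint via `az rest`, and lists the `insights-logs-*` containers that Azure creates in the storage account once data starts flowing. The setting name "SamuraiMDR", the resource group name, and the placeholder subscription and storage account values are assumptions; supply your own through the environment variables used in the `apply` branch.

```shell
#!/usr/bin/env bash
# Added example (not Samurai's own tooling): archive Entra ID activity logs to
# the cloud native collector's storage account with the Azure CLI.
# Assumptions: setting name "SamuraiMDR"; SUBSCRIPTION_ID, RESOURCE_GROUP and
# STORAGE_ACCOUNT are exported before running "apply" or "verify".

# Entra ID diagnostic settings are tenant scoped (provider microsoft.aadiam),
# so they are addressed with a generic REST call rather than
# "az monitor diagnostic-settings", which expects a resource-scoped ID.
AADIAM_API="https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings"
API_VERSION="2017-04-01-preview"

# Exactly the categories the guide asks for. Spelling must match Azure's
# category names or the API rejects the setting.
CATEGORIES="AuditLogs SignInLogs NonInteractiveUserSignInLogs ServicePrincipalSignInLogs ManagedIdentitySignInLogs ProvisioningLogs ADFSSignInLogs"

# build_body SUBSCRIPTION_ID RESOURCE_GROUP STORAGE_ACCOUNT [RETENTION_DAYS]
# Prints the JSON body for the diagnostic setting. Retention defaults to the
# guide's 7-day minimum; if your tenant ignores retentionPolicy, enforce the
# same retention with a storage lifecycle management rule instead.
build_body() {
  local sub="$1" rg="$2" sa="$3" days="${4:-7}"
  local sa_id="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$sa"
  local logs="" cat
  for cat in $CATEGORIES; do
    logs="$logs{\"category\":\"$cat\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":true,\"days\":$days}},"
  done
  logs="${logs%,}"   # drop the trailing comma
  printf '{"properties":{"storageAccountId":"%s","logs":[%s]}}' "$sa_id" "$logs"
}

# count_categories BODY -> number of log categories present in the body
count_categories() {
  printf '%s' "$1" | grep -o '"category":"[A-Za-z]*"' | wc -l | tr -d ' '
}

# apply_setting SETTING_NAME BODY -> create/update the setting (needs az login
# with a role that can write tenant diagnostic settings, e.g. Security Admin)
apply_setting() {
  local name="$1" body="$2"
  az rest --method put \
    --url "$AADIAM_API/$name?api-version=$API_VERSION" \
    --body "$body"
}

# show_settings -> dump every Entra ID diagnostic setting in the tenant, so a
# stray second setting pointing at another storage account is easy to spot
show_settings() {
  az rest --method get --url "$AADIAM_API?api-version=$API_VERSION"
}

# verify_ingest STORAGE_ACCOUNT -> Azure writes one container per category,
# named insights-logs-<category lowercased>; an empty list means no logs yet
verify_ingest() {
  az storage container list --account-name "$1" --auth-mode login \
    --query "[?starts_with(name, 'insights-logs-')].name" -o tsv
}

case "${1:-}" in
  apply)
    body=$(build_body "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" 7)
    apply_setting "SamuraiMDR" "$body" ;;
  verify)
    show_settings
    verify_ingest "$STORAGE_ACCOUNT" ;;
  *)
    # dry run with placeholder values: print the body that "apply" would send
    build_body "00000000-0000-0000-0000-000000000000" "rg-samurai-collector" "stsamuraicollector" 7 ;;
esac
```

Run it with no arguments to inspect the generated body, `apply` to create the setting, and `verify` afterwards; sign-in containers typically appear within minutes of the first sign-in after the setting is saved, while `insights-logs-adfssigninlogs` only appears if AD FS is actually connected to Entra.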

Note: For general information on Integrations, refer to the Integrations article.