Microsoft Entra ID solution for Sentinel

Solution: Microsoft Entra ID



Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com/
Categories | domains
Version | 3.3.11
Author | Microsoft - support@microsoft.com
First Published | 2022-05-16
Last Updated | 2026-04-15
Solution Folder | Microsoft Entra ID
Marketplace | Azure Marketplace · Rating: ★★★☆☆ 2.7/5 (3 ratings) · Popularity: High (95%)

The Microsoft Entra ID solution for Microsoft Sentinel ingests Microsoft Entra ID Audit, Sign-in, Provisioning, Risk Event and Risky User/Service Principal logs into Microsoft Sentinel. The logs are routed through Microsoft Entra ID Diagnostic Settings to the Log Analytics workspace that Sentinel is attached to; the solution's analytic rules, workbooks and playbooks then build on those tables.

Additional Information

📖 Setup Guide: Microsoft Entra connector - Connect Microsoft Entra ID logs to Microsoft Sentinel

Contents

Data Connectors

This solution provides 1 data connector:

Microsoft Entra ID (the Diagnostic Settings based connector named in the Setup Guide above; every table below that lists a connector is fed by it)

Tables Used

This solution uses 13 table(s):

Table | Used By Connectors | Used By Content
AADManagedIdentitySignInLogs | Microsoft Entra ID | -
AADNonInteractiveUserSignInLogs | Microsoft Entra ID | Analytics, Workbooks
AADProvisioningLogs | Microsoft Entra ID | -
AADRiskyServicePrincipals | Microsoft Entra ID | Workbooks
AADRiskyUsers | Microsoft Entra ID | -
AADServicePrincipalRiskEvents | Microsoft Entra ID | Workbooks
AADServicePrincipalSignInLogs | Microsoft Entra ID | Analytics, Workbooks
AADUserRiskEvents | Microsoft Entra ID | -
ADFSSignInLogs | Microsoft Entra ID | Analytics
AuditLogs | Microsoft Entra ID | Analytics, Workbooks
DeviceInfo | - | Analytics
NetworkAccessTraffic | Microsoft Entra ID | -
SigninLogs | Microsoft Entra ID | Analytics, Workbooks

DeviceInfo is not populated by this solution's connector (it is a Microsoft Defender XDR table) and is referenced only by the deprecated "Explicit MFA Deny" rule listed below.

Internal Tables

The following 3 table(s) are referenced by this solution's analytic rules but are not populated by its connector. Anomalies is written by the Microsoft Sentinel Anomalies engine, and BehaviorAnalytics and IdentityInfo by UEBA; rules that depend on them return nothing until those features are enabled in the workspace:

Table | Used By Connectors | Used By Content
Anomalies | - | Analytics
BehaviorAnalytics | - | Analytics
IdentityInfo | - | Analytics
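A practical check before enabling the 73 analytic rules is to confirm that each table above is actually receiving data. The KQL below is an added example written for this page, not content shipped with the solution. It lists every table from the two tables above, including the UEBA and Anomalies ones, with its row count and newest record over the last 7 days, so that tables that are missing, empty or stale (because a Diagnostic Settings category or UEBA is not switched on) stand out as rows with zero or no records. The 7-day window is an assumption; widen or narrow it to match the rules' own lookback.

```kql
// Added example (not part of the Microsoft Entra ID solution): data-readiness check
// for every table the solution's connector or content depends on.
// The last three names are populated by UEBA / Anomalies, not by the connector.
let Expected = datatable(TableName:string) [
    "AADManagedIdentitySignInLogs", "AADNonInteractiveUserSignInLogs", "AADProvisioningLogs",
    "AADRiskyServicePrincipals", "AADRiskyUsers", "AADServicePrincipalRiskEvents",
    "AADServicePrincipalSignInLogs", "AADUserRiskEvents", "ADFSSignInLogs", "AuditLogs",
    "NetworkAccessTraffic", "SigninLogs", "DeviceInfo",
    "Anomalies", "BehaviorAnalytics", "IdentityInfo"
];
// isfuzzy=true lets the union run even when some of these tables do not exist yet
// in the workspace; withsource= tags each row with the table it came from.
let Observed = union withsource=TableName isfuzzy=true
    AADManagedIdentitySignInLogs, AADNonInteractiveUserSignInLogs, AADProvisioningLogs,
    AADRiskyServicePrincipals, AADRiskyUsers, AADServicePrincipalRiskEvents,
    AADServicePrincipalSignInLogs, AADUserRiskEvents, ADFSSignInLogs, AuditLogs,
    NetworkAccessTraffic, SigninLogs, DeviceInfo,
    Anomalies, BehaviorAnalytics, IdentityInfo
| where TimeGenerated > ago(7d)          // lookback window (assumption, tune as needed)
| summarize Rows = count(), Newest = max(TimeGenerated) by TableName;
// Left-join so tables with no rows still appear, with Rows = 0 and an empty Newest.
Expected
| join kind=leftouter Observed on TableName
| project TableName, Rows = coalesce(Rows, long(0)), Newest
| order by Rows asc
```

Rows with Rows = 0 for a connector-fed table point at a Diagnostic Settings category that is not enabled; zero rows in IdentityInfo or BehaviorAnalytics mean UEBA is off and the rules that list them under "Internal use" cannot fire.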

Content Items

This solution includes 88 content item(s):

Content Type | Count
Analytic Rules | 73
Playbooks | 11
Workbooks | 3
Watchlists | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Account Created and Deleted in Short Timeframe | High | InitialAccess | AuditLogs
Account created or deleted by non-approved user | Medium | InitialAccess | AuditLogs
Admin promotion after Role Management Application Permission Grant | High | PrivilegeEscalation, Persistence | AuditLogs
Anomalous sign-in location by user account and authenticating application | Medium | InitialAccess | AADNonInteractiveUserSignInLogs, SigninLogs (internal use: Anomalies)
Attempt to bypass conditional access rule in Microsoft Entra ID | Low | InitialAccess, Persistence | -
Attempts to sign in to disabled accounts | Medium | InitialAccess | -
Authentication Methods Changed for Privileged Account | High | Persistence | AuditLogs (internal use: IdentityInfo)
Azure Portal sign in from another Azure Tenant | Medium | InitialAccess | -
Azure RBAC (Elevate Access) | High | PrivilegeEscalation | AuditLogs
Brute Force Attack against GitHub Account | Medium | CredentialAccess | (internal use: Anomalies)
Brute force attack against Azure Portal | Medium | CredentialAccess | -
Brute force attack against a Cloud PC | Medium | CredentialAccess | SigninLogs
Bulk Changes to Privileged Account Permissions | High | PrivilegeEscalation | AuditLogs
Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) | Low | DefenseEvasion | AuditLogs
Conditional Access - A Conditional Access app exclusion has changed | Low | CommandAndControl | AuditLogs
Conditional Access - A Conditional Access policy was deleted | Low | DefenseEvasion | AuditLogs
Conditional Access - A Conditional Access policy was disabled | Low | DefenseEvasion | AuditLogs
Conditional Access - A Conditional Access policy was put into report-only mode | Low | DefenseEvasion | AuditLogs
Conditional Access - A Conditional Access policy was updated | Informational | DefenseEvasion | AuditLogs
Conditional Access - A Conditional Access user/group/role exclusion has changed | High | Persistence, DefenseEvasion, CredentialAccess | AuditLogs
Conditional Access - A new Conditional Access policy was created | Informational | DefenseEvasion | AuditLogs
Conditional Access - Dynamic Group Exclusion Changes | High | PrivilegeEscalation | AuditLogs
Credential added after admin consented to Application | Medium | CredentialAccess, Persistence, PrivilegeEscalation | AuditLogs
Cross-tenant Access Settings Organization Added | Medium | InitialAccess, Persistence, Discovery | AuditLogs
Cross-tenant Access Settings Organization Deleted | Medium | InitialAccess, Persistence, Discovery | AuditLogs
Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed | Medium | InitialAccess, Persistence, Discovery | AuditLogs
Cross-tenant Access Settings Organization Inbound Direct Settings Changed | Medium | InitialAccess, Persistence, Discovery | AuditLogs
Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed | Medium | InitialAccess, Persistence, Discovery | AuditLogs
Cross-tenant Access Settings Organization Outbound Direct Settings Changed | Medium | InitialAccess, Persistence, Discovery | AuditLogs
Distributed Password cracking attempts in Microsoft Entra ID | Medium | CredentialAccess | -
External guest invitation followed by Microsoft Entra ID PowerShell signin | Medium | InitialAccess, Persistence, Discovery | AADNonInteractiveUserSignInLogs, AuditLogs, SigninLogs
Failed login attempts to Azure Portal | Low | CredentialAccess | -
First access credential added to Application or Service Principal where no credential was present | High | DefenseEvasion | AuditLogs
GitHub Signin Burst from Multiple Locations | Medium | CredentialAccess | -
Guest accounts added in Entra ID Groups other than the ones specified | High | InitialAccess, Persistence, Discovery | AuditLogs
MFA Rejected by User | Medium | InitialAccess | SigninLogs (internal use: BehaviorAnalytics, IdentityInfo)
MFA Spamming followed by Successful login | High | CredentialAccess | SigninLogs
Mail.Read Permissions Granted to Application | Medium | Persistence | AuditLogs
Microsoft Entra ID PowerShell accessing non-Entra ID resources | Low | InitialAccess | -
Microsoft Entra ID Role Management Permission Grant | High | Persistence, Impact | AuditLogs
Modified domain federation trust settings | High | CredentialAccess, Persistence, PrivilegeEscalation | AuditLogs
Multiple admin membership removals from newly created admin | Medium | Impact | AuditLogs
NRT Authentication Methods Changed for VIP Users | Medium | Persistence | AuditLogs
NRT First access credential added to Application or Service Principal where no credential was present | Medium | DefenseEvasion | AuditLogs
NRT Modified domain federation trust settings | High | CredentialAccess, Persistence, PrivilegeEscalation | AuditLogs
NRT New access credential added to Application or Service Principal | Medium | DefenseEvasion | AuditLogs
NRT PIM Elevation Request Rejected | High | Persistence | AuditLogs
NRT Privileged Role Assigned Outside PIM | Low | PrivilegeEscalation | AuditLogs
NRT User added to Microsoft Entra ID Privileged Groups | Medium | Persistence, PrivilegeEscalation | AuditLogs
New User Assigned to Privileged Role | High | Persistence | AuditLogs
New access credential added to Application or Service Principal | Medium | DefenseEvasion | AuditLogs
New onmicrosoft domain added to tenant | Medium | ResourceDevelopment | AuditLogs
PIM Elevation Request Rejected | High | Persistence | AuditLogs
Password spray attack against ADFSSignInLogs | Medium | CredentialAccess | ADFSSignInLogs
Password spray attack against Microsoft Entra ID Seamless SSO | Medium | CredentialAccess | AADNonInteractiveUserSignInLogs, SigninLogs
Password spray attack against Microsoft Entra ID application | Medium | CredentialAccess | -
Possible SignIn from Azure Backdoor | Medium | Persistence | AuditLogs, SigninLogs
Privileged Accounts - Sign in Failure Spikes | High | InitialAccess | (internal use: Anomalies, IdentityInfo)
Privileged Role Assigned Outside PIM | Low | PrivilegeEscalation | AuditLogs
Rare application consent | Medium | Persistence, PrivilegeEscalation | AuditLogs
Sign-ins from IPs that attempt sign-ins to disabled accounts | Medium | InitialAccess, Persistence | (internal use: BehaviorAnalytics)
Successful logon from IP and failure from a different IP | Medium | CredentialAccess, InitialAccess | (internal use: BehaviorAnalytics, IdentityInfo)
Suspicious Entra ID Joined Device Update | Medium | CredentialAccess | AuditLogs
Suspicious Service Principal creation activity | Low | CredentialAccess, PrivilegeEscalation, InitialAccess | AADServicePrincipalSignInLogs, AuditLogs
Suspicious Sign In Followed by MFA Modification | Medium | InitialAccess, DefenseEvasion | AuditLogs (internal use: BehaviorAnalytics)
Suspicious application consent for offline access | Low | CredentialAccess | AuditLogs
Suspicious application consent similar to O365 Attack Toolkit | High | CredentialAccess, DefenseEvasion | AuditLogs
Suspicious application consent similar to PwnAuth | Medium | CredentialAccess, DefenseEvasion | AuditLogs
User Accounts - Sign in Failure due to CA Spikes | Medium | InitialAccess | (internal use: Anomalies, BehaviorAnalytics, IdentityInfo)
User Assigned New Privileged Role | High | Persistence | AuditLogs
User added to Microsoft Entra ID Privileged Groups | Medium | Persistence, PrivilegeEscalation | AuditLogs
[Deprecated] Explicit MFA Deny | Medium | CredentialAccess | DeviceInfo
full_access_as_app Granted To Application | Medium | DefenseEvasion | AuditLogs

Workbooks

Name | Tables Used
AzureActiveDirectoryAuditLogs | AuditLogs
AzureActiveDirectorySignins | AADNonInteractiveUserSignInLogs, SigninLogs
ConditionalAccessSISM | AADRiskyServicePrincipals, AADServicePrincipalRiskEvents, AADServicePrincipalSignInLogs, AuditLogs, SigninLogs

Playbooks

Name | Description | Tables Used
Block Entra ID user - Incident | For each account entity included in the incident, this playbook will disable the user in Microsoft E... | -
Block Microsoft Entra ID user - Alert | For each account entity included in the alert, this playbook will disable the user in Microsoft Entr... | -
Block Microsoft Entra ID user - Entity trigger | This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook tr... | -
Prompt User - Alert | This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. I... | -
Prompt User - Incident | This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel... | -
Reset Microsoft Entra ID User Password - Alert Trigger | This playbook will reset the user password using Graph API. It will send the password (which is a ra... | -
Reset Microsoft Entra ID User Password - Entity trigger | This playbook will reset the user password using Graph API. It will send the password (which is a ra... | -
Reset Microsoft Entra ID User Password - Incident Trigger | This playbook will reset the user password using Graph API. It will send the password (which is a ra... | -
Revoke Entra ID Sign-in session using entity trigger | This playbook will revoke user's sign-in sessions and user will have to perform authentication again... | -
Revoke Entra ID SignIn Sessions - incident trigger | This playbook will revoke all signin sessions for the user using Graph API. It will send an email to... | -
Revoke-Entra ID SignInSessions alert trigger | This playbook will revoke all signin sessions for the user using Graph API. It will send an email to... | -

Watchlists

Name | Description | Tables Used
ConditionalAccessBenignStatusCodes | - | -
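Release 3.3.11 pairs this watchlist with the "Attempt to bypass conditional access rule in Microsoft Entra ID" analytic rule, so that result codes an organisation considers benign can be excluded without editing the rule query. The KQL below is an added illustration of that pattern written for this page; it is not the solution's own BypassCondAccessRule query and should not be taken as its logic. It assumes the watchlist stores the status code in a column named ResultType (an assumption; check the watchlist's actual column name) and that five failures per user and source IP in a day is a reasonable starting threshold (also an assumption).

```kql
// Added illustration (not the solution's BypassCondAccessRule query): Conditional Access
// failures per user and source IP, ignoring result codes that the
// ConditionalAccessBenignStatusCodes watchlist marks as benign.
// Assumption: the watchlist column holding the code is named ResultType.
let benign = _GetWatchlist('ConditionalAccessBenignStatusCodes')
    | project ResultType = tostring(ResultType);
SigninLogs
| where TimeGenerated > ago(1d)
| where ConditionalAccessStatus == "failure"      // policy evaluated and blocked the sign-in
| where ResultType !in (benign)                   // drop codes the watchlist treats as noise
| summarize Attempts = count(),
            Apps = make_set(AppDisplayName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by UserPrincipalName, IPAddress
| where Attempts >= 5                             // tuning threshold (assumption)
| order by Attempts desc
```

Because the exclusion is read from the watchlist at query time, adding a code to ConditionalAccessBenignStatusCodes takes effect on the next rule run; the caveat is that anything placed in the watchlist is invisible to this detection, so review its contents with the same care as a rule edit.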

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.3.11 | 13-04-2026 | Added Watchlist ConditionalAccessBenignStatusCodes and updated BypassCondAccessRule analytic rule
3.3.10 | 12-04-2026 | Updated AccountCreatedandDeletedinShortTimeframe analytic rule to extend query period to 7 days, normalize UPN parsing, and use immutable UserId for improved detection accuracy and evasion resistance
3.3.9 | 23-02-2026 | Updated Block-AADUser Incident trigger to fix the permissions for the disable-user block
3.3.8 | 06-02-2026 | Fixed broken links in analytic rule
3.3.7 | 20-01-2026 | Updated Revoke-AADSignInSessions playbook instructions. Added Conditional Access Insights workbook for Microsoft Entra ID
3.3.6 | 23-09-2025 | Updated analytic rule to fix the rule saving issue. Removed Preview designation from Microsoft Entra ID connector data types
3.3.5 | 25-07-2025 | Updated Entra ID Conditional Access (prefix) analytic rules
3.3.4 | 10-07-2025 | Updated analytic rules NRT_UseraddedtoPrivilgedGroups.yaml and UseraddedtoPrivilgedGroups.yaml
3.3.3 | 03-06-2025 | Updates to multiple playbooks to improve documentation, streamline deployment instructions, and add links to detailed setup steps
3.3.2 | 08-05-2025 | Removed the IP entity type and its associated field mappings (Address and IPAddress) in DistribPassCrackAttempt.yaml analytic rule
3.3.1 | 08-04-2025 | Updated analytic rule [Anomalous sign-in location by user account and authenticating application]
3.3.0 | 28-01-2025 | Added new analytic rule AzureRBAC to the solution
3.2.10 | 19-12-2024 | Updated analytic rule MFARejectedbyUser.yaml
3.2.9 | 27-08-2024 | Updated analytic rule for missing TTP
3.2.8 | 19-08-2024 | Exclude Result Reason "RoleAssignmentExists" from analytic rule [NRT PIM Elevation Request Rejected]
3.2.7 | 12-06-2024 | Fixed bugs in analytic rules
3.2.6 | 06-06-2024 | Successful logon from IP and failure from a different IP fixes
3.2.5 | 28-05-2024 | Updated entity mappings and changed description in analytic rule
3.2.4 | 21-03-2024 | Used the make-series operator instead of make_list
3.2.3 | 13-03-2024 | Removed uses of BlastRadius from the query section of hunting queries where it was used incorrectly
3.2.2 | 13-03-2024 | Updated analytic rule ExplicitMFADeny
3.2.1 | 16-02-2024 | Fixed entity mapping of analytic rule NRT_NewAppOrServicePrincipalCredential.yaml
3.2.0 | 05-02-2024 | 1 analytic rule added: PossibleSignInfromAzureBackdoor NRT_NewAppOrServicePrincipalCredential
3.0.11 | 17-01-2024 | 1 analytic rule fixed: wrong capitalization for identifier ResourceId
3.0.10 | 26-12-2023 | 1 analytic rule modified by adding a "GroupMembership" instead of "Admin" condition for better extraction of admin accounts from the IdentityInfo table
3.0.9 | 28-11-2023 | 2 analytic rules modified: added entity mapping to GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml and changed the time range of SigninPasswordSpray.yaml from 3d to 1d
3.0.8 | 21-11-2023 | 1 analytic rule fixed: issue that was causing multiple triggers for the same event
3.0.7 | 06-11-2023 | Modified text for the rebranding from Azure Active Directory to Microsoft Entra ID
3.0.6 | 30-10-2023 | 1 data connector added back to the solution
3.0.5 | 19-10-2023 | 1 analytic rule updated in the solution (PIMElevationRequestRejected)
3.0.4 | 16-10-2023 | 1 analytic rule added to the solution (SuspiciousSignInFollowedByMFAModification); modified workbook query to fix duplicate locations
3.0.3 | 22-09-2023 | 2 analytic rules updated in the solution (PIM Elevation Request Rejected, NRT Authentication Methods Changed for VIP Users)
3.0.2 | 08-08-2023 | 1 analytic rule updated in the solution (Credential added after admin consented to Application)
3.0.1 | 01-08-2023 | Added new analytic rule (New onmicrosoft domain added to tenant)
3.0.0 | 19-07-2023 | 2 analytic rules updated in the solution (User Assigned Privileged Role, Successful logon from IP and failure from a different IP)
