Microsoft Entra ID
Microsoft Entra ID, formerly Azure Active Directory, is an identity and access management solution from Microsoft that helps organizations secure and manage identities for hybrid and multicloud environments.
The Entra ID API Adapter currently receives risk detection alerts as generated by Entra ID's Identity Protection feature. You can learn more about these detections here: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks. Data received via an Azure Event Hub or Webhook is not fixed by the adapter; it depends entirely on what you configure those sources to send.
Entra ID events are recognized as the `azure_ad` platform.
Note on naming: The platform identifier `azure_ad` reflects the legacy product name (Azure Active Directory). Microsoft renamed this product to Microsoft Entra ID in 2023.
Data Collected
API vs Event Hub vs Webhook Comparison
| Method | Data Source | What You Get |
|---|---|---|
| Entra ID API | Microsoft Graph API | Identity Protection Risk Detections only |
| Azure Event Hub | Azure Diagnostic Settings | Whatever logs you configure (sign-in, audit, etc.) |
| Webhook | Your configuration | Whatever you send to the webhook URL |
Entra ID API
The API adapter polls Microsoft Graph's `/identityProtection/riskDetections` endpoint every 30 seconds. This provides Identity Protection risk detection alerts including:
- Risky sign-ins (unfamiliar location, impossible travel, etc.)
- Compromised credentials
- Leaked credentials
- Anonymous IP usage
- Malware-linked IP addresses
For the full list of risk detection types, see Microsoft's documentation.
Azure Event Hub
When using Event Hub, you receive whatever data you configure Azure to stream. You must configure Azure Diagnostic Settings in Entra ID to send logs to your Event Hub. Common log types include:
- Sign-in logs - Interactive and non-interactive authentication events
- Audit logs - Directory changes (user/group management, app registrations)
- Provisioning logs - User provisioning to SaaS apps
- Risky users/sign-ins - Identity Protection detections (alternative to API)
See Microsoft's documentation on streaming Entra ID logs.
Adapter Deployment
Microsoft Entra ID logs are ingested into LimaCharlie via:
- Azure Event Hub
- Entra ID API
- Webhooks
Azure Event Hub
Within the LimaCharlie web app, there is a helper that can be used to easily configure receiving Entra ID events via an Azure Event Hub.
If utilizing the helper, only two fields are required:
- Name for the adapter
- Connection string to the Azure Event Hub
You can find more information about Azure Event Hub Adapters here.
Documentation for creating an event hub can be found here.
Entra ID API
To collect data via the Entra ID API, you'll need to configure an App Registration in Azure and ensure it has the correct permissions.
- In Azure, navigate to the Entra ID Overview page. Select App Registrations and click + New Registration.
- Name the application, and select the Supported account types.
- After registering an App, you'll be provided metadata for that application. Take note of the `Application (client) ID` and `Directory (tenant) ID` fields, as you will need them for configuration.
- Select Add a certificate or secret, and create a new client secret. Provide a description and select an applicable Expiration time. Note: You will need to refresh the Secret in LimaCharlie once it expires!
- After creating the secret, copy the `Secret Value`. You will need this to configure the LimaCharlie Adapter.
- Navigate to the Manage > API permissions menu for your newly-created application. Ensure that the following permissions have been enabled:
  - IdentityRiskEvent.Read.All
  - IdentityRiskEvent.ReadWrite.All
  - IdentityRiskyServicePrincipal.Read
  - IdentityRiskyServicePrincipal.ReadWrite.All
  - IdentityRiskyUser.Read.All
  - IdentityRiskyUser.ReadWrite.All
  - User.Read (default)
- Create a new Adapter within LimaCharlie, and select Microsoft Entra ID. Select Microsoft Entra ID API as the ingestion method.
- Name the Adapter and provide the following details:
  - Tenant ID
  - Client ID
  - Client Secret
  - Note: You can use the Secrets Manager for these values if you wish!
- Click Complete Cloud Installation, and the Adapter should be created successfully. Monitor the Platform Logs for any errors.
Note: As previously mentioned, the API Adapter receives events from the Risk Detections API. Events arrive only when Entra ID generates a risk detection, so if you're not receiving any events immediately after Adapter creation, this may simply be because no risky events have occurred!
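The following is an added example, not LimaCharlie's adapter code, showing what the polling loop described above does under the hood: a client-credentials token request for the App Registration's Tenant ID, Client ID and Client Secret, a GET against the `/identityProtection/riskDetections` endpoint, and paging through `@odata.nextLink` while tracking an `activityDateTime` watermark so a 30-second poll does not re-emit detections it has already seen. The `get_json` callable is injected so the paging logic runs offline against constructed sample pages; the `SAMPLE_PAGES` data, the `demo()` helper and the `$top=500` page size are assumptions of this example, not values from the page. It assumes the App Registration has been granted (and admin-consented) at least the `IdentityRiskEvent.Read.All` application permission; a missing consent surfaces as an HTTP 401/403 from Graph.

```python
"""Poll Microsoft Graph Identity Protection risk detections with a client-credentials app.

Added example; not LimaCharlie's adapter code. Assumes an App Registration holding the
IdentityRiskEvent.Read.All application permission with admin consent granted, and that
the caller supplies tenant_id / client_id / client_secret from the registration.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials request (URL and form body) for Graph."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def fetch_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """POST the token request and return the bearer access token (network call)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with opener(urllib.request.Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def parse_time(value):
    """Parse Graph's ISO-8601 UTC timestamps, which end in 'Z' and may carry 7 fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"  # Python accepts at most microsecond precision
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def poll_risk_detections(get_json, since=None):
    """Follow @odata.nextLink pages and return (new_detections, new_watermark).

    get_json(url) -> dict is injected so the paging logic is testable offline.
    Only detections whose activityDateTime is later than `since` are returned; the
    returned watermark is fed back in on the next poll.
    """
    url = GRAPH_URL + "?$top=500"  # page size is an assumption of this example
    new, watermark = [], since
    while url:
        page = get_json(url)
        for det in page.get("value", []):
            ts = parse_time(det["activityDateTime"])
            if since is None or ts > since:
                new.append(det)
                if watermark is None or ts > watermark:
                    watermark = ts
        url = page.get("@odata.nextLink")  # absent on the last page
    return new, watermark


def graph_getter(token, opener=urllib.request.urlopen):
    """Return a get_json(url) closure that sends the bearer token to Graph (network call)."""
    def get_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with opener(req) as resp:
            return json.load(resp)
    return get_json


# Constructed sample: two pages in the shape Graph returns. Not real tenant data.
SAMPLE_PAGES = {
    GRAPH_URL + "?$top=500": {
        "value": [
            {"id": "det-1", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
             "riskState": "atRisk", "activityDateTime": "2024-05-01T10:00:00.1234567Z",
             "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"},
        ],
        "@odata.nextLink": GRAPH_URL + "?$top=500&$skiptoken=constructed",
    },
    GRAPH_URL + "?$top=500&$skiptoken=constructed": {
        "value": [
            {"id": "det-2", "riskEventType": "unfamiliarFeatures", "riskLevel": "low",
             "riskState": "atRisk", "activityDateTime": "2024-05-01T10:05:00Z",
             "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"},
        ],
    },
}


def demo():
    """Poll the constructed pages twice: the first pass yields both detections,
    the second pass (resuming from the watermark) yields nothing new."""
    first, mark = poll_risk_detections(SAMPLE_PAGES.__getitem__)
    second, _ = poll_risk_detections(SAMPLE_PAGES.__getitem__, since=mark)
    return len(first), len(second), mark.isoformat()


if __name__ == "__main__":
    print(demo())
    # Against a live tenant the loop would instead be:
    #   token = fetch_token(tenant_id, client_id, client_secret)
    #   detections, mark = poll_risk_detections(graph_getter(token), since=mark)
```

The watermark is what makes the 30-second cadence cheap: each poll re-reads the listing but forwards only detections newer than the last one seen, which also explains why a freshly created adapter stays quiet until Identity Protection actually raises a detection.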
Webhooks
Within the LimaCharlie web app, there is a helper that can be used to easily configure receiving Entra ID events.
If utilizing the helper, only two fields are required:
- Name for the adapter
- Secret component of the URL for the webhook
More information about creating a webhook and obtaining the completed URL (including its secret component) can be found here.