Connecting Azure Active Directory to Microsoft Sentinel Through the Diagnostic Setting
When all else fails...
UPDATE 1/25/2023: The issue described below has now been resolved. Thanks everyone for your attention and ticket creation! Your assistance helped get this resolved quickly. However, I will leave this blog post in place for the description below on how to use the Diagnostic Setting for connecting any Azure service logs to Microsoft Sentinel.
Having trouble enabling the Azure Active Directory connector in Microsoft Sentinel? Many are.
Essentially, when one selects the AAD logs and clicks the Apply Changes button, the portal responds with a "Failed to apply changes" alert. There's no other error message - even in the Azure Activity log - which makes it super difficult to diagnose.
Bottom line: we’re working on it.
But in the interim, one can still enable and adjust logs through the Azure Active Directory Diagnostic Setting - which is essentially what clicking the Apply Changes button does anyway.
Not familiar with how this works?
Open the Azure Active Directory service in the Azure portal and find the Diagnostic Settings blade.
Once there, choose to either edit an existing Diagnostic Setting or create a brand new one.
If you create a new one, make sure to point it to the existing Log Analytics workspace for Microsoft Sentinel. If you have multiple Sentinel instances, make sure to select the right one.
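One way to confirm afterwards that the logs really go to the intended workspace, as an added example that is not part of the original post. It assumes you have a JSON listing of the tenant's Azure AD diagnostic settings in the shape shown; the function name, the sample settings and all IDs are constructed placeholders, and AuditLogs and SignInLogs are used as example categories.

```python
# Constructed sample data (assumed listing shape); every ID and name is a placeholder.
WS_PROD = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-SOC"
           "/providers/Microsoft.OperationalInsights/workspaces/Sentinel-Prod")
WS_DEV = WS_PROD.replace("Sentinel-Prod", "sentinel-dev")
SAMPLE = {"value": [
    {"name": "aad-to-sentinel", "properties": {"workspaceId": WS_PROD, "logs": [
        {"category": "AuditLogs", "enabled": True},
        {"category": "SignInLogs", "enabled": False}]}},
    {"name": "legacy-setting", "properties": {"workspaceId": WS_DEV, "logs": [
        {"category": "SignInLogs", "enabled": True}]}},
    # Storage-only setting: no workspaceId, so it feeds no workspace at all.
    {"name": "archive-only", "properties": {"storageAccountId": "placeholder", "logs": [
        {"category": "AuditLogs", "enabled": True}]}},
]}


def review_settings(listing, sentinel_workspace_id, wanted):
    """Return (delivered, missing, misrouted) for the wanted log categories.

    delivered: enabled categories that reach the Sentinel workspace
    missing:   wanted categories that do not reach it
    misrouted: {setting name: wanted categories sent to a different workspace}
    """
    target = sentinel_workspace_id.lower()  # Azure resource IDs compare case-insensitively
    wanted = set(wanted)
    delivered, misrouted = set(), {}
    for setting in listing.get("value", []):
        props = setting.get("properties", {})
        enabled = {log["category"] for log in props.get("logs", []) if log.get("enabled")}
        workspace = (props.get("workspaceId") or "").lower()
        if workspace == target:
            delivered |= enabled
        elif workspace:
            hits = sorted(enabled & wanted)
            if hits:
                misrouted[setting.get("name", "?")] = hits
    return sorted(delivered), sorted(wanted - delivered), misrouted


if __name__ == "__main__":
    delivered, missing, misrouted = review_settings(
        SAMPLE, WS_PROD, ["AuditLogs", "SignInLogs"])
    print("delivered to Sentinel:", delivered)
    print("not reaching Sentinel:", missing)
    print("sent to another workspace:", misrouted)
```

A category that shows up as both missing and misrouted is the multiple-instance mistake: the log is enabled, but in a setting that points at the wrong workspace.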
BIG NOTE: If you are a customer affected by this, please open a ticket. This will help show impact and drive quicker resolution.