Microsoft Entra ID

Microsoft Entra ID, formerly Azure Active Directory, is an identity and access management solution from Microsoft that helps organizations secure and manage identities for hybrid and multicloud environments.

The Entra ID API Adapter currently receives risk detection alerts as generated by Entra ID's Identity Protection feature. You can learn more about these detections here: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks. Data received via an Azure Event Hub or Webhook depends entirely on which logs you configure Azure to stream, so its content is specific to your own output configuration.

Entra ID data uses one of two platform values depending on the ingestion method — they are not interchangeable:

  • Azure Event Hub / Webhook (diagnostic settings log stream — SignInLogs, AuditLogs, etc.): client_options.platform: azure_ad
  • Entra ID API (Identity Protection risk detections polled from Microsoft Graph): client_options.platform: entraid

Note on naming: The platform identifier azure_ad reflects the legacy product name (Azure Active Directory); Microsoft renamed the product to Microsoft Entra ID in 2023. Although both names refer to the same product, azure_ad and entraid select different parsers: azure_ad parses the Azure diagnostic-stream record envelope (event type from category, timestamp from time), while entraid parses Graph risk-detection objects (event type from activity, timestamp from detectedDateTime). Using the wrong one silently breaks event-type and timestamp extraction.

Choosing by data need: Directory audit events — app consent (Consent to application), OAuth2 permission grants (Add OAuth2PermissionGrant), app role assignments, user/group/role changes — are only available from the diagnostic-stream AuditLogs category (Event Hub, platform azure_ad) or from the Microsoft 365 unified audit log (office365 adapter, Audit.AzureActiveDirectory content type, where operation names carry a trailing period). The Entra ID API adapter polls risk detections only and will never deliver these events. Also prefer azure_ad over azure_monitor for Entra streams: both parse the same envelope, but the platform value tags the sensor and drives is platform / LCQL targeting and shared detection rules.

Data Collected

API vs Event Hub vs Webhook Comparison

  • Entra ID API
    Data source: Microsoft Graph API
    What you get: Identity Protection risk detections only
    Platform: entraid
  • Azure Event Hub
    Data source: Azure Diagnostic Settings
    What you get: Whatever logs you configure (sign-in, audit, etc.)
    Platform: azure_ad
  • Webhook
    Data source: Your configuration
    What you get: Whatever you send to the webhook URL
    Platform: azure_ad (if relaying the diagnostic-stream format)

Entra ID API

The API adapter polls Microsoft Graph's /identityProtection/riskDetections endpoint every 30 seconds. This provides Identity Protection risk detection alerts including:

  • Risky sign-ins (unfamiliar location, impossible travel, etc.)
  • Compromised credentials
  • Leaked credentials
  • Anonymous IP usage
  • Malware-linked IP addresses

For the full list of risk detection types, see Microsoft's documentation.

The API adapter does not receive sign-in logs or directory audit events (such as app consent or OAuth2 permission grants) — use the Azure Event Hub method for those.

Azure Event Hub

When using Event Hub, you receive whatever data you configure Azure to stream. You must configure Azure Diagnostic Settings in Entra ID to send logs to your Event Hub. Common log types include:

  • Sign-in logs - Interactive and non-interactive authentication events
  • Audit logs - Directory changes (user/group management, app registrations, app consent and OAuth2 permission grants)
  • Provisioning logs - User provisioning to SaaS apps
  • Risky users/sign-ins - Identity Protection detections (alternative to API)

In the azure_ad stream the LimaCharlie event type is the log category (e.g. AuditLogs, SignInLogs), so detection rules targeting a specific operation match on the event/operationName field.
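The following is an added example, not LimaCharlie's own adapter code, illustrating both the platform note above (azure_ad and entraid read different fields) and the detection point just made (on the azure_ad stream the event type is the category, so the operation is matched on operationName). All records are constructed samples, and the field names are the ones the text names.

```python
"""Added example, not LimaCharlie's own code: how the two Entra ID platform
values extract event type and timestamp differently, and why crossing them
breaks extraction. All sample records below are constructed."""
from datetime import datetime, timezone

# Constructed Azure diagnostic-stream record (Event Hub / Webhook, platform azure_ad).
AUDIT_RECORD = {
    "category": "AuditLogs",
    "time": "2024-05-01T12:00:00.000Z",
    "operationName": "Consent to application",
}

# Constructed Microsoft Graph riskDetection object (API adapter, platform entraid).
RISK_RECORD = {
    "activity": "signin",
    "detectedDateTime": "2024-05-01T12:05:00Z",
}

# Which record fields each platform value reads, as the adapter docs describe.
FIELD_MAP = {
    "azure_ad": {"event_type": "category", "timestamp": "time"},
    "entraid": {"event_type": "activity", "timestamp": "detectedDateTime"},
}

def extract(platform, record):
    """Return (event_type, timestamp) for a record under the given platform.
    Raises KeyError when the platform's field map does not fit the record,
    i.e. the crossed-platform case the docs warn about."""
    fmap = FIELD_MAP[platform]
    # Both formats write UTC with a trailing Z; normalize for fromisoformat.
    raw = record[fmap["timestamp"]].replace("Z", "+00:00")
    when = datetime.fromisoformat(raw).astimezone(timezone.utc)
    return record[fmap["event_type"]], when

def matches_operation(platform, record, category, operation):
    """Stand-in for a D&R rule on the azure_ad stream: the event type is the
    log category, so the operation itself is checked on operationName."""
    event_type, _ = extract(platform, record)
    return event_type == category and record.get("operationName") == operation

if __name__ == "__main__":
    print(extract("azure_ad", AUDIT_RECORD))
    print(extract("entraid", RISK_RECORD))
    print(matches_operation("azure_ad", AUDIT_RECORD, "AuditLogs", "Consent to application"))
    try:
        extract("entraid", AUDIT_RECORD)  # crossed platform: no activity field
    except KeyError as err:
        print("crossed platform, missing field:", err)
```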

See Microsoft's documentation on streaming Entra ID logs.

Adapter Deployment

Microsoft Entra ID logs are ingested into LimaCharlie via:

  1. Azure Event Hub
  2. Entra ID API
  3. Webhooks

Azure Event Hub

Within the LimaCharlie web app, there is a helper that can be used to easily configure receiving Entra ID events via an Azure Event Hub.

If utilizing the helper, only two fields are required:

  • Name for the adapter
  • Connection string to the Azure Event Hub

See the Azure Event Hub Adapter documentation for more information.

Microsoft has documentation for creating an Event Hub.

Entra ID API

To collect data via the Entra ID API, you'll need to configure an App Registration in Azure and ensure it has the correct permissions.

  1. In Azure, navigate to the Entra ID Overview page. Select App Registrations and click + New Registration.
  2. Name the application, and select the Supported account types.
  3. After registering an App, you'll be provided metadata for that application. Take note of the Application (client) ID and Directory (tenant) ID fields, as you will need them for configuration.
  4. Select Add a certificate or secret, and create a new client secret. Provide a description and select an applicable Expiration time. Note: You will need to refresh the Secret in LimaCharlie once it expires!
  5. After creating the secret, copy the Secret Value. You will need this to configure the LimaCharlie Adapter.
  6. Navigate to the Manage > API permissions menu for your newly-created application. Ensure that the following permissions have been enabled:
     • IdentityRiskEvent.Read.All
     • IdentityRiskEvent.ReadWrite.All
     • IdentityRiskyServicePrincipal.Read
     • IdentityRiskyServicePrincipal.ReadWrite.All
     • IdentityRiskyUser.Read.All
     • IdentityRiskyUser.ReadWrite.All
     • User.Read (default)

Create a new Adapter within LimaCharlie, and select Microsoft Entra ID. Select Microsoft Entra ID API as the ingestion method.

  1. Name the Adapter and provide the following details:
     • Tenant ID
     • Client ID
     • Client Secret
     Note: You can use the Secrets Manager for these values if you wish!

Click Complete Cloud Installation, and the Adapter should be created successfully. Monitor the Platform Logs for any errors.

Note: As mentioned above, the API Adapter receives events from the Risk Detections API, so you will only receive events when Identity Protection generates a risk detection. If you're not receiving any events immediately after Adapter creation, this may simply be because no risky events have occurred!

Webhooks

Within the LimaCharlie web app, there is a helper that can be used to easily configure receiving Entra ID events.

If utilizing the helper, only two fields are required:

  • Name for the adapter
  • Secret component of the URL for the webhook

More information about creating a webhook and obtaining the completed URL, utilizing the secret component, can be found here.