This guide walks you through creating a Microsoft Entra ID application with permissions to access your Microsoft Sentinel instance, and gathering all of the necessary configuration values to create a Microsoft Sentinel integration.
Create a Microsoft Entra ID Application and Service Principal
Before you begin, you must have access to the Microsoft Azure portal and have a Microsoft Sentinel instance provisioned for a Log Analytics workspace.
1. Create Entra ID Application
API access is granted to a service principal, which is created by registering a new Application with Entra ID. Follow the Microsoft documentation to create the application. When complete, record the Directory (tenant) ID, the Application (client) ID, and the client secret in a safe location; the client secret value is shown only once, immediately after it is created.
2. Assign permissions to the service principal
Note the modified permissions below when following the Microsoft documentation.
Once you have the application registered, add permissions and roles as described in the Microsoft Authentication documentation.
When adding API permissions, the Microsoft documentation suggests adding Data.Read as a 'Delegated' permission, but a delegated permission does not grant access to the service principal itself. Instead, add the Data.Read permission as an 'Application' permission. Once done, enable the permission by clicking the 'Grant admin consent' button; without admin consent the permission is listed but not effective.
When adding the Log Analytics role assignments, the Microsoft documentation mentions only the 'Reader' role. For full functionality, assign all of the following roles on the workspace:
- Reader
- Microsoft Sentinel Contributor
3. Gather the log analytics workspace values
On the Log Analytics workspace overview page, find the 'Resource group' name, 'Subscription ID', 'Workspace Name', and 'Workspace ID'. Note these values in a safe location along with your application authentication values.
If setting up ingestion, click on the "JSON View" link and copy the fully qualified resource ID into a safe location.
4. (Ingestion Only) Configure a Data Collection Rule
To support ingestion, set up a Data Collection Rule following steps 3 and 4 of our Sink configuration guide, using the fully qualified Log Analytics workspace resource ID copied in step 3. When complete, save the Rule ID, Stream Name, and Logs Ingestion Endpoint values to a safe location. Take care to perform step 4, which grants permissions on the Data Collection Rule to the application and service principal created in step 1 of this guide; without that assignment the token is accepted but ingestion requests are rejected.
Configure the Integration
Create your integration by supplying all of the required and any desired optional values.
Logs URL (Optional): The root URL for the Microsoft Azure Monitor Logs API. This is optional and should only be supplied if using an alternate Microsoft cloud, such as GovCloud. Default "https://api.loganalytics.azure.com".
Management URL (Optional): The root URL for the Microsoft Azure Management API. This is optional and should only be supplied if using an alternate Microsoft cloud, such as GovCloud. Default "https://management.azure.com".
Tenant ID: This is the 'Directory (tenant) ID' gathered in step 1.
Client ID: This is the 'Application (client) ID' gathered in step 1.
Client Secret: This is the client secret gathered in step 1.
Resource Group: This is the 'Resource group' name gathered in step 3.
Subscription ID: This is the 'Subscription ID' gathered in step 3.
Workspace ID: This is the 'Workspace ID' gathered in step 3.
Workspace Name: This is the 'Workspace Name' gathered in step 3.
Ingest URL (Ingestion Only): This is the 'Logs Ingestion Endpoint' gathered in step 4.
Rule ID (Ingestion Only): This is the 'Rule ID' gathered in step 4.
Stream Name (Ingestion Only): This is the 'Stream Name' gathered in step 4.
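As an added example (not part of this guide and not the integration's own code), the following Python script checks the values gathered in steps 1 to 4 offline before they are entered into the integration. It parses the fully qualified workspace resource ID from the 'JSON View' into its subscription, resource group and workspace name and checks that those agree with the values copied from the overview page, checks that the IDs have GUID form, checks that the root URLs are usable as-is for an alternate cloud, and checks that the three ingestion-only values are supplied together rather than partially. The class and function names and all sample values are constructed for this example; the '<root URL>/.default' scope form is the standard client-credentials scope and is marked as an assumption in the code.

```python
"""Offline consistency check for Microsoft Sentinel integration values.

Added example, not part of the original guide. Sample values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# GUID shape shared by the tenant, client, subscription and workspace IDs.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Standard Azure resource ID of a Log Analytics workspace (the value shown in 'JSON View').
WORKSPACE_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription_id>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights"
    r"/workspaces/(?P<workspace_name>[^/]+)$",
    re.IGNORECASE,
)

DEFAULT_LOGS_URL = "https://api.loganalytics.azure.com"
DEFAULT_MANAGEMENT_URL = "https://management.azure.com"


def parse_workspace_resource_id(resource_id: str) -> Dict[str, str]:
    """Split a fully qualified workspace resource ID into its three components."""
    match = WORKSPACE_RESOURCE_ID_RE.match(resource_id.strip())
    if match is None:
        raise ValueError(f"not a Log Analytics workspace resource ID: {resource_id!r}")
    return match.groupdict()


def _is_https_root(url: str) -> bool:
    # Root URLs get API paths appended, so require https and no path or trailing slash.
    return url.startswith("https://") and url.count("/") == 2


@dataclass
class SentinelIntegrationConfig:
    tenant_id: str
    client_id: str
    client_secret: str
    resource_group: str
    subscription_id: str
    workspace_id: str
    workspace_name: str
    logs_url: str = DEFAULT_LOGS_URL
    management_url: str = DEFAULT_MANAGEMENT_URL
    ingest_url: Optional[str] = None   # ingestion only
    rule_id: Optional[str] = None      # ingestion only
    stream_name: Optional[str] = None  # ingestion only

    def problems(self, workspace_resource_id: Optional[str] = None) -> List[str]:
        """Return human-readable problems; an empty list means the values are consistent."""
        found: List[str] = []
        for name in ("tenant_id", "client_id", "subscription_id", "workspace_id"):
            if not GUID_RE.match(getattr(self, name)):
                found.append(f"{name} is not a GUID")
        if not self.client_secret:
            found.append("client_secret is empty")
        for name in ("logs_url", "management_url"):
            if not _is_https_root(getattr(self, name)):
                found.append(f"{name} must be an https:// root URL without a path or trailing slash")
        # The three ingestion-only values are meaningless on their own: all or none.
        ingestion = {"ingest_url": self.ingest_url, "rule_id": self.rule_id,
                     "stream_name": self.stream_name}
        present = [k for k, v in ingestion.items() if v]
        if present and len(present) != len(ingestion):
            missing = sorted(set(ingestion) - set(present))
            found.append("ingestion is partially configured; missing " + ", ".join(missing))
        if self.ingest_url and not self.ingest_url.startswith("https://"):
            found.append("ingest_url must use https://")
        # Cross-check the overview-page values against the resource ID from 'JSON View'.
        if workspace_resource_id is not None:
            try:
                parts = parse_workspace_resource_id(workspace_resource_id)
            except ValueError as exc:
                found.append(str(exc))
            else:
                for key in ("subscription_id", "resource_group", "workspace_name"):
                    if parts[key].lower() != getattr(self, key).lower():
                        found.append(f"{key} {getattr(self, key)!r} does not match "
                                     f"resource ID value {parts[key]!r}")
        return found

    def logs_api_scope(self) -> str:
        """Scope for the client-credentials token used against the Logs API.

        Assumption: the usual '<resource>/.default' form, derived from logs_url so
        that an alternate-cloud root URL produces a matching scope.
        """
        return f"{self.logs_url}/.default"


if __name__ == "__main__":
    # Constructed sample values, not a real tenant.
    sub = "01234567-89ab-cdef-0123-456789abcdef"
    cfg = SentinelIntegrationConfig(
        tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        client_id="11111111-2222-3333-4444-555555555555",
        client_secret="constructed-secret",
        resource_group="sentinel-rg",
        subscription_id=sub,
        workspace_id="fedcba98-7654-3210-fedc-ba9876543210",
        workspace_name="sentinel-law",
    )
    rid = (f"/subscriptions/{sub}/resourceGroups/sentinel-rg"
           "/providers/Microsoft.OperationalInsights/workspaces/sentinel-law")
    print(cfg.problems(rid) or "configuration values are consistent")
```

Run the script before creating the integration; any line it prints points at a value that was copied from the wrong place or an ingestion field that was left out.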