Entra ID (Azure AD) Logs
The Emanate Security Platform supports direct log ingestion from Microsoft's Entra ID (formerly Azure Active Directory).
Emanate Security can retrieve Entra ID activity logs by querying the Microsoft Graph API. Emanate Security queries the Graph API for new events every 2 minutes.
Access to Entra ID data via the Graph API is license controlled. In order to integrate these activity logs with ESP, you must have:
Entra ID Premium P1 or P2
Entra ID B2C (MSP)
On-Premises Active Directory Users
ESP can also retrieve directory records from Microsoft's on-premises Active Directory. To do so, ESP leverages the Active Directory Sync that Microsoft offers in Entra ID. If you use on-premises Active Directory and want to integrate your logs, please refer to Microsoft's instructions on enabling Active Directory Sync.
To enable this integration, you must grant ESP permission to access your organization's Entra ID logs. This can be done via the Entra ID console. This will require you to create a new App Registration with the appropriate permissions.
For a high-level view of how this works, you can refer to Microsoft's instructions on creating an App Registration with unspecified permissions. For a step-by-step walkthrough, please follow the remainder of the guide on this page.
Navigate to the Entra ID portal and select the App Registrations page from the left navigation panel.
Create a New registration.
Enter a simple name like Emanate Security for this integration.
Under Supported Account Types, select the Single Tenant option.
Leave the Redirect URI blank, and click on the Register button.
Open the API permissions of the newly created App registration.
Select Add a permission.
Choose the option for Microsoft Graph.
Choose the option for Application Permissions.
Search for and select the blue check box for each of the following permissions:
AuditLog > AuditLog.Read.All
Directory > Directory.Read.All
SecurityAlert > SecurityAlert.Read.All
SecurityIncident > SecurityIncident.Read.All
Once all of the above permissions have been selected, click on the Add Permissions button to proceed.
To finalize granting these permissions, select the Grant admin consent button and confirm.
Once complete, a green check should be visible in the Status column for each permission.
Navigate to the Certificates & Secrets settings in your newly created App Registration.
Select the + New Client Secret button to generate a client secret for your integration.
Give it a meaningful name like Emanate Security Integration Secret.
Set Expires to the longest period possible according to your organization’s policy. Emanate Security recommends 12 months.
A new client secret must be created and shared with Emanate Security before the expiration of this secret to ensure uninterrupted log streaming.
Select the Add button to create the new client secret.
Copy the secret Value and save it for later in this process.
You MUST copy the secret at the time it is created. Once you leave the page, your secret value will be hidden, and you can no longer access it.
In the preceding steps you created an App Registration, giving you access to each of the following data points:
Application (client) ID
Directory (tenant) ID
Client Secret Value
If you still need to retrieve your Application ID or Directory ID, you can always go back to the Overview page for your newly created App Registration.
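A pre-flight check you can run before entering the three values into ESP, added here as an example and not Emanate Security's or Microsoft's own code: it requests an app-only token with the client credentials flow and compares the token's roles claim with the four permissions granted above. The function names are hypothetical, and the sample token is constructed and unsigned so the check runs offline.

```python
import base64, json, urllib.parse, urllib.request

# The four application permissions this guide grants.
REQUIRED = {"AuditLog.Read.All", "Directory.Read.All",
            "SecurityAlert.Read.All", "SecurityIncident.Read.All"}

def fetch_app_token(tenant_id, client_id, client_secret):
    """Client-credentials token request to the Microsoft identity platform."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def token_claims(token):
    """Decode the JWT payload for inspection only (signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(token, tenant_id):
    """Compare granted app roles with the guide's list; flag gaps and excess."""
    claims = token_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "missing": sorted(REQUIRED - granted),   # admin consent not granted yet
        "extra": sorted(granted - REQUIRED),     # broader than this guide needs
    }

def _constructed_token(claims):
    """Build an unsigned sample token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample: one permission lacks consent, one unrelated role is present.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE = _constructed_token({"tid": SAMPLE_TENANT, "roles": [
    "AuditLog.Read.All", "Directory.Read.All",
    "SecurityAlert.Read.All", "Mail.Read"]})

if __name__ == "__main__":
    print(audit_roles(SAMPLE, SAMPLE_TENANT))
```

To check your real App Registration, pass the result of fetch_app_token() to audit_roles(); an empty "missing" and an empty "extra" list mean the registration matches the permissions listed in this guide.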
Once you have gathered the above information, use the left-nav to navigate to the Integrations > Data Sources section of the Emanate Security user interface.
Here you'll see a form allowing you to enter your Microsoft Entra ID App Registration information.
Enter your Application (client) ID, Directory (tenant) ID, and Client Secret Value, then hit the Update button.
At this point, please notify your Emanate Security account representative to ensure proper next steps are followed depending on your status as an Assessment, Trial, or Paid customer.
This will complete your integration setup!
Please email any questions to support@emanatesecurity.com