Microsoft Entra ID

Monitor your Microsoft Entra ID activity on the AgileBlue Security Operations Platform. This integration supports sign-in logs, audit logs, identity protection logs, and provisioning logs.

 Setup Guide

Create a Resource Group

1. Log into your Azure Portal
2. Select Resource Group from the menu then click + Create
3. Designate the Subscription in which the resource group should be created
4. Assign a unique name to the group (Ex. AgileBlue-Resource-Group)
5. Select the Region
6. Click Review + Create

Create an Event Hubs Namespace

1. Navigate to All Services in the left-hand menu and click Event Hubs under Analytics
2. Click + Create in the top left-hand corner
3. Select the subscription in which you want to create the namespace
4. Choose the Resource Group created in the prior section
5. Input name for the Event Hubs Namespace
6. Select a Location
7. Ensure the pricing tier is set to Basic and leave the Throughput Units setting as is (1)
   1. NOTE: Do not enable auto-inflate unless you would like the Event Hubs to automatically increase the number of throughput units to meet usage needs in the event of an overage. This setting will prevent possibly delays or loss of data but could lead to increased costs.
8. Click Review + Create
9. Review the settings then click Create and wait for the deployment to complete
10. Once on the Deployment page, click Go to resource
11. Verify that you see the Event Hubs namespace page with the name provided earlier in this section

Create an Event Hub

1. While on the Event Hubs namespace Overview page, click +Event Hub
2. Give a name for the event hub (all lower case, no special characters other than -)
3. Leave all other settings as default
4. Click Review + create
5. On the following page, select Create if all settings look accurate
6. Once the Event Hub is created, you will see it under the list of Event Hubs in the Event Hubs Namespace

Enable Microsoft Entra ID Logging

1. From the Azure Portal homepage, click Microsoft Entra ID
2. Under the left-hand menu, navigate to Monitoring and click Sign-in logs
3. Select Export Data Settings at the top of the page
4. Click + Add diagnostic setting
5. Add a name for the Diagnostic Setting
6. Select all desired Log categories – for this integration we recommend a minimum of the following:
   1. AuditLogs
   2. SignInLogs
   3. NonInteractiveUserSignInLogs
   4. ServicePrincipalSignInLogs
   5. ManagedIdentitySignInLogs
   6. ProvisioningLogs
   7. Risky Users
   8. UserRiskEvents
7. Under Destination details select Stream to an event hub
8. Select the Subscription, Event hub namespace, Event hub name, and Event hub policy name corresponding to the information created int he previous sections
9. Click Save

Gather Required Information

1. Event Hub Connection string-primary key
   1. Navigate to the Event Hubs namespace and select Shared Access Policies
   2. Click RootManageSharedAccessKey and copy the connection string-primary key, which will need to be provided to AgileBlue
2. Storage Account
   
   1. Navigate to All Services > Storage > Storage Accounts
   2. Click Create Storage Account and complete the settings based on the information created so far in this guide
   3. Note the Storage account name which will need to be provided to AgileBlue
   4. Click Review + create
   5. On the review page, copy the Storage Account Name and the values under Key 1 (Key and Connection string)

Send Required Information to AgileBlue

Once all prior steps have been completed, send the following information back to AgileBlue Support  via a secure communication method:

• Event Hub Name (NOTE: This is the name of the event hub, NOT the name of the Event Hubs namespace)
• Connection String
• Storage Account Name
• Storage Account Key

Questions? Contact AgileBlue Support.

Email: support@agileblue.com
Phone: (216) 606-9400