Collect Azure AD Directory Audit logs

This document explains how to collect Microsoft Entra ID (formerly Azure Active Directory) directory audit logs by setting up a Google Security Operations feed. You can configure ingestion using two methods: Azure Event Hub (recommended) or the Third Party API.

Entra ID directory audit logs capture changes made within your tenant, including user and group management, application updates, directory role changes, and policy modifications.

Before you begin

Ensure that you have the following prerequisites:

• A Google SecOps instance.
• Privileged access to the Microsoft Azureportal.
• Security Administratoror Global Administratorrole in Microsoft Entra ID (required for diagnostic settings).

Method 1: Azure Event Hub (recommended)

This method streams Entra ID audit logs through Azure Event Hub with Capture enabled, which writes the data to Azure Blob Storage. Google SecOps then ingests the logs from Blob Storage using the Azure Blob Storage V2 feed type.

Configure Azure Storage Account

Create Storage Account

1. In the Azure portal, search for Storage accounts.
2. Click + Create.

3. Provide the following configuration details:

   Setting	Value
   Subscription	Select your Azure subscription
   Resource group	Select existing or create new
   Storage account name	Enter a unique name (for example, secopsauditlogs )
   Region	Select the region closest to your Event Hub namespace
   Performance	Standard (recommended)
   Redundancy	LRS (Locally redundant storage) or GRS (Geo-redundant storage)

4. Click Review + create.

5. Review the overview and click Create.

6. Wait for the deployment to complete.

Get Storage Account credentials

1. Go to the Storage Accountyou created.
2. In the left navigation, select Access keysunder Security + networking.
3. Click Show keys.
4. Copy and save the following:
   • Storage account name
   • Key 1or Key 2: The shared access key.

Create Event Hub namespace and Event Hub

Create Event Hub namespace

1. In the Azure portal, search for Event Hubs.
2. Click + Create.

3. Provide the following configuration details:

   Setting	Value
   Subscription	Select your Azure subscription
   Resource group	Select the same resource group as your storage account
   Namespace name	Enter a unique name (for example, secops-entraid-audit )
   Location	Select the same region as your storage account
   Pricing tier	Standard (required for Event Hub Capture)

4. Click Review + create, then click Create.

5. Wait for the deployment to complete.

Create Event Hub

1. Go to the Event Hub namespace you created.
2. Click + Event Hubat the top.
3. Provide the following configuration details:
   • Name: Enter a name (for example, entraid-audit-logs ).
   • Partition count: 2 (default, increase for higher throughput).
   • Cleanup policy: Delete.
   • Retention time (hrs): 24 (minimum, increase if needed for resilience).
4. Click Review + create, then click Create.

Enable Event Hub Capture

1. Go to the Event Hub you created (inside the namespace).
2. In the left navigation, select Capture.
3. Set Captureto On.

4. Provide the following configuration details:

   Setting	Value
   Time window (minutes)	5 (or lower for near-real-time)
   Size window (MB)	300
   Capture Provider	Azure Blob Storage
   Azure Subscription	Select your subscription
   Storage Account	Select the storage account you created
   Blob Container	Create or select a container (for example, entraid-audit-capture )

5. Click Save.

Configure Entra ID diagnostic settings

1. In the Azure portal, search for Microsoft Entra ID.
2. In the left navigation, go to Monitoring & health > Diagnostic settings.
3. Click Add diagnostic setting.
4. Provide the following configuration details:
   • Diagnostic setting name: Enter a descriptive name (for example, audit-logs-to-eventhub ).
   • In the Logssection, select AuditLogs.
   • In the Destination detailssection, select Stream to an event hub.
   • Subscription: Select the subscription containing your Event Hub namespace.
   • Event hub namespace: Select the namespace you created (for example, secops-entraid-audit ).
   • Event hub name: Select the Event Hub you created (for example, entraid-audit-logs ).
   • Event hub policy name: Select RootManageSharedAccessKey.

5. Click Save.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

• SIEM Settings > Feeds > Add New Feed
• Content Hub > Content Packs > Get Started

Configure a feed in Google SecOps to ingest Entra ID audit logs

1. Click the Azure Platformpack.
2. Locate the Azure AD Directory Auditlog type.

3. Specify values for the following fields:

   • Source Type: Microsoft Azure Blob Storage V2

   • Azure URI: Enter the Blob Service endpoint URL with the capture container path:

      https://<storage-account>.blob.core.windows.net/entraid-audit-capture/ 
     

     Replace <storage-account> with your Azure storage account name.

   • Source deletion option: Select the deletion option according to your preference:

     • Never: Never deletes any files after transfers.
     • Delete transferred files: Deletes files after successful transfer.
     • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.

   • Maximum File Age: Include files modified in the last number of days. Default is 180 days.

   • Shared key: Enter the shared access key value from the Storage Account.

   • Asset namespace: The asset namespace .

   • Ingestion labels: The label to be applied to the events from this feed.

4. Click Create feed.

After creating the feed, it may take 5-10 minutes before logs start appearing in Google SecOps.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation . For information about requirements for each feed type, see Feed configuration by type . If you encounter issues when you create feeds, contact Google Security Operations support .

Configure Azure Storage firewall (if enabled)

If your Azure Storage Account uses a firewall, you must add Google SecOps IP ranges.

1. In the Azure portal, go to your Storage Account.
2. Select Networkingunder Security + networking.
3. Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
4. In the Firewallsection, under Address range, click + Add IP range.
5. Add each Google SecOps IP range in CIDR notation.
   • See IP Allowlisting documentation .
   • Or retrieve them programmatically using the Feed Management API .
6. Click Save.

Method 2: Third Party API

This method uses the Microsoft Graph API to retrieve Entra ID directory audit logs directly from your Microsoft tenant.

Configure IP allowlisting

Before creating the feed, you must allowlist Google SecOps IP ranges in your Microsoft Azure network settings or Conditional Access policies.

Get Google SecOps IP ranges

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. Note the IP ranges displayed in the feed creation interface.
4. Alternatively, retrieve IP ranges programmatically using the Feed Management API .

Configure Conditional Access for workload identities (if required)

If your organization uses Conditional Access policies that restrict access by location:

1. In the Microsoft Entra admin center, go to Protection > Conditional Access > Named locations.
2. Click + New location.
3. Provide the following configuration details:
   • Name: Enter Google SecOps IP Ranges .
   • Mark as trusted location: Optional, based on your security policy.
   • IP ranges: Add each Google SecOps IP range in CIDR notation.
4. Click Create.
5. Go to Conditional Access > Policies.
6. For any policies that apply to workload identities, configure an exclusion for the Google SecOps IP Ranges named location or the specific service principal.

Configure Microsoft Entra app registration

Create app registration

1. Sign in to the Microsoft Entra admin center or Azure portal .
2. Go to Identity > Applications > App registrations.
3. Click New registration.
4. Provide the following configuration details:
   • Name: Enter a descriptive name (for example, Google SecOps Audit Logs Integration ).
   • Supported account types: Select Accounts in this organizational directory only (Single tenant).
   • Redirect URI: Leave blank (not required for service principal authentication).
5. Click Register.
6. After registration, copy and save the following values:
   • Application (client) ID
   • Directory (tenant) ID

Configure API permissions

1. In the app registration, go to API permissions.
2. Click Add a permission.
3. Select Microsoft Graph > Application permissions.
4. Search for and select the following permissions:
   • AuditLog.Read.All- Required to read directory audit logs.
   • Directory.Read.All- Required by Microsoft Graph API for audit log access.
5. Click Add permissions.
6. Click Grant admin consent for [Your Organization].

7. Verify that the Statuscolumn shows Granted for [Your Organization]for all permissions.

Permission	Type	Description
AuditLog.Read.All	Application	Read all audit log data
Directory.Read.All	Application	Read directory data (required for API access)

Create client secret

1. In the app registration, go to Certificates & secrets.
2. Click New client secret.

3. Provide the following configuration details:

   • Description: Enter a descriptive name (for example, Google SecOps Feed ).
   • Expires: Select an expiration period.

4. Click Add.

5. Copy the client secret Valueimmediately.

   Important: The secret value is displayed only once and cannot be retrieved after leaving this page. If you lose the value, you must create a new client secret.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

• SIEM Settings > Feeds > Add New Feed
• Content Hub > Content Packs > Get Started

Configure a feed in Google SecOps to ingest Entra ID audit logs

1. Click the Azure Platformpack.
2. Locate the Azure AD Directory Auditlog type.

3. Specify values for the following fields:

   • Source Type: Third party API (recommended)
   • OAuth Client ID: Enter the Application (client) IDfrom the app registration.
   • OAuth Client Secret: Enter the client secret valueyou copied earlier.
   • Tenant ID: Enter the Directory (tenant) IDfrom the app registration in UUID format (for example, 0fc279f9-fe30-41be-97d3-abe1d7681418 ).

   • API Full Path: Enter the Microsoft Graph REST API endpoint URL:

      graph.microsoft.com/v1.0/auditLogs/directoryAudits 
     

   • API Authentication Endpoint: Enter the Microsoft Active Directory authentication endpoint:

      login.microsoftonline.com 
     

   • Asset namespace: The asset namespace .

   • Ingestion labels: The label to be applied to the events from this feed.

4. Click Create feed.

After creating the feed, it may take 5-10 minutes before logs start appearing in Google SecOps.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation . For information about requirements for each feed type, see Feed configuration by type . If you encounter issues when you create feeds, contact Google Security Operations support .

Regional endpoints

For Microsoft Entra ID deployments in sovereign clouds, use the appropriate regional endpoints:

Cloud Environment	API Full Path	API Authentication Endpoint
Global	graph.microsoft.com/v1.0/auditLogs/directoryAudits	login.microsoftonline.com
US Government L4	graph.microsoft.us/v1.0/auditLogs/directoryAudits	login.microsoftonline.us
US Government L5 (DOD)	dod-graph.microsoft.us/v1.0/auditLogs/directoryAudits	login.microsoftonline.us
China (21Vianet)	microsoftgraph.chinacloudapi.cn/v1.0/auditLogs/directoryAudits	login.chinacloudapi.cn

Need more help? Get answers from Community members and Google SecOps professionals.