Additionally, you may also notice that there is no longer a need for any kind of AAD license (P1/P2) for Sentinel customers to stream AAD logs.
I found out just recently that this isn’t entirely true. I was correct initially, and the original intention was to ensure that no license at all would be needed for any of the Azure Active Directory logs, but there was a miscommunication (or non-communication, as it turns out). No need to go into details, but here’s the scoop…
Enabling the Azure Active Directory Data Connector for Azure Sentinel effectively just creates a Diagnostic Setting for the AAD service so that the available logs stream directly into the Log Analytics workspace for Azure Sentinel. These logs include those shown in the next image.
However, when you go into the actual Diagnostic Setting that is created (shown in the next image) you see something that the Azure Sentinel Data Connector doesn’t communicate – the SigninLogs still needs at least a P1 license.
The only log that requires a license is the SigninLogs.
Our documentation will be updated soon to reflect this. There’s hope that this will change in the near future.
P.S. This is something managed by the Azure AD team.
Extra: Did you know that each Azure service has a limitation of 5 Diagnostic Settings that can be created?
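To check a tenant against the two points above (SigninLogs needing a license, and the limit of 5 Diagnostic Settings), here is an added example that is not from the original post or from Microsoft. It audits a saved JSON listing of the AAD Diagnostic Settings; the JSON shape, the setting names and the `audit` helper are assumptions constructed for illustration.

```python
import json

MAX_SETTINGS = 5                  # per-service limit mentioned in the post
LICENSED = {"signinlogs"}         # per the post, only SigninLogs needs P1 or higher

# Constructed sample. Assumed shape: value[].properties.logs[].category/.enabled
SAMPLE = json.loads("""
{"value": [
  {"name": "sentinel-aad",
   "properties": {
     "workspaceId": "<sentinel-workspace-resource-id>",
     "logs": [{"category": "AuditLogs",  "enabled": true},
              {"category": "SignInLogs", "enabled": true}]}},
  {"name": "archive",
   "properties": {
     "workspaceId": null,
     "logs": [{"category": "AuditLogs",  "enabled": true},
              {"category": "SignInLogs", "enabled": false}]}}
]}
""")

def audit(response):
    """Summarise Diagnostic Settings: slots used and which ones need a license."""
    settings = response.get("value", [])
    report = {
        "count": len(settings),
        "remaining": max(MAX_SETTINGS - len(settings), 0),
        "at_limit": len(settings) >= MAX_SETTINGS,
        "needs_p1": [],           # settings with a licensed category enabled
        "to_workspace": [],       # settings streaming to Log Analytics
    }
    for s in settings:
        props = s.get("properties", {})
        enabled = {l.get("category", "").lower()
                   for l in props.get("logs", []) if l.get("enabled")}
        # Compare case-insensitively: category casing may differ from the table name.
        if enabled & LICENSED:
            report["needs_p1"].append(s.get("name"))
        if props.get("workspaceId"):
            report["to_workspace"].append(s.get("name"))
    return report

if __name__ == "__main__":
    r = audit(SAMPLE)
    print(f"{r['count']}/{MAX_SETTINGS} Diagnostic Settings in use")
    for name in r["needs_p1"]:
        print(f"{name}: SigninLogs enabled, requires at least a P1 license")
```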