Azure AD / Entra ID Integration
Overview
Azure Active Directory (now Microsoft Entra ID) provides identity and access management for cloud and hybrid environments. KYRA MDR collects Azure AD sign-in logs, audit logs, and risk events for identity threat detection.
Prerequisites
- A KYRA MDR Collector installed and running
- An account in the Azure AD tenant that can create an app registration and grant tenant-wide admin consent (Global Administrator or Privileged Role Administrator); Global Reader or Security Reader is enough to review the logs in the portal but not to grant consent
- Azure AD application registration with a client secret and the Microsoft Graph API permissions listed under Configuration
- Azure AD Premium P1 or P2 license (sign-in logs are only exposed through the API with P1 or P2; risk events require P2)
Configuration
Configure Azure AD log collection:
- Register an application in Azure Portal > App Registrations and create a client secret for it (client secrets expire; record the expiry date and rotate the secret before then)
- Grant the following Microsoft Graph API permissions as application permissions, not delegated permissions, since the collector authenticates with the client secret and no signed-in user:
  - AuditLog.Read.All
  - Directory.Read.All
  - IdentityRiskyUser.Read.All (P2 only; required for risk events)
- Grant admin consent for the permissions
- Configure the KYRA MDR collector:
```yaml
sources:
  - type: azure-ad
    tenant_id: <tenant-id>
    client_id: <client-id>
    client_secret: <client-secret>
    poll_interval: 120s
```
  The configuration file now holds the client secret; restrict its file permissions to the account the collector service runs as.
- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Sign-in Logs | User authentication events | Brute force, impossible travel detection |
| Audit Logs | Directory change events | Privilege escalation, policy changes |
| Risk Events | Identity risk detections (P2) | Compromised account detection |
| Provisioning | User provisioning events | Account lifecycle monitoring |
| Service Principal | App authentication events | Service account monitoring |
| MFA | Multi-factor authentication events | MFA bypass detection |
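The table names the detections that the sign-in logs support. As an added example (not KYRA MDR's detection content), the script below runs two of them, brute force and impossible travel, over a handful of constructed records laid out in the Microsoft Graph `signIn` shape (`userPrincipalName`, `createdDateTime`, `ipAddress`, `status.errorCode`, `location.geoCoordinates`). The thresholds (5 failures in 10 minutes, 900 km/h) and the sample users, IPs and timestamps are assumptions chosen for the demonstration.

```python
"""Brute-force and impossible-travel detections over Azure AD sign-in records.
Added example, not part of KYRA MDR; the sample records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

INVALID_CREDENTIALS = 50126   # AADSTS50126: invalid username or password
SUCCESS = 0                   # status.errorCode of a successful sign-in


def parse_ts(ts):
    """Graph emits ISO 8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def brute_force(records, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with `threshold` or more invalid-password failures inside
    `window`, across any number of target users (covers password spray too), and
    record whether a successful sign-in from that IP followed the burst."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        by_ip[r["ipAddress"]].append(r)
    hits = []
    for ip, recs in by_ip.items():
        failures = [parse_ts(r["createdDateTime"]) for r in recs
                    if r["status"]["errorCode"] == INVALID_CREDENTIALS]
        for i in range(len(failures) - threshold + 1):
            burst_end = failures[i + threshold - 1]
            if burst_end - failures[i] <= window:
                success_after = any(r["status"]["errorCode"] == SUCCESS
                                    and parse_ts(r["createdDateTime"]) > burst_end
                                    for r in recs)
                hits.append({"ip": ip, "failures": len(failures),
                             "users": len({r["userPrincipalName"] for r in recs}),
                             "success_after": success_after})
                break   # one alert per IP
    return hits


def haversine_km(a, b):
    """Great-circle distance between two geoCoordinates dicts, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a["latitude"], a["longitude"],
                                          b["latitude"], b["longitude"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(records, max_kmh=900.0, min_km=100.0):
    """Flag consecutive successful sign-ins by one user whose implied speed exceeds
    `max_kmh`. Pairs from the same IP or closer than `min_km` are ignored, which
    suppresses geo-IP jitter for a user who has not actually moved."""
    by_user = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == SUCCESS and r.get("location", {}).get("geoCoordinates"):
            by_user[r["userPrincipalName"]].append(r)
    hits = []
    for upn, recs in by_user.items():
        recs.sort(key=lambda r: r["createdDateTime"])
        for prev, cur in zip(recs, recs[1:]):
            if prev["ipAddress"] == cur["ipAddress"]:
                continue
            km = haversine_km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
            hours = (parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
            if km >= min_km and (hours <= 0 or km / hours > max_kmh):
                hits.append({"user": upn, "from": prev["location"]["city"],
                             "to": cur["location"]["city"], "km": round(km), "hours": round(hours, 2)})
    return hits


def _rec(upn, ts, ip, code, city, lat, lon):
    """Build a record in the subset of the Graph signIn schema used above."""
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "status": {"errorCode": code},
            "location": {"city": city, "geoCoordinates": {"latitude": lat, "longitude": lon}}}


# Constructed sample: alice hops London -> Sydney in one hour, bob's account is hit
# by six bad passwords from one IP and then signed into, carol commutes normally.
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "2024-03-01T09:00:00Z", "198.51.100.10", SUCCESS, "London", 51.5074, -0.1278),
    _rec("alice@contoso.example", "2024-03-01T10:00:00Z", "203.0.113.55", SUCCESS, "Sydney", -33.8688, 151.2093),
    *[_rec("bob@contoso.example", f"2024-03-01T08:0{i}:00Z", "203.0.113.7", INVALID_CREDENTIALS, "Unknown", 0.0, 0.0)
      for i in range(6)],
    _rec("bob@contoso.example", "2024-03-01T08:06:00Z", "203.0.113.7", SUCCESS, "Unknown", 0.0, 0.0),
    _rec("carol@contoso.example", "2024-03-01T07:00:00Z", "198.51.100.20", SUCCESS, "London", 51.5074, -0.1278),
    _rec("carol@contoso.example", "2024-03-01T10:00:00Z", "198.51.100.21", SUCCESS, "Paris", 48.8566, 2.3522),
]

if __name__ == "__main__":
    for hit in brute_force(SAMPLE_SIGNINS) + impossible_travel(SAMPLE_SIGNINS):
        print(hit)
```

In production the same functions take the records the collector pulls from the Graph `auditLogs/signIns` endpoint; note that the failure count for brute force deliberately keys on the source IP rather than the user, so a low-and-slow spray across many accounts from one address still trips it.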
Troubleshooting
No sign-in logs: Azure AD sign-in logs require an Azure AD P1 or P2 license.
Permission denied: Ensure the required permissions were added as Microsoft Graph application permissions (not delegated) and that admin consent has been granted for all of them. A token issued to an app without consented application permissions carries no `roles` claim, and Graph rejects the log queries.
Delayed data: Azure AD sign-in logs may have a delay of 5-15 minutes. This is a Microsoft-side limitation.
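A pre-flight check for the configuration steps above and for the "Permission denied" symptom, as an added example rather than KYRA MDR tooling: it obtains a token with the app registration's client credentials (the same grant the collector uses) and compares the `roles` claim in that token with the application permissions the collector needs, so a missing grant or missing admin consent shows up before the collector is restarted. The environment variable names `AZ_TENANT_ID`, `AZ_CLIENT_ID` and `AZ_CLIENT_SECRET` and the fallback sample token are assumptions for the demonstration; the sample token is constructed and unsigned.

```python
"""Check that the app registration's consented Microsoft Graph application
permissions cover what the Azure AD source needs. Added example, not part of
KYRA MDR or of Microsoft's tooling."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Application permissions (Graph app roles) the collector relies on.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}
P2_ROLES = {"IdentityRiskyUser.Read.All"}   # only needed for risk events (P2)


def acquire_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the v2.0 token endpoint (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode a JWT payload without verifying the signature. Verification is
    Graph's job as the audience; here we only inspect the claims we were issued."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token, need_risk_events=False):
    """Return the required app roles absent from the token's `roles` claim.
    Under the client-credentials grant, consented application permissions
    appear in `roles`; an app with none consented gets no `roles` claim at all."""
    granted = set(jwt_claims(token).get("roles", []))
    required = REQUIRED_ROLES | (P2_ROLES if need_risk_events else set())
    return sorted(required - granted)


def _fake_token(claims):
    """Constructed, unsigned token for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: consent given for audit and directory reads, not the P2 role.
SAMPLE_TOKEN = _fake_token({"aud": "https://graph.microsoft.com",
                            "roles": ["AuditLog.Read.All", "Directory.Read.All"]})

if __name__ == "__main__":
    creds = [os.environ.get(k) for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")]
    token = acquire_token(*creds) if all(creds) else SAMPLE_TOKEN
    missing = missing_permissions(token, need_risk_events=True)
    if missing:
        print("missing application permissions (grant and admin-consent these):", ", ".join(missing))
        sys.exit(1)
    print("all required permissions present")
```

Run it with the three environment variables set to the values from the collector configuration; an exit status of 1 lists exactly the permissions to add or consent to in the app registration. Without the variables it evaluates the constructed sample token, which reports the P2 permission as missing.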
Contact kyra@seekerslab.com for support.