Configure Azure Active Directory Data Connectors

The azure-native:securityinsights:AADDataConnector resource, part of the Pulumi Azure Native provider, registers a Microsoft Entra ID data connector within a Sentinel workspace to enable identity log ingestion. This guide focuses on one capability: connecting Entra ID logs to Sentinel.

Data connectors link external log sources to Sentinel workspaces. The connector requires an existing Sentinel workspace, resource group, and tenant permissions. The examples are intentionally small. Combine them with your own workspace configuration and data retention policies.

Connect Microsoft Entra ID to a Sentinel workspace

Security teams monitoring identity threats ingest sign-in logs, audit events, and risk detections from Microsoft Entra ID into Sentinel for correlation and analysis.

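TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const aadDataConnector = new azure_native.securityinsights.AADDataConnector("aadDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    // kind must be "AzureActiveDirectory" for this connector type.
    kind: "AzureActiveDirectory",
    resourceGroupName: "myRg",
    // Placeholder: replace with the Entra ID tenant to collect logs from.
    tenantId: "00000000-0000-0000-0000-000000000000",
    workspaceName: "myWorkspace",
});

Python:

import pulumi
import pulumi_azure_native as azure_native

# kind must be "AzureActiveDirectory"; tenant_id below is a placeholder
# for the Entra ID tenant to collect logs from.
aad_data_connector = azure_native.securityinsights.AADDataConnector("aadDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    kind="AzureActiveDirectory",
    resource_group_name="myRg",
    tenant_id="00000000-0000-0000-0000-000000000000",
    workspace_name="myWorkspace")

Go:

package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewAADDataConnector(ctx, "aadDataConnector", &securityinsights.AADDataConnectorArgs{
			DataConnectorId: pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			// Kind must be "AzureActiveDirectory" for this connector type.
			Kind:              pulumi.String("AzureActiveDirectory"),
			ResourceGroupName: pulumi.String("myRg"),
			// Placeholder: replace with the Entra ID tenant to collect logs from.
			TenantId:      pulumi.String("00000000-0000-0000-0000-000000000000"),
			WorkspaceName: pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var aadDataConnector = new AzureNative.SecurityInsights.AADDataConnector("aadDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        // Kind must be "AzureActiveDirectory" for this connector type.
        Kind = "AzureActiveDirectory",
        ResourceGroupName = "myRg",
        // Placeholder: replace with the Entra ID tenant to collect logs from.
        TenantId = "00000000-0000-0000-0000-000000000000",
        WorkspaceName = "myWorkspace",
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.AADDataConnector;
import com.pulumi.azurenative.securityinsights.AADDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // kind must be "AzureActiveDirectory"; the tenantId value is a
        // placeholder for the Entra ID tenant to collect logs from.
        var aadDataConnector = new AADDataConnector("aadDataConnector", AADDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .kind("AzureActiveDirectory")
            .resourceGroupName("myRg")
            .tenantId("00000000-0000-0000-0000-000000000000")
            .workspaceName("myWorkspace")
            .build());

    }
}

YAML:

resources:
  aadDataConnector:
    type: azure-native:securityinsights:AADDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      # kind must be AzureActiveDirectory for this connector type.
      kind: AzureActiveDirectory
      resourceGroupName: myRg
      # Placeholder: replace with the Entra ID tenant to collect logs from.
      tenantId: 00000000-0000-0000-0000-000000000000
      workspaceName: myWorkspace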

The connector streams Entra ID telemetry into your Sentinel workspace. The dataConnectorId uniquely identifies this connector instance, while workspaceName and resourceGroupName specify where logs are delivered. The tenantId property determines which Entra ID tenant’s logs are collected. Once registered, the connector begins ingesting identity events automatically.

Beyond these examples

This snippet focuses on Sentinel workspace data connector registration. It’s intentionally minimal rather than a full security monitoring deployment.

The example references pre-existing infrastructure such as a Microsoft Sentinel workspace, Azure resource group, and Microsoft Entra ID tenant with appropriate permissions. It focuses on connector registration rather than provisioning the workspace or configuring log analytics.

To keep things focused, common data connector patterns are omitted, including:

  • Data type filtering (dataTypes property)
  • Connector state management and monitoring
  • Log Analytics workspace configuration
  • Data retention and cost controls

These omissions are intentional: the goal is to illustrate how the data connector is wired, not provide a drop-in security monitoring module. See the AADDataConnector resource reference for all available configuration options.

Frequently Asked Questions

Configuration & Setup

What's required to create a Microsoft Entra ID data connector?
You need to provide kind (set to ‘AzureActiveDirectory’), tenantId, dataConnectorId, resourceGroupName, and workspaceName. The tenantId specifies which tenant to connect to and collect data from.

How do I specify which data types to collect?
Use the optional dataTypes property to configure the available data types for the connector.

Why do the examples mention Office365 and Threat Intelligence Platform?
The example titles reference different use cases, but all examples use the same AADDataConnector resource type. The connector’s behavior is determined by your configuration, not the example title.

Resource Properties & Immutability

What properties can't I change after creating the data connector?
The dataConnectorId, resourceGroupName, and workspaceName properties are immutable. Changing any of these requires replacing the resource.

API Versions & Provider Changes

What API version does this resource use?
Current versions use Azure REST API version 2024-09-01. Version 2.x of the Azure Native provider used API version 2023-02-01, so be aware of potential behavior differences when upgrading.
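
A pre-deployment check built from the FAQ's rules on required and immutable properties, as an added example that is not part of the Pulumi provider or this guide's own code. The function names, the plain-dict input shape, the severity labels and the sample values (including the placeholder tenant ID) are assumptions made for illustration.

```python
# Added example: review proposed AADDataConnector inputs before deploying.
# Property names come from the guide; everything else here is illustrative.
REQUIRED = ("kind", "tenantId", "dataConnectorId", "resourceGroupName", "workspaceName")
IMMUTABLE = ("dataConnectorId", "resourceGroupName", "workspaceName")
EXPECTED_KIND = "AzureActiveDirectory"


def review_connector_change(desired, deployed=None):
    """Return (severity, message) findings for a proposed connector config.

    Both arguments are plain dicts of input properties (an assumed shape);
    deployed is None when the connector does not exist yet.
    """
    findings = []
    for name in REQUIRED:
        if not desired.get(name):
            findings.append(("error", f"missing required property: {name}"))
    kind = desired.get("kind")
    if kind and kind != EXPECTED_KIND:
        findings.append(("error", f"kind must be {EXPECTED_KIND!r}, got {kind!r}"))
    if deployed:
        for name in IMMUTABLE:
            if desired.get(name) != deployed.get(name):
                findings.append(("replace", f"{name} changed: connector will be replaced"))
        old_tenant, new_tenant = deployed.get("tenantId"), desired.get("tenantId")
        if old_tenant and new_tenant and old_tenant != new_tenant:
            findings.append(("review", "tenantId changed: logs would come from another tenant"))
    return findings


def blocks_deploy(findings):
    """Errors and forced replacements should stop an unattended deployment."""
    return any(severity in ("error", "replace") for severity, _ in findings)


# Constructed sample inputs (the tenant ID is a placeholder, not a real tenant).
DEPLOYED = {
    "kind": "AzureActiveDirectory",
    "tenantId": "00000000-0000-0000-0000-000000000001",
    "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04",
    "resourceGroupName": "myRg",
    "workspaceName": "myWorkspace",
}

if __name__ == "__main__":
    moved = dict(DEPLOYED, workspaceName="otherWorkspace")
    for severity, message in review_connector_change(moved, DEPLOYED):
        print(f"{severity}: {message}")
```

Run it in CI against the inputs you are about to deploy; a "replace" finding means the change cannot be applied in place and the connector would be recreated.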
