To set up streaming from Microsoft Entra ID:
- In Azure Portal, click Microsoft Entra ID in the side navigation pane.
- Scroll down to Monitoring in the side menu and click Audit logs.
- Click Export Data Settings.
- Click +Add diagnostics setting.
Alternatively, if you already have a logging configuration set up, click Edit Settings next to the diagnostic setting. - Tick these Logs checkboxes:
- AuditLogs
- SignInLogs
- NonInteractiveUserSignInLogs
- ServicePrincipalSignInLogs
- ManagedIdentitySignInLogs
- ProvisioningLogs
- ADFSSignInLogs
- RiskyUsers
- UserRiskEvents
- Tick Stream to an event hub.
- Select the event hub namespace and event hub that you created earlier.
If you don’t select an event hub, Azure Portal will create an event hub called insights-logs-audit in the selected namespace. - Click Save.