To stream events from Microsoft 365 Defender to an event hub, you’ll need accounts configured with specific roles.
To add these roles to existing accounts:
- In the Azure portal, click All resources in the side navigation bar.
- Click the name of the event hub namespace you created earlier.
- Click Access control (IAM) in the side menu pane.
Add Contributor role
- Click +Add > Add Role Assignment.
- Click Contributor.
- Click the Members tab.
- Click +Select members.
- Select the account that can log in to Microsoft 365 Defender.
- Click Review + assign.
- Click Review + assign.
Add Reader role
- Click +Add > Add Role Assignment.
- Click Reader.
- Click the Members tab.
- Click +Select members.
- Select the account that is assigned as a Service Principal and can log in to the Microsoft Entra ID application.
- Click Review + assign.
- Click Review + assign.
Add Azure Event Hubs Data Receiver role
- Click +Add > Add Role Assignment.
- Click Azure Event Hubs Data Receiver.
- Click the Members tab.
- Click +Select members.
- Select the previous account, which is assigned as a Service Principal and can log in to the Microsoft Entra ID application.
- Click Review + assign.
- Click Review + assign.
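The same three assignments can be scripted with the Azure CLI, which pins each role to the namespace scope and leaves a reviewable record. This is an added example, not part of the original procedure; it assumes a signed-in `az` session allowed to create role assignments, and the environment variable names are placeholders chosen here. The last role is passed under its built-in name, Azure Event Hubs Data Receiver.

```shell
#!/bin/sh
# Added example (not from the original page): CLI equivalent of the portal steps.
set -eu

# ARM resource ID of the event hub namespace. Using it as the scope keeps the
# roles on this namespace only, not on the resource group or subscription.
namespace_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.EventHub/namespaces/%s\n' \
    "$1" "$2" "$3"
}

# assign_role <assignee> <role name> <scope>
assign_role() {
  az role assignment create --assignee "$1" --role "$2" --scope "$3" --output none
}

# assign_streaming_roles <scope> <defender account> <service principal>
assign_streaming_roles() {
  assign_role "$2" "Contributor" "$1"                      # account that logs in to Microsoft 365 Defender
  assign_role "$3" "Reader" "$1"                           # service principal of the Entra ID application
  assign_role "$3" "Azure Event Hubs Data Receiver" "$1"   # same service principal
}

# List what is assigned at the namespace, to review after the change.
list_namespace_assignments() {
  az role assignment list --scope "$1" --output table
}

# Runs only when APPLY=1, so sourcing the file changes nothing.
# SUBSCRIPTION_ID, RESOURCE_GROUP, NAMESPACE, DEFENDER_ACCOUNT and
# SERVICE_PRINCIPAL_ID are placeholder variable names (assumptions).
if [ "${APPLY:-0}" = "1" ]; then
  scope=$(namespace_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$NAMESPACE")
  assign_streaming_roles "$scope" "$DEFENDER_ACCOUNT" "$SERVICE_PRINCIPAL_ID"
  list_namespace_assignments "$scope"
fi
```

Because of `set -u`, the script stops before making any change if one of the placeholder variables is unset.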