Connecting Azure Sentinel to Microsoft 365
Start course

This course looks at how to monitor Microsoft 365 security with Azure Sentinel. We'll start by looking at what Azure Sentinel is and at what it offers, as well as how to onboard Azure Sentinel. We’ll then take a look at the process required for connecting Azure Sentinel to Microsoft 365 and you'll watch a live demo showing you how to do this.

After covering the onboarding of Azure Sentinel and the connection of Sentinel to Microsoft 365, we’ll look at how you can visualize data using Azure Sentinel, before wrapping things up by covering workbooks.

Learning Objectives

By the time you finish this course, you should have an understanding of how to onboard Azure Sentinel and how to connect it to Microsoft 365 and Office 365.

Intended Audience

This course is intended for anyone who wishes to learn what Azure Sentinel is and how to use it to monitor Microsoft 365.


To get the most out of this course, you should have a basic understanding of Microsoft 365.


Welcome to connecting Azure Sentinel to Microsoft 365. In this lesson, will take a look at the different Microsoft 365 services that Azure Sentinel can be connected to.

Now, before we get into the specifics of each of the Microsoft 365 services, let’s just take a quick look at the generic overview process of how Azure Sentinel connects to data sources.

We’ve already established that Azure Sentinel pulls data in from different services and apps by connecting to them and then forwarding events and logs into Azure Sentinel. To connect to the different data sources in your environment, including Microsoft 365 data sources, you use the data connectors page in Azure Sentinel. From the data connectors page, you can open the data connectors, gallery, which is a list of all of the different data sources that you can connect to. From here, you can select the data source you are most interested in. Once you connect Azure Sentinel to your data source, you can then stream logs from that data source into Azure Sentinel.

Azure Sentinel comes with a Microsoft 365 defender connector. This allows you to connect Azure Sentinel to Microsoft 365 defender, which was actually formerly known as Microsoft threat protection. This connector includes incident integration and allows you to stream all Microsoft 365 defender incidents and alerts into Azure Sentinel. It also ensures that the incidents between both portals, meaning the Microsoft 365 defender portal and Azure Sentinel are synchronized.

The Microsoft 365 defender connector also allows you to stream advanced hunting events from Microsoft defender for endpoint into Azure Sentinel as well.

Visit the URL on your screen to read more about integration with Microsoft 365 defender:

Another Microsoft 365 service that you can connect to from Azure Sentinel is Microsoft defender for endpoint. Azure Sentinel’s Microsoft defender for endpoint connector can be used to stream alerts from Microsoft defender for endpoint into Azure Sentinel. This allows you to analyze security events across the organization, and it also allows you to build playbooks to facilitate a more effective and immediate response to threats.

The URL on your screen provides more information about integration with Microsoft defender for endpoint:

Azure Sentinel’s office 365 log connector allows you to pull in ongoing user and admin activities in exchange, SharePoint, one drive, and teams into Azure Sentinel. The information that gets pulled in includes things like file downloads, access requests sent, mailbox operations, team events, and many other important bits of office 365 information. When you connect office 365 logs to Azure Sentinel, you can view and analyze all of this data in workbooks, you can create custom alerts, and you can incorporate the data into existing investigation processes.

Visit the URL on your screen to read more about integrating office 365 logs and Azure Sentinel:

You can also connect Azure Sentinel to Microsoft defender for office 365. Microsoft defender for office 365 was formerly known as office 365 advanced threat protection. Now, I’m not going to go into details on this offering because, at the time of this course creation, the ingestion of Microsoft defender for office 365 alerts is in public preview. Since it’s in public preview, things could change.

To read all about integration with Microsoft defender for office 365, visit the URL that you see on your screen:

Join me in the next lesson, where I’ll show you how to connect office 365 logs to Azure Sentinel.


About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.