Microsoft Entra ID Data Connector

Ingest Microsoft Entra ID identity, risk, and audit events into Torq to enable automated analysis and Auto-Triage.

Overview

The Microsoft Entra ID data connector enables seamless ingestion of identity security events into Torq for use in Auto-Triage. This connector is designed to integrate directly with Microsoft Entra ID (formerly Azure Active Directory), allowing you to automatically ingest identity-related events such as risky sign-ins, risk detections, and audit logs.

Key benefits include:

  • Simplified setup: Configure ingestion through a guided UI without building custom integrations.

  • Continuous ingestion: Events are retrieved automatically at regular intervals.

  • Auto-Triage integration: Route identity events directly into automated triage and case creation.

  • Historical backfill: Ingest past events during initial setup (up to 14 days, subject to Entra retention).

  • Built-in reliability: Handle retries, deduplication, and rate limits automatically.

Common scenarios

Automated triage for risky sign-ins

Risky sign-ins (for example, impossible travel or anonymous IP usage) are automatically ingested and analyzed by Auto-Triage. Events are enriched with user and device context, evaluated based on risk signals, and can trigger automated remediation actions such as session revocation or MFA enforcement.

Identity Protection risk detection response

Microsoft Entra ID Identity Protection generates user-level and sign-in-level risk detections (for example, leaked credentials or token anomalies). These detections are ingested into Torq and used to trigger automated workflows for investigation, correlation, and response.

Audit log automation and compliance

Audit logs capture directory activity such as user changes, role assignments, and policy updates. The connector enables automation for compliance monitoring, privilege escalation detection, and audit trail workflows.

Prerequisites

Before setting up the Microsoft Entra ID data connector, ensure the following requirements are met:

  • Microsoft Entra ID tenant access: Access to Microsoft Entra ID with appropriate permissions.

  • Microsoft Entra application: A registered application for authentication.

  • Permissions: Configure the required Microsoft Graph permissions based on the selected event types.

How to use

Create an app registration in Microsoft Entra ID

Navigate to app registrations

  1. Open Azure Portal: Go to https://portal.azure.com/.

  2. Go to app registrations: Navigate to Microsoft Entra ID > App registrations > New registration.

Register the application

  1. Enter application name: Provide a unique, meaningful name (e.g., Torq Entra Connector).

  2. Set supported account type: Select Accounts in this organizational directory only.

  3. Create app: Click Register.

Collect application details

  1. Copy identifiers: From the application overview page, copy:

    • Application (Client) ID

    • Directory (Tenant) ID

  2. Store securely: Save these values for use during Torq configuration.

Create client secret

  1. Navigate to secrets: Go to Certificates & secrets.

  2. Create secret: Click New client secret.

  3. Define secret: Add a description (e.g., Torq Secret) and select an expiration period.

  4. Save secret: Click Add.

  5. Copy secret value: Immediately copy the secret from the Value column and store it securely.

The secret value is only visible once and cannot be retrieved later.

Configure API permissions

  1. Open permissions: Go to API permissions.

  2. Add permissions: Click Add a permission > Microsoft Graph > Application permissions.

  3. Grant required permissions: Add:

    • AuditLog.Read.All (Directory audit logs)

    • IdentityRiskEvent.Read.All (Risk detections)

    • IdentityRiskyUser.Read.All (Risky users and sign-ins)

Grant admin consent

  1. Approve permissions: Click Grant admin consent.

  2. Confirm action: Approve the request to apply permissions organization-wide.
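
To confirm that admin consent produced exactly the permissions listed above, you can inspect the `roles` claim of an access token the app obtains for Microsoft Graph. The following is an added example, not Torq or Microsoft code; the function names and the sample token are constructed for illustration, and the check assumes application permissions appear in the token's `roles` claim.

```python
import base64
import json

# Mapping taken from the permission list on this page.
REQUIRED_BY_EVENT_TYPE = {
    "Directory Audit Logs": "AuditLog.Read.All",
    "Risk Detections": "IdentityRiskEvent.Read.All",
    "Risky Sign-In Logs": "IdentityRiskyUser.Read.All",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_roles(access_token: str) -> set:
    """Return the application permissions in the token's `roles` claim.

    Inspection only: the signature is NOT verified here.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    claims = json.loads(b64url_decode(parts[1]))
    # A token with no `roles` claim is treated as having no permissions.
    return set(claims.get("roles", []))


def audit_permissions(access_token: str, event_types: list) -> dict:
    """Compare granted roles with what the selected event types need."""
    needed = {REQUIRED_BY_EVENT_TYPE[e] for e in event_types}
    granted = granted_roles(access_token)
    return {
        "missing": sorted(needed - granted),  # required but not consented
        "excess": sorted(granted - needed),   # least-privilege review candidates
    }


def constructed_token(roles: list) -> str:
    # Constructed sample token for offline demonstration; not a real credential.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), "sig"])


SAMPLE = constructed_token(
    ["AuditLog.Read.All", "IdentityRiskyUser.Read.All", "Directory.ReadWrite.All"])

if __name__ == "__main__":
    print(audit_permissions(SAMPLE, list(REQUIRED_BY_EVENT_TYPE)))
```

Pass only the event types you intend to select in the connector instance, so that permissions for unselected event types are reported as excess.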

Set up a data connector instance

  1. Open connector setup: Go to Integrations > Microsoft Entra ID > Add Instance.

  2. Configure connection details:

    • Name: Enter a descriptive name.

    • Tenant ID: Enter your Microsoft Entra tenant ID.

    • Client ID: Enter the application (client) ID.

    • Client Secret: Enter the generated client secret.

    • Microsoft Graph URL: Enter the Microsoft Graph base URL used by your environment.

  3. Select event types: Choose which events to ingest:

    • Directory Audit Logs

    • Risky Sign-In Logs

    • Risk Detections

  4. (Optional) Configure backfill: Set a lookback window to ingest historical events (up to 14 days, subject to retention).

  5. Save configuration: Click Add to create the connector. Ingestion starts automatically.

When you edit an existing Entra ID instance, the past data ingestion period cannot be changed. To change it, delete the instance and create a new one.

You’ve successfully set up the Microsoft Entra ID Data Connector in Torq. With the connector configured, Torq continuously ingests identity events and enables automated triage, investigation, and response workflows across your identity security stack.
