Microsoft Entra ID (formerly Azure Active Directory) generates audit and sign-in logs that provide valuable insights into user authentication, authorization, and administrative activities. This guide explains how to send these logs to Axiom using Azure Event Hub and Filebeat.

Architecture overview

The integration uses the following components:
  1. Microsoft Entra ID generates audit and sign-in logs
  2. Azure Event Hub receives logs from Entra ID diagnostic settings
  3. Filebeat with Azure Event Hub input reads from Event Hub and sends to Axiom

Prerequisites

Before you begin, ensure you have:
  • An active Azure subscription with Microsoft Entra ID
  • Permissions to configure diagnostic settings in Entra ID
  • An Azure Event Hub namespace and Event Hub
  • An Azure Storage Account for Filebeat checkpointing
  • Filebeat installed on a server or container

Step 1: Create Azure Event Hub

  1. In the Azure Portal, go to Event Hubs.
  2. Click Create to create a new Event Hub namespace.
  3. Fill in the required details:
    • Subscription: Select your subscription
    • Resource group: Create or select a resource group
    • Namespace name: Choose a unique name
    • Location: Select your preferred region
    • Pricing tier: Select appropriate tier (Basic, Standard, or Premium)
  4. Click Review + create, then Create.
  5. Once the namespace is created, go to the namespace and click + Event Hub to create a new Event Hub.
  6. Name your Event Hub (for example, entra-logs) and click Create.

Step 2: Create shared access policy

  1. In your Event Hub namespace, go to Shared access policies.
  2. Click + Add to create a new policy.
  3. Name the policy (for example, filebeat-policy).
  4. Select only the Listen permission; Filebeat consumes events and needs nothing more.
  5. Click Create.
  6. Click on the newly created policy and copy the Connection string-primary key. You’ll need this for Filebeat configuration.

Step 3: Create Azure Storage Account

Filebeat requires an Azure Storage Account to store checkpoints, ensuring it doesn’t re-read events after a restart.
  1. In the Azure Portal, go to Storage accounts.
  2. Click Create and fill in the required details:
    • Storage account name: Choose a unique name
    • Region: Same as your Event Hub
    • Performance: Standard
    • Redundancy: Select appropriate option (LRS is sufficient for checkpointing)
  3. Click Review + create, then Create.
  4. Once created, go to Access keys and copy the Storage account name and Key.

Step 4: Configure Entra ID diagnostic settings

  1. In the Azure Portal, go to Microsoft Entra ID.
  2. In the left menu, click Diagnostic settings.
  3. Click + Add diagnostic setting.
  4. Configure the setting:
    • Name: Give it a descriptive name (for example, send-to-event-hub)
    • Logs: Select the log categories you want to send:
      • AuditLogs: Administrative activities
      • SignInLogs: User sign-in activities
      • NonInteractiveUserSignInLogs: Service principal sign-ins
      • ServicePrincipalSignInLogs: Managed identity sign-ins
    • Destination details: Check Stream to an event hub
    • Event hub namespace: Select your Event Hub namespace
    • Event hub name: Select your Event Hub
    • Event hub policy name: Select the policy you created
  5. Click Save.

Step 5: Configure Filebeat

Create or edit your filebeat.yml configuration file:
filebeat.inputs:
  - type: azure-eventhub
    eventhub: "entra-logs"
    consumer_group: "$Default"
    connection_string: "Endpoint=sb://YOUR_NAMESPACE.servicebus.windows.net/;SharedAccessKeyName=YOUR_POLICY;SharedAccessKey=YOUR_KEY"
    storage_account: "YOUR_STORAGE_ACCOUNT_NAME"
    storage_account_key: "YOUR_STORAGE_ACCOUNT_KEY"
    storage_account_container: "filebeat-checkpoint"

processors:
  - decode_json_fields:
      fields: ["message"]
      target: ""
      overwrite_keys: true
  - drop_fields:
      fields: ["message"]

output.elasticsearch:
  hosts: ['https://AXIOM_DOMAIN/v1/datasets/DATASET_NAME/elastic']
  api_key: 'axiom:API_TOKEN'
  allow_older_versions: true

setup.ilm.enabled: false
Replace AXIOM_DOMAIN with api.axiom.co if your organization uses the US region. For more information, see Regions.
Replace API_TOKEN with the Axiom API token you have generated. For added security, store the API token in an environment variable.
Replace DATASET_NAME with the name of the Axiom dataset where you send your data.
Replace the following placeholders:
  • YOUR_NAMESPACE: Your Event Hub namespace name
  • YOUR_POLICY: Your shared access policy name
  • YOUR_KEY: Your shared access policy key
  • YOUR_STORAGE_ACCOUNT_NAME: Your storage account name
  • YOUR_STORAGE_ACCOUNT_KEY: Your storage account key

Step 6: Start Filebeat

Start Filebeat to begin collecting logs:
filebeat -e -c filebeat.yml
For production deployments, run Filebeat as a service:
# On Linux with systemd
sudo systemctl start filebeat
sudo systemctl enable filebeat

Verify data in Axiom

  1. Go to the Axiom app and navigate to the Datasets tab.
  2. Select your dataset.
  3. You should see Microsoft Entra ID logs appearing with fields such as:
    • operationName: The operation performed
    • category: Log category (AuditLogs, SignInLogs, etc.)
    • identity: User or service principal identity
    • properties: Detailed log properties
    • time: Timestamp of the event
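To see what the processor chain from Step 5 produces, and to check that each event carries the fields listed above, here is an added Python example (not Axiom's or Filebeat's code). It assumes the azure-eventhub input splits the envelope's records array into one event per record, and it runs on a constructed sample message body:

```python
import json

# Log categories selected in the diagnostic setting (Step 4 of the guide).
EXPECTED_CATEGORIES = {"AuditLogs", "SignInLogs",
                       "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs"}
# Fields the guide says each event should show in Axiom.
REQUIRED_FIELDS = ("operationName", "category", "identity", "properties", "time")


def unpack_eventhub_message(body: str) -> list:
    """Emulate the guide's pipeline: the Event Hub message is a JSON envelope
    whose 'records' array holds the log entries (assumed to be split into one
    event per record by the azure-eventhub input); decode_json_fields with
    target "" then lifts each record's keys to the top level and drop_fields
    removes 'message'. A body without 'records' is treated as a single record
    (our own fallback, not behaviour documented on the page)."""
    envelope = json.loads(body)
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if records is None:
        records = [envelope]
    events = []
    for record in records:
        event = {"message": json.dumps(record)}      # what the input emits
        event.update(json.loads(event["message"]))  # decode_json_fields
        event.pop("message", None)                  # drop_fields
        events.append(event)
    return events


def check_event(event: dict) -> list:
    """Return the problems found in one decoded event (empty list = OK)."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in event]
    category = event.get("category")
    if category is not None and category not in EXPECTED_CATEGORIES:
        problems.append(f"unexpected category: {category}")
    return problems


# Constructed sample message body (not real tenant data): two records.
SAMPLE_BODY = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "operationName": "Sign-in activity",
     "category": "SignInLogs", "identity": "Example User",
     "properties": {"status": {"errorCode": 0}}},
    {"time": "2024-01-01T00:00:01Z", "operationName": "Add user",
     "category": "AuditLogs", "identity": "Example Admin"},  # no properties
]})

if __name__ == "__main__":
    for ev in unpack_eventhub_message(SAMPLE_BODY):
        print(ev.get("operationName"), check_event(ev) or "OK")
```

Point it at a message body captured from your own Event Hub to confirm the records decode the way the Step 5 processors expect before looking for data in Axiom.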

Alternative: Using Vector

You can also use Vector instead of Filebeat. Here’s a sample Vector configuration:
[sources.azure_eventhub]
type = "azure_eventhub"
connection_string = "Endpoint=sb://YOUR_NAMESPACE.servicebus.windows.net/;SharedAccessKeyName=YOUR_POLICY;SharedAccessKey=YOUR_KEY"
consumer_group = "$Default"
eventhub = "entra-logs"
storage_account = "YOUR_STORAGE_ACCOUNT_NAME"
storage_account_key = "YOUR_STORAGE_ACCOUNT_KEY"

[transforms.parse_json]
type = "remap"
inputs = ["azure_eventhub"]
source = '''
. = parse_json!(.message)
'''

[sinks.axiom]
type = "axiom"
inputs = ["parse_json"]
token = "API_TOKEN"
dataset = "DATASET_NAME"
Replace API_TOKEN with the Axiom API token you have generated. For added security, store the API token in an environment variable.
Replace DATASET_NAME with the name of the Axiom dataset where you send your data.

Troubleshooting

No logs appearing in Axiom

  • Verify that diagnostic settings are enabled in Entra ID
  • Check that the Event Hub is receiving events in the Azure Portal
  • Ensure Filebeat is running without errors (filebeat -e -c filebeat.yml)
  • Verify the connection string and storage account credentials are correct

Filebeat checkpoint errors

  • Ensure the storage account container exists (Filebeat creates it automatically if it has permissions)
  • Verify the storage account key is correct
  • Check that the storage account is in the same region as the Event Hub for better performance

High latency

  • Microsoft Entra ID diagnostic settings can have a delay of 5-15 minutes before logs appear in Event Hub
  • Consider using a higher Event Hub tier for better throughput
  • Ensure Filebeat has sufficient resources (CPU and memory)

Cost considerations

  • Event Hub: Charged based on throughput units and message ingestion
  • Storage Account: Minimal cost for checkpoint storage
  • Data transfer: Egress charges may apply depending on your Azure region
For more information, see Azure Event Hub pricing and Azure Storage pricing.