This guide is only for Microsoft Entra ID via Event Hub. If you are looking for Microsoft Entra ID Protection, go to Microsoft Entra ID Protection Setup for Workbench.

Prerequisites

  1. You must have a Microsoft Entra ID P1 or P2 license.
  2. You must be able to log into Microsoft Entra as a user assigned the Global Administrator or User Administrator role.
  3. You must have an active Azure subscription.
    • For Event Hubs, we recommend you use the Standard tier with 1 throughput unit and no auto-inflate, which starts at $75/month. Your individual pricing will depend on the type of services and usage in your environments.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Enable Console and Cross-Tenant Access for Expel
  2. Create a Custom Entra ID App
  3. Create a Namespace
  4. Create an Event Hub
  5. Add a Shared Access Policy
  6. Add a Role Assignment
  7. Set Up Routing
  8. Add Microsoft Entra ID via Event Hub as a Security Device in Workbench
  9. Troubleshooting

Step 1: Enable Console and Cross-Tenant Access for Expel

Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.

Enable Console Access for a New Account

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
  2. Navigate to Entra ID > Users > All Users.
  3. Select User > Invite external user.
  4. On the Basics tab, include the following:
    • Email - enter "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io
      • You can find your Organization GUID on the Organizations tab in Workbench.
    • Display Name - enter "Expel SOC".
  5. On the Assignments tab, configure the following:
    • Select Add role.
    • Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
  6. Select Review + invite and then Invite.

The user account will be added to your directory as a guest, and an invitation will be sent to the email provided.

Enable Cross-Tenant Access

In this step you will add Expel as an external organization and configure inbound trust.

  1. Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
  2. Select the Organizational settings tab.
  3. Select Add organization.
  4. On the Add organization pane, enter Expel’s tenant ID: 1cde81fd-b430-4035-b24d-709921922876
  5. Select Expel from the search results, and then select Add.
  6. In the Organizational settings list, locate the Expel row and select Inbound access.
  7. On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
    • Select Customize settings.
    • Enable Trust multifactor authentication from Microsoft Entra tenants.
    • Enable Trust compliant devices.
    • Enable Trust Microsoft Entra hybrid joined devices.
    • Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
  8. Select Save.

Step 2: Create a Custom Entra ID App

Even if you have already created a custom app for another Microsoft integration, you must still create a custom app solely for Entra ID to avoid any app overload risks.

  1. Log in to Azure.
  2. Navigate to the Microsoft Entra ID service.
  3. Go to Manage > App registrations.
  4. Select New registration.
  5. Fill in the application details as follows:
    • Name - enter "Expel_Entra ID_EventHub", or another name of your choosing.
    • Supported account types - leave the "accounts in this organizational directory only" or "single tenant only" option selected (the first option). You will see one of these two values, depending on your environment.
  6. Select Register.
  7. You will navigate automatically to the Settings page for the app you just created. Copy and save the following two values for use in a later step:
    • Application (client) ID
    • Directory (tenant) ID
  8. Still in the new app, use the left menu to go to Manage > Certificates & secrets.
  9. Select New client secret.
  10. For the new secret:
    • Description - enter a description, such as "Expel API".
    • Expires - select 730 days (24 months).
  11. Select Add.
  12. Copy and save the client secret's Value to a safe place, as you will need it in the next step.

Step 3: Create a Namespace

You will add a namespace to host the event hub, which will collect your logs.

  1. Navigate to the Event Hubs service.
  2. Select Create to create a new namespace.
  3. On the Basics tab:
    • Subscription - select a subscription for the namespace.
    • Resource group - select an existing resource group or create a new one.
    • Namespace name - enter a name of your choosing, or use "expel-namespace".
    • Region - select the region where the namespace will be hosted.
    • Pricing tier - select your pricing tier (we recommend Standard).
  4. The screen will change based on your chosen region and pricing tier. In general, these are our recommendations:
    • For the standard tier, set the throughput units to 1 and leave auto-inflate as disabled.
    • For the premium tier, Azure recommends leaving the processing units as is, but you may choose a different value if you wish; make sure to enable geo-replication.
    • For the dedicated tier, Azure recommends leaving the capacity units as is, but you may choose a different value if you wish; make sure to enter your cluster details and also enable geo-replication.
  5. Leave all other namespace tabs as is.
  6. Select Review + create.
  7. Wait for a successful validation, then select Create.
  8. When the deployment is complete, expand the Deployment details section.
  9. Select the namespace in the list of resources to view its details.
  10. In the namespace details, copy and save the Host name for use in a later step.

Step 4: Create an Event Hub

  1. Still in the namespace, select Event Hub to create a new event hub.
  2. On the Basics tab:
    • Name - enter a name of your choosing, or use "expel-eventhub". Make note of this name, as you will need it in a later step.
    • Partition count - leave as the default, or increase if needed.
    • Cleanup policy - leave as Delete, or choose your preferred option.
    • Retention hours - enter your preferred timeframe.
  3. Select Review + create.
  4. Wait for a successful validation, then select Create.
  5. In the left menu, navigate to Entities > Event Hubs to view your list of event hubs, and verify that your new event hub was created and is active.

Step 5: Add a Shared Access Policy

You will grant Manage rights in the policy so that the event hub can both listen for and send the logs.

  1. Still in the list of event hubs, select your new event hub.
  2. In the left menu, navigate to Settings > Shared access policies.
  3. Select Add to add a new policy.
  4. For the new policy:
    • Enter a name of your choosing, or use "expel-policy".
    • Select the Manage checkbox.
  5. Select Create.
  6. Allow time for your policy to be created before moving to the next step.

Step 6: Add a Role Assignment

Remember that you must already have a subscription available for use before you can complete this step. Before you begin, make sure you remember the name of the custom app you created in Step 2.

  1. Navigate to the Subscriptions service.
  2. Select the subscription you want to use.
  3. Select Access control (IAM).
  4. Select Add > Add role assignment.
  5. Search for and select the Azure Event Hubs Data Receiver role.
  6. Select Next.
  7. On the Add role assignment screen:
    • Leave assign access to as User, group, or service principal.
    • Choose Select members, then search for and select the custom app you created in Step 2.
    • Leave the description blank.
  8. Select Review + assign.
  9. Review the role assignment if you wish, then select Review + assign again to assign the role.
  10. After the role assignment has been added, you will be taken back to the subscription screen.
  11. Select the Role assignments tab, and verify that your custom app is now listed as an Azure Event Hubs Data Receiver.

Step 7: Set Up Routing

You will now set up routing so that the Entra ID logs will go to the event hub.

  1. Navigate to the Microsoft Entra ID service.
  2. Go to Monitoring > Audit logs.
  3. Select Export Data Settings.
  4. Below the list of diagnostic settings, select Add diagnostic setting.
  5. Enter a name of your choosing, or use "expel-entraid-logs".
  6. Under Categories, select the following:
    • AuditLogs
    • SignInLogs
    • NonInteractiveUserSignInLogs
    • ManagedIdentitySignInLogs
  7. Under Destination details, select Stream to an event hub, then choose the subscription, event hub namespace, and event hub from earlier in the guide, and leave the policy name as the default.
  8. Select Save.
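One way to confirm that routing is working, as an added check that is not part of the Expel guide: this Python script parses the Azure Monitor "records" envelope that diagnostic settings write to an event hub and reports which of the four selected categories have not yet delivered any records. It assumes the message bodies have already been read from the hub (for example with an EventHubConsumerClient from the azure-eventhub package); constructed sample bodies stand in for them here so the script runs offline.

```python
import json
from collections import Counter

# The four log categories selected in the diagnostic setting (Step 7).
EXPECTED_CATEGORIES = {"AuditLogs", "SignInLogs",
                       "NonInteractiveUserSignInLogs", "ManagedIdentitySignInLogs"}

def parse_event_body(body: str) -> list[dict]:
    """Return the records in one Event Hub message body.

    Azure Monitor streams diagnostic logs as a JSON object with a top-level
    "records" array; each record carries a "category" field. A body that is
    not valid JSON yields no records instead of aborting the whole check.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []
    records = payload.get("records", []) if isinstance(payload, dict) else []
    return [r for r in records if isinstance(r, dict)]

def category_counts(bodies: list[str]) -> Counter:
    """Count records per category across a batch of message bodies."""
    counts: Counter = Counter()
    for body in bodies:
        for record in parse_event_body(body):
            counts[record.get("category", "<missing>")] += 1
    return counts

def missing_categories(counts: Counter) -> set[str]:
    """Selected categories for which no record has arrived yet."""
    return EXPECTED_CATEGORIES - set(counts)

# Constructed sample bodies shaped like Azure Monitor output; not real logs.
SAMPLE_BODIES = [
    json.dumps({"records": [
        {"time": "2024-01-01T00:00:00Z", "category": "AuditLogs",
         "operationName": "Add user", "resultType": "Success"},
        {"time": "2024-01-01T00:00:01Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "0"}]}),
    json.dumps({"records": [
        {"time": "2024-01-01T00:00:02Z", "category": "NonInteractiveUserSignInLogs",
         "operationName": "Sign-in activity", "resultType": "0"}]}),
    "not json",  # a corrupted body must not stop the check
]

if __name__ == "__main__":
    counts = category_counts(SAMPLE_BODIES)
    print(dict(counts))
    print("no records yet for:", sorted(missing_categories(counts)))
```

A category that stays missing after the device has been polling for a while usually means it was not ticked in the diagnostic setting, or that no activity of that kind has occurred yet (managed identity sign-ins, for example, only appear once a managed identity actually authenticates).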

Step 8: Add Microsoft Entra ID via Event Hub as a Security Device in Workbench

Now, you can add a security device in Workbench to complete the integration. Before you begin, make sure you have the values you saved earlier in this guide (the Directory ID, Application ID, Client Secret value, host name, and event hub name).

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type "Entra" and then select the Microsoft Entra ID via Event Hub integration.
  5. Give the integration a name:
    • Existing M365 customers - enter a name that matches your existing Microsoft 365 plugin. For example, if your legacy M365 plugin is called "M365 - prod", name this "EntraID - prod". If you have multiple M365 plugins (for example, separate lab, staging, and prod environments), create a corresponding Entra ID plugin for each with a matching name.
    • New customers - enter a name that might help you more easily identify this integration, such as "CompanyName EntraID_EventHub"; this name will display in Workbench under the Name column, and is a text string that you can filter on.
  6. Complete the remaining fields as follows:
    • Location - enter the location of your integration, for example "cloud"; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Directory ID - enter the Directory (tenant) ID you saved earlier in the guide.
    • Application ID - enter the Application (client) ID you saved earlier in the guide.
    • Client secret - enter the Client Secret value you saved earlier in the guide.
    • Event hub namespace host name - enter the host name you saved earlier in the guide.
    • Event hub name - enter the name of the event hub you created in Step 4.
    • Consumer group name - leave as the default, unless you are using a custom consumer group in Azure and need to update the value.
  7. Select Save.
  8. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Troubleshooting

If your device does not connect successfully:

  1. Check to be sure you copied the correct values from Azure:
    • Application (client) ID - in Step 2.
    • Directory (tenant) ID - in Step 2.
    • Client Secret value - make sure you copied the secret's Value and not its Secret ID in Step 2.
    • Host name - in Step 3.
    • Event hub name - in Step 4.
  2. Check to be sure you entered the values in the correct fields in the security device in Workbench.
  3. If your device still does not connect successfully after verifying these values, contact Support for assistance.