Intune → Sentinel device pipeline
Microsoft posted an Intune-to-Sentinel integration guide that unifies device telemetry for threat detection and compliance and explicitly links device signals with identity events (x.com).
Security teams use a log collector the way airports use one arrivals board: it puts scattered events in one place. Microsoft published an April 10 guide showing how to send Microsoft Intune device logs into Microsoft Sentinel, its cloud-native security monitoring platform, through Azure Monitor and Log Analytics (techcommunity.microsoft.com). The setup starts in the Microsoft Intune admin center under Reports > Diagnostic settings, where administrators route Intune audit and operational logs to a Log Analytics workspace that has Microsoft Sentinel enabled. Microsoft says the feed can be used to alert on devices that fall out of compliance and on policy changes (techcommunity.microsoft.com).

Intune is Microsoft's device manager for Windows, macOS, iOS, and Android, and its diagnostic settings can send logs to Azure Storage, Event Hubs, or Log Analytics. Microsoft says those logs include audit and operational data, and that the schemas can change over time, so any detection rules built on the tables need to be rechecked when Microsoft updates them (learn.microsoft.com).

Sentinel is Microsoft's security information and event management (SIEM) system, which means it collects records from many products so analysts can search them together. Microsoft says its built-in connectors already ingest data from services including Microsoft Defender XDR, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps (learn.microsoft.com).

The practical link is identity. Microsoft Entra sign-in records include device details such as whether a device was compliant, managed, or Microsoft Entra hybrid joined, which lets analysts compare a login with the state of the machine that made it (learn.microsoft.com). Microsoft's own sign-in monitoring guidance already treats "compliant device" and "managed device" as Conditional Access conditions worth watching. Pushing Intune logs into Sentinel gives analysts a second record set to check when a sign-in or policy decision looks suspicious: the Entra record shows what Conditional Access believed about the device at sign-in time, and the Intune record shows what the device manager itself reported before and after that moment (learn.microsoft.com).

Sentinel's User and Entity Behavior Analytics, which looks for unusual patterns across users and devices, depends on connected data sources to surface anomalies. Microsoft says analysts can investigate those entities in the Defender portal and add custom timeline activities from connected logs (learn.microsoft.com, learn.microsoft.com).

The timing also fits Microsoft's broader platform shift. Microsoft says Sentinel will no longer be supported in the Azure portal after March 31, 2027, and customers are being moved toward the Microsoft Defender portal for a more unified security operations workflow (learn.microsoft.com, learn.microsoft.com).

So the new Intune-to-Sentinel guidance is less about a brand-new product than about wiring device management into the same console where identity, endpoint, and cloud alerts already land. For security teams, that means a failed sign-in, a noncompliant laptop, and a policy change can be investigated as parts of one incident instead of three separate dashboards (techcommunity.microsoft.com, learn.microsoft.com, learn.microsoft.com).
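The correlation the article describes, as an added example that is not Microsoft's code or part of the published guide: constructed Entra sign-in records are joined against constructed Intune compliance and audit records, and a sign-in is flagged when the compliance state Conditional Access saw disagrees with what Intune most recently reported, when a "managed" device has no Intune record at all, or when Conditional Access rejected the device as noncompliant. Recent Intune policy changes are attached to each finding so the three signals land in one place. The record shapes are an assumption loosely modeled on the SigninLogs DeviceDetail column and the Intune compliance and audit tables; in Sentinel the same logic would be written as a KQL analytics rule over the real tables.

```python
"""Correlate Entra ID sign-in records with Intune compliance and audit records.

Added example, not Microsoft's code. The record shapes are an assumption loosely
modeled on SigninLogs.DeviceDetail and the Intune compliance/audit tables that
diagnostic settings populate; all sample records below are constructed, not
real tenant data. In Sentinel this would be a KQL analytics rule over those tables.
"""
from datetime import datetime, timedelta, timezone


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed Entra sign-ins. DeviceDetail is the device state Conditional Access
# evaluated at sign-in time. ResultType "0" is success; "53000" is Entra's
# DeviceNotCompliant Conditional Access error code.
SIGNIN_LOGS = [
    {"TimeGenerated": ts("2025-04-10T09:02:00"), "UserPrincipalName": "alice@contoso.example",
     "ResultType": "0", "AppDisplayName": "Exchange Online",
     "DeviceDetail": {"deviceId": "dev-001", "isCompliant": True, "isManaged": True}},
    {"TimeGenerated": ts("2025-04-10T09:15:00"), "UserPrincipalName": "bob@contoso.example",
     "ResultType": "0", "AppDisplayName": "SharePoint Online",
     "DeviceDetail": {"deviceId": "dev-002", "isCompliant": True, "isManaged": True}},
    {"TimeGenerated": ts("2025-04-10T09:20:00"), "UserPrincipalName": "carol@contoso.example",
     "ResultType": "53000", "AppDisplayName": "Azure Portal",
     "DeviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False}},
    {"TimeGenerated": ts("2025-04-10T09:30:00"), "UserPrincipalName": "dave@contoso.example",
     "ResultType": "0", "AppDisplayName": "Azure Portal",
     "DeviceDetail": {"deviceId": "dev-999", "isCompliant": True, "isManaged": True}},
]

# Constructed Intune compliance snapshots (what the device manager itself reported).
INTUNE_DEVICE_COMPLIANCE = [
    {"TimeGenerated": ts("2025-04-10T08:00:00"), "DeviceId": "dev-001", "ComplianceState": "Compliant"},
    {"TimeGenerated": ts("2025-04-10T08:00:00"), "DeviceId": "dev-002", "ComplianceState": "Compliant"},
    {"TimeGenerated": ts("2025-04-10T09:05:00"), "DeviceId": "dev-002", "ComplianceState": "Noncompliant"},
]

# Constructed Intune audit record: an admin edited a compliance policy.
INTUNE_AUDIT = [
    {"TimeGenerated": ts("2025-04-10T09:00:00"), "Identity": "admin@contoso.example",
     "OperationName": "patchDeviceCompliancePolicy"},
]


def latest_intune_state(device_id, at, compliance):
    """Most recent compliance state Intune reported for device_id at or before `at`."""
    history = [r for r in compliance
               if r["DeviceId"] == device_id and r["TimeGenerated"] <= at]
    if not history:
        return None  # Intune has never reported on this device
    return max(history, key=lambda r: r["TimeGenerated"])["ComplianceState"]


def policy_changes_before(at, audit, window=timedelta(minutes=30)):
    """Intune audit operations inside the window ending at `at`, as incident context."""
    return [f'{r["Identity"]}:{r["OperationName"]}' for r in audit
            if at - window <= r["TimeGenerated"] <= at]


def correlate(signins=SIGNIN_LOGS, compliance=INTUNE_DEVICE_COMPLIANCE, audit=INTUNE_AUDIT):
    """Return one finding per sign-in whose device state disagrees with Intune."""
    findings = []
    for s in signins:
        detail = s["DeviceDetail"]
        device_id = detail.get("deviceId") or None  # Entra logs "" for unknown devices
        state = latest_intune_state(device_id, s["TimeGenerated"], compliance) if device_id else None
        reasons = []
        if detail.get("isCompliant") and state == "Noncompliant":
            reasons.append("entra_compliant_but_intune_noncompliant")
        if detail.get("isManaged") and device_id and state is None:
            reasons.append("managed_flag_but_no_intune_record")
        if s["ResultType"] == "53000":
            reasons.append("ca_blocked_noncompliant_device")
        if reasons:
            findings.append({
                "user": s["UserPrincipalName"], "device": device_id,
                "app": s["AppDisplayName"], "intune_state": state, "reasons": reasons,
                "recent_intune_changes": policy_changes_before(s["TimeGenerated"], audit),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate():
        print(finding)
```

Alice is silent because Entra and Intune agree; Bob is flagged because Intune marked his device noncompliant ten minutes before a sign-in that still carried a compliant flag, and the admin's policy edit from the same half hour is attached to the finding.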