Introduction

Azure Sentinel (Microsoft Sentinel) data connectors ingest logs from various sources like Azure services, third-party APIs, and on-premises systems. When connectors fail, security analytics lose visibility and detection rules stop working.

Symptoms

Connector status disconnected:

```bash
$ az sentinel data-connector show \
    --resource-group my-rg \
    --workspace-name my-workspace \
    --data-connector-id azure-activity-log

"status": "Disconnected"
```

No data in logs:

```
# Returns 0 when connector not ingesting
```

Authentication error:

```json
{
  "error": {
    "code": "AuthenticationFailed",
    "message": "Failed to authenticate with the data source. Token expired or invalid"
  }
}
```

Common Causes

  1. OAuth token expired - Connector authorization expired
  2. API credentials invalid - Third-party API keys or secrets expired
  3. Data source disabled - Source stopped sending data
  4. Network connectivity - Firewall blocking data flow
  5. Rate limiting - API quota exceeded
  6. Workspace permissions - Missing RBAC permissions
  7. Connector configuration - Invalid settings or filters

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: List All Data Connectors

```bash
# List all connectors in workspace
az sentinel data-connector list \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --query '[].{Name:name,Kind:kind,State:properties.state,Type:properties.dataTypes}'

# Check specific connector
az sentinel data-connector show \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id azure-activity-log
```

Step 2: Re-enable Disconnected Connector

```bash
# Enable Azure Activity Log connector
az sentinel data-connector update \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id azure-activity-log \
  --state Enabled

# Enable Microsoft 365 connector
az sentinel data-connector update \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id microsoft-365 \
  --state Enabled

# Verify connector state
az sentinel data-connector show \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id azure-activity-log \
  --query 'properties.state'
```

Step 3: Re-authorize OAuth Connectors

```bash
# For connectors requiring OAuth (Office 365, GitHub, etc.)
# Via Azure Portal:
# 1. Open Microsoft Sentinel
# 2. Go to Data connectors
# 3. Select the connector
# 4. Click "Reconnect" or "Authorize"
# 5. Sign in with appropriate credentials

# Check authorization status
az sentinel data-connector show \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id office-365 \
  --query 'properties.{Auth:auth,Connected:connectedState}'
```

Step 4: Check Third-Party API Credentials

```bash
# For API-based connectors (AWS, Salesforce, etc.)
# Check if credentials are valid

az sentinel data-connector show \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id aws-cloudtrail \
  --query 'properties.credentials'

# Update expired credentials
az sentinel data-connector update \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id aws-cloudtrail \
  --aws-role-arn "arn:aws:iam::123456789:role/SentinelRole" \
  --aws-access-key-id "NEW_KEY" \
  --aws-secret-access-key "NEW_SECRET"
```

Step 5: Verify Data Source Configuration

```bash
# Check if data source is sending data
# For Azure Activity Log (number of events in the last hour):
az monitor activity-log list \
  --offset 1h \
  --query "length(@)"

# For diagnostic settings:
az monitor diagnostic-settings show \
  --resource /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-keyvault \
  --query '{Logs:logs,Metrics:metrics}'

# Enable diagnostic if missing
az monitor diagnostic-settings create \
  --name sentinel-logs \
  --resource /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-keyvault \
  --workspace /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace \
  --logs '[{"category":"AuditEvent","enabled":true}]'
```

Step 6: Check Log Analytics Workspace

```bash
# Verify workspace is accessible
az monitor log-analytics workspace show \
  --workspace-name my-workspace \
  --resource-group my-rg \
  --query '{Name:name,Status:provisioningState,Retention:retentionInDays}'

# Check workspace permissions
az role assignment list \
  --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.OperationalInsights/workspaces/my-workspace \
  --query '[].{Role:roleDefinitionName,Principal:principalName}'
```

Step 7: Test Data Ingestion

```
# If count is 0, connector not ingesting
```

Step 8: Check Network Connectivity

```bash
# For on-premises CEF/Syslog connectors
# Check agent connectivity
az monitor log-analytics workspace show \
  --workspace-name my-workspace \
  --resource-group my-rg \
  --query 'properties.dataSourceOnPremises'
```

Step 9: Handle Rate Limiting

```bash
# Check if API rate limits exceeded
az sentinel data-connector show \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id threat-intelligence \
  --query 'properties.lastDataReceived'

# Adjust polling frequency if needed
az sentinel data-connector update \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id threat-intelligence \
  --polling-frequency "PT30M"  # Poll every 30 minutes
```

Step 10: Monitor Connector Health

```bash
# Create alert for connector failures
az monitor metrics alert create \
  --name sentinel-connector-health \
  --resource-group my-rg \
  --scopes /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.OperationalInsights/workspaces/my-workspace \
  --condition "avg IngestionRate < 1" \
  --window-size 1h
```

Common Data Connector Types

| Connector | Data Type | Authentication |
|---|---|---|
| Azure Activity | AzureActivity | Built-in |
| Microsoft 365 | OfficeActivity | OAuth |
| AWS CloudTrail | AWSCloudTrail | IAM Role |
| CEF/Syslog | Syslog | Agent |
| Threat Intel | ThreatIntelligence | API Key |
| GitHub | GitHubAudit | OAuth |

Verification

```bash
# After fixing connector
# Check connector state
az sentinel data-connector show \
  --resource-group my-rg \
  --workspace-name my-workspace \
  --data-connector-id azure-activity-log \
  --query '{Name:name,State:properties.state}'

# Should show state: "Enabled"

# Should show > 0 if events are occurring
```

Prevention

To prevent Azure Sentinel connector issues from recurring, implement these proactive measures:

1. Monitor Connector Health

```yaml
groups:
- name: azure-sentinel
  rules:
  - alert: AzureSentinelConnectorIngestionStopped
    expr: |
      rate(azure_sentinel_events_ingested[1h]) == 0
    for: 1h
    labels:
      severity: warning
    annotations:
      summary: "Azure Sentinel connector stopped ingesting data"
```

2. Set Up Ingestion Alerts

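```bash
# Create alert for low ingestion rate
# The KQL goes in --condition-query under a placeholder name that --condition
# then references; the workspace is passed as the rule scope.
az monitor scheduled-query create \
  --resource-group my-rg \
  --name low-ingestion-alert \
  --scopes /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.OperationalInsights/workspaces/my-workspace \
  --evaluation-frequency 15m \
  --window-size 1h \
  --condition-query Ingested="AzureActivity | where TimeGenerated > ago(1h)" \
  --condition "count 'Ingested' < 1" \
  --severity 2 \
  --action-groups /subscriptions/SUB/resourceGroups/my-rg/providers/microsoft.insights/actiongroups/my-action-group
```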
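A single-table count alert misses one failure mode: in a grouped query, a table that received nothing in the window returns no row at all rather than a zero. The script below is an added example (not part of the original article) that compares query output against a list of expected feeds and treats a missing row as a failure; table names come from the connector table above, while the silence limits, function names and the sample query output are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report connectors whose destination table is silent or absent.

# Expected feeds as connector|table|max minutes of silence (limits are assumed).
EXPECTED='Azure Activity|AzureActivity|60
Microsoft 365|OfficeActivity|120
AWS CloudTrail|AWSCloudTrail|60
CEF/Syslog|Syslog|30'

# Constructed stand-in for the tab-separated result of a workspace query like:
#   union AzureActivity, OfficeActivity, AWSCloudTrail, Syslog
#   | summarize Last = max(TimeGenerated) by Type
#   | project Type, MinutesSilent = datetime_diff('minute', now(), Last)
# AWSCloudTrail is deliberately missing: a table with no rows in the query
# window yields no result row, so absence has to count as a failure.
SAMPLE_RESULT=$(printf '%s\t%s\n' AzureActivity 4 OfficeActivity 310 Syslog 12)

# Print "<connector>: <reason>" for every unhealthy feed.
# $1 = expected feeds, $2 = query result lines (table<TAB>minutes).
stale_connectors() {
  while IFS='|' read -r sc_connector sc_table sc_limit; do
    [ -n "$sc_table" ] || continue
    # Exact match on the table column; stays empty when no row came back.
    sc_minutes=$(printf '%s\n' "$2" |
      awk -F'\t' -v t="$sc_table" '$1 == t { print $2; exit }')
    if [ -z "$sc_minutes" ]; then
      printf '%s: no rows from %s in query window\n' "$sc_connector" "$sc_table"
    elif [ "$sc_minutes" -gt "$sc_limit" ]; then
      printf '%s: %s silent for %s min (limit %s)\n' \
        "$sc_connector" "$sc_table" "$sc_minutes" "$sc_limit"
    fi
  done <<EOF
$1
EOF
}

# Return 1 when any feed is unhealthy so a scheduler or pipeline can alert.
check_connectors() {
  cc_report=$(stale_connectors "$1" "$2")
  if [ -n "$cc_report" ]; then
    printf '%s\n' "$cc_report" >&2
    return 1
  fi
}

stale_connectors "$EXPECTED" "$SAMPLE_RESULT"
```

Per-feed limits matter because low-volume sources can be legitimately quiet for longer than a busy one.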

3. Document Connector Dependencies

```bash
# Document all connector dependencies
cat << 'EOF' > /etc/sentinel/connectors.conf
# Azure Activity - Built-in, no auth required
# Microsoft 365 - OAuth, requires M365 admin consent
# AWS CloudTrail - IAM role, requires AWS IAM setup
# CEF/Syslog - Agent, requires OMS agent on collector

# Review quarterly for:
# - Token expiration
# - Certificate renewal
# - API changes
EOF
```

Best Practices Checklist

  • [ ] Monitor connector ingestion rate
  • [ ] Set up ingestion alerts
  • [ ] Document connector dependencies
  • [ ] Review token/certificate expiration
  • [ ] Test connector functionality monthly
  • [ ] Keep connector documentation updated
