You may already know that you can have Azure AD Diagnostic logs; but do you know you can now send these logs to Log Analytics for consolidation and better analysis?
To do so, just logon to your Azure AD administration portal (https://aad.portal.azure.com) or Azure portal (https://portal.azure.com) and reach out the Azure AD configuration blade.
From there, scroll down to reach the Monitoring section and click on the Diagnostic settings – if you did not already had it enabled, you will be requested to enable it
Then just choose the option Send to Log Analytics
Select (or create a new one) the Log Analytics workspace to save the log
Enable the log options you want to enabled – off course the recommendation is to enable both Audit and SignIn
Once completed, you have to wait a little (about 15 min) before you will start seeing Azure AD logs in your Log Analytics workspace
You can use the the predefined views (.omsview file) Azure AD Log Analytics available from https://aka.ms/AADLogAnalyticsviews
Then import these views (one by one) by going to the View Designer and then import and save