Event Hub Streaming
For real-time, high-volume ingestion, stream Entra logs via Azure Event Hub. This provides the lowest latency but requires the most infrastructure setup.
When to use
- You need sub-minute latency on sign-in events
- You have high event volume; Event Hub partitions scale natively
- You want to decouple Entra from Mission Control (Event Hub buffers events)
When NOT to use
- Minute-level latency is acceptable — use HTTP Scraper or Logs Scraper
- You want to avoid managing Event Hub + bridge consumer infrastructure
- Additional Azure costs for throughput units are not justified
Prerequisites
- Azure Monitor Diagnostic Settings configured to export SignInLogs and AuditLogs to an Event Hub
- Azure Event Hub namespace with a dedicated hub for Entra logs
- Bridge consumer that reads from Event Hub and publishes to a Mission Control-supported backend
- Entra ID P1 or P2 license — Microsoft does not generate these log categories without it
Architecture
The PubSub scraper natively supports GCP Pub/Sub. For Azure Event Hub, you need a bridge:
- Azure Event Hub receives logs from Entra ID Diagnostic Settings (same Diagnostic Settings setup as the Logs Scraper approach)
- Bridge consumer reads from Event Hub and publishes to a supported backend:
  - Write to GCP Pub/Sub, then use the PubSub scraper
  - Write to a log backend (OpenSearch, Loki), then use the Logs scraper
  - Write to a webhook endpoint, then use the HTTP scraper in push mode
Tip: If sub-minute latency is not required, the HTTP scraper or Logs scraper approaches are simpler and require less infrastructure.
See the PubSub scraper reference for the GCP Pub/Sub configuration pattern.
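The core of a bridge consumer for the webhook option above, as an added example (not code from Mission Control or Microsoft). Diagnostic Settings deliver entries to Event Hub batched in a `{"records": [...]}` envelope, which the bridge has to unpack; the function names, the one-record-per-POST payload, the webhook URL and the bearer token are assumptions.

```python
import json
import urllib.request

WANTED = {"SignInLogs", "AuditLogs"}  # categories named in the prerequisites

# Constructed sample of one Event Hub message body (values are made up).
SAMPLE_BODY = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "category": "SignInLogs",
     "properties": {"userPrincipalName": "alice@example.com"}},
    {"time": "2024-01-01T00:00:01Z", "category": "AuditLogs",
     "operationName": "Add user"},
    {"time": "2024-01-01T00:00:02Z", "category": "ProvisioningLogs"},
]})

def unpack_records(body):
    """Split one message body into the Entra log records worth forwarding.

    Malformed bodies and unwanted categories yield nothing instead of
    raising, so one bad message cannot stall the consumer.
    """
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []
    records = doc.get("records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        return []
    return [r for r in records
            if isinstance(r, dict) and r.get("category") in WANTED]

def post_json(url, token, record):
    """POST one record; URL and bearer token are deployment assumptions."""
    req = urllib.request.Request(
        url, data=json.dumps(record).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises on 4xx/5xx
        return resp.status

def handle_message(body, send):
    """Forward each wanted record via send(record); return the count sent.

    send is expected to raise on failure, so a caller that checkpoints only
    after this returns will re-read the message rather than skip it.
    """
    records = unpack_records(body)
    for record in records:
        send(record)
    return len(records)
```

The Event Hub receive loop calls `handle_message` with each event body and a `send` built from `post_json`.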