Getting Started
Prerequisites
- Azure subscription with Log Analytics workspace
- Multi-tenant Entra ID app registration with admin consent
- Node.js 20+
Step 1: App Registration
- Entra ID → App registrations → New registration
- Configure:
- Name, e.g. Beacon
- Supported account types: Accounts in any organizational directory (Multitenant)
- Redirect URI: Leave blank
- Create
Note these values
| Value | Location |
|---|---|
| Application (client) ID | Overview |
| Directory (tenant) ID | Overview |
Add client secret
- Certificates & secrets → Client secrets → New client secret
- Description: Beacon Azure Function
- Expiry: 6 months
- Add
- Copy the Value immediately; you won't see it again
Add API permissions
Microsoft Graph (Application permissions):
| Permission | Purpose |
|---|---|
| AuditLog.Read.All | Sign-in logs |
| SecurityAlert.Read.All | Defender alerts |
| IdentityRiskEvent.Read.All | Identity Protection |
| Directory.Read.All | Resolve user/group details |
Office 365 Management APIs (Application permissions):
- Add a permission → APIs my organization uses
- Search: Office 365 Management APIs
- Application permissions:
| Permission | Purpose |
|---|---|
| ActivityFeed.Read | Audit logs |
| ActivityFeed.ReadDlp | DLP events |
Grant admin consent
- API permissions → Grant admin consent for [tenant name]
- Confirm
Step 2: Log Analytics Workspace
- Azure Portal → Log Analytics workspaces → Create
- Configure:
- Subscription: (your sub)
- Resource group, e.g. rg-beacon
- Name, e.g. law-beacon
- Region: (pick a region close by)
- Review + Create
Note these values
| Value | Location |
|---|---|
| Workspace ID | Overview |
| Resource ID | Properties → Resource ID |
Step 3: Data Collection Endpoint (DCE)
- Azure Portal → Monitor → Data Collection Endpoints → Create
- Configure:
- Name, e.g. dce-beacon
- Subscription: (your sub)
- Resource group: Same as Log Analytics workspace
- Region: Same as Log Analytics workspace
- Create
Note this value
| Value | Location |
|---|---|
| Logs Ingestion URI | Overview |
Step 4: Custom Table and Data Collection Rule (DCR)
- Azure Portal → Log Analytics workspace → Tables → Create → New custom log (DCR-based)
- Configure:
- Table name: Beacon_Alerts (becomes Beacon_Alerts_CL)
- Data collection endpoint: Select DCE created in Step 3
- Data collection rule name, e.g. dcr-beacon-alerts
- Next: Upload sample.json to define schema
- Review transformation (default is fine)
- Create
Step 5: Grant App Permission to DCR
- Open the DCR just created (dcr-beacon-alerts)
- Go to Access control (IAM) → Add role assignment
- Role: Monitoring Metrics Publisher
- Next → User, group, or service principal → Select members → Search for the app registration (Beacon)
- Select → Review + assign
Note these values
| Value | Location |
|---|---|
| Immutable ID | Overview → Immutable Id |
| Stream name | Configuration → Data sources → Data source column |
Stream name should be: Custom-Beacon_Alerts_CL
Step 6: Storage Account
Used for Azure Functions runtime and alert deduplication.
- Azure Portal → Storage accounts → Create
- Configure:
- Subscription: (your sub)
- Resource group: Same as Log Analytics workspace
- Storage account name, e.g. stbeacon (must be globally unique)
- Region: Same as Log Analytics workspace
- Performance: Standard
- Redundancy: LRS
- Review + Create
Get connection string
- Open storage account → Access keys
- Copy Connection string for key1
The following tables are auto-created on first run:
- AlertDedup: 5-minute window for duplicate log suppression
- NotificationState: 1-hour window for notification throttling
Step 7: Function App
- Azure Portal → Function App → Create
- Configure:
- Subscription: (your sub)
- Resource group: Same as Log Analytics workspace
- Function App name, e.g. func-beacon (must be globally unique)
- Runtime stack: Node.js
- Version: 20 LTS
- Region: Same as Log Analytics workspace
- Operating System: Linux
- Plan type: Consumption (Serverless)
- Review + Create
Configure app settings
- Open Function App → Configuration → Application settings
- Add these:
| Name | Value |
|---|---|
| TENANT_ID | (your MSP tenant ID) |
| CLIENT_ID | (app registration client ID) |
| CLIENT_SECRET | (app registration secret) |
| LOG_ANALYTICS_ENDPOINT | (DCE Logs Ingestion URI) |
| LOG_ANALYTICS_RULE_ID | (DCR Immutable ID) |
| LOG_ANALYTICS_STREAM | Custom-Beacon_Alerts_CL |
| AZURE_STORAGE_CONNECTION_STRING | (storage account connection string) |
- Save
Note: AzureWebJobsStorage is created automatically when you create the Function App and link a storage account. It's required for the Functions runtime. AZURE_STORAGE_CONNECTION_STRING is a separate setting used by Beacon for alert deduplication tables.
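A preflight check for the app settings above, added here as an example and not part of Beacon's own code. It assumes the public-cloud Logs Ingestion host suffix and the documented `dcr-<32 hex>` immutable ID format; the function names and sample values are constructed for illustration.

```javascript
// Added example, not Beacon's code: validate the Step 7 settings before first run.
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
const FORMATS = [
  ["TENANT_ID", GUID, "a GUID"],
  ["CLIENT_ID", GUID, "a GUID"],
  ["CLIENT_SECRET", /\S/, "the secret Value"],
  // Public-cloud suffix assumed; extend the pattern for sovereign clouds.
  ["LOG_ANALYTICS_ENDPOINT", /^https:\/\/[a-z0-9.-]+\.ingest\.monitor\.azure\.com\/?$/i,
    "an HTTPS Logs Ingestion URI"],
  ["LOG_ANALYTICS_RULE_ID", /^dcr-[0-9a-f]{32}$/i, "a DCR immutable ID (dcr-<32 hex>)"],
  ["LOG_ANALYTICS_STREAM", /^Custom-\w+_CL$/, "Custom-<table>_CL"],
  ["AZURE_STORAGE_CONNECTION_STRING", /^(?=.*(^|;)AccountName=)(?=.*(^|;)AccountKey=)/,
    "a connection string with AccountName and AccountKey"],
];

function checkSettings(env) {
  const problems = [];
  for (const [name, pattern, expected] of FORMATS) {
    const value = String(env[name] ?? "").trim();
    if (!value) problems.push(`${name} is missing`);
    else if (!pattern.test(value)) problems.push(`${name} should be ${expected}`);
  }
  // The portal lists a Secret ID (a GUID) next to the secret Value; only the Value works.
  if (GUID.test(String(env.CLIENT_SECRET ?? "").trim()))
    problems.push("CLIENT_SECRET looks like the Secret ID, not the Value");
  return problems;
}

// Logs Ingestion API upload URL that these three settings combine into.
function ingestionUrl(env) {
  const base = env.LOG_ANALYTICS_ENDPOINT.trim().replace(/\/+$/, "");
  return `${base}/dataCollectionRules/${env.LOG_ANALYTICS_RULE_ID.trim()}` +
    `/streams/${env.LOG_ANALYTICS_STREAM.trim()}?api-version=2023-01-01`;
}

const SAMPLE = { // constructed values, not real identifiers or secrets
  TENANT_ID: "11111111-2222-3333-4444-555555555555",
  CLIENT_ID: "66666666-7777-8888-9999-000000000000",
  CLIENT_SECRET: "constructed-secret-value",
  LOG_ANALYTICS_ENDPOINT: "https://dce-beacon-ab12.westeurope-1.ingest.monitor.azure.com",
  LOG_ANALYTICS_RULE_ID: "dcr-0123456789abcdef0123456789abcdef",
  LOG_ANALYTICS_STREAM: "Custom-Beacon_Alerts_CL",
  AZURE_STORAGE_CONNECTION_STRING: "AccountName=stbeacon;AccountKey=Y29uc3RydWN0ZWQ=",
};
console.log(checkSettings(SAMPLE), ingestionUrl(SAMPLE));
```

Call `checkSettings(process.env)` at startup and refuse to run while it returns any problems.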
Step 8: Admin Consent for Client Tenants
Generate a consent URL for each client:
https://login.microsoftonline.com/{client-tenant-id}/adminconsent?client_id={your-app-client-id}
Open the consent URL, sign in as a Global Admin, and approve the permissions. You'll get a redirect URL error (no redirect URI was configured in Step 1), but the app consent will still work.
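Because the consent flow ends on an error page, it helps to confirm that consent actually took effect for each client tenant. The check below is an added example, not Beacon's own code: it reads the `tid` and `roles` claims of an app-only access token the function has already acquired for that tenant and compares them with the permission tables from Step 1. The `graph`/`o365` labels, function names and sample token are constructed for illustration.

```javascript
// Added example, not Beacon's code. Application permissions from Step 1, per API.
const REQUIRED_ROLES = {
  graph: ["AuditLog.Read.All", "SecurityAlert.Read.All",
          "IdentityRiskEvent.Read.All", "Directory.Read.All"],
  o365: ["ActivityFeed.Read", "ActivityFeed.ReadDlp"],
};

// Decode the claims of a token this app just received from the token endpoint.
// Diagnostic only: no signature check, so never use this to authenticate a caller.
function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// api is "graph" or "o365" (hypothetical labels for the two permission tables).
function checkConsent(jwt, clientTenantId, api) {
  const claims = decodeClaims(jwt);
  // An app-only token carries consented application permissions in "roles";
  // the claim is absent when nothing has been consented in that tenant.
  const granted = new Set(Array.isArray(claims.roles) ? claims.roles : []);
  const missing = REQUIRED_ROLES[api].filter((r) => !granted.has(r));
  const tenantMatches =
    String(claims.tid || "").toLowerCase() === clientTenantId.toLowerCase();
  return { ok: tenantMatches && missing.length === 0, tenantMatches, missing };
}

// Constructed sample: an unsigned token shaped like an app-only access token.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

const TENANT = "11111111-2222-3333-4444-555555555555"; // constructed tenant ID
const partial = sampleToken({
  tid: TENANT,
  roles: ["AuditLog.Read.All", "Directory.Read.All"],
});
console.log(checkConsent(partial, TENANT, "graph"));
```

A non-empty `missing` list for a client tenant means the consent URL needs to be approved again after the permissions were changed or only partly granted.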
Verify Setup
Run the Function locally or trigger manually. Wait 2-3 minutes, then query:
Beacon_Alerts_CL
| order by TimeGenerated desc
| take 10