Getting Started
Prerequisites
- Azure subscription with Log Analytics workspace
- Multi-tenant Entra ID app registration with admin consent
- Node.js 20+
Step 1: App Registration
- Entra ID → App registrations → New registration
- Configure:
  - Name: `Beacon`
  - Supported account types: Accounts in any organizational directory (Multitenant)
  - Redirect URI: Leave blank
- Register
Note these values
| Value | Location |
|---|---|
| Application (client) ID | Overview |
| Directory (tenant) ID | Overview |
Add client secret
- Certificates & secrets → Client secrets → New client secret
- Description: `Beacon POC`
- Expiry: 6 months
- Add
- Copy the Value immediately; you won't see it again
This secret will authenticate Beacon against every client tenant that consents to it, so handle it like a privileged credential: store it in Key Vault rather than in source control, and set a reminder to rotate it before the 6-month expiry or collection silently stops.
Add API permissions
Microsoft Graph (Application permissions):
| Permission | Purpose |
|---|---|
| AuditLog.Read.All | Sign-in logs |
| SecurityAlert.Read.All | Defender alerts |
| IdentityRiskEvent.Read.All | Identity Protection |
| Directory.Read.All | Resolve user/group details; also required together with AuditLog.Read.All to read sign-in logs |
Office 365 Management APIs (Application permissions):
- Add a permission → APIs my organization uses
- Search: `Office 365 Management APIs`
- Application permissions:
| Permission | Purpose |
|---|---|
| ActivityFeed.Read | Audit logs |
| ActivityFeed.ReadDlp | DLP events (optional) |
Grant admin consent
- API permissions → Grant admin consent for (your tenant)
- Confirm
This consents the MSP tenant only; each client tenant consents separately in Step 10.
Step 2: Resource Group
- Azure Portal → Resource groups → Create
- Configure:
  - Subscription: (your sub)
  - Resource group: `rg-beacon`
  - Region: (your preferred)
- Create
Step 3: Log Analytics Workspace
- Azure Portal → Log Analytics workspaces → Create
- Configure:
  - Subscription: (your sub)
  - Resource group: `rg-beacon`
  - Name: `law-beacon`
  - Region: (same as resource group)
- Review + Create
Note these values
| Value | Location |
|---|---|
| Workspace ID | Overview |
| Resource ID | Properties → Resource ID |
Step 4: Data Collection Endpoint (DCE)
- Azure Portal → Monitor → Data Collection Endpoints → Create
- Configure:
  - Name: `dce-beacon`
  - Subscription: (your sub)
  - Resource group: `rg-beacon`
  - Region: Same as Log Analytics workspace
- Create
Note this value
| Value | Location |
|---|---|
| Logs Ingestion URI | Overview |
Step 5: Custom Table and Data Collection Rule (DCR)
- Azure Portal → Log Analytics workspace → Tables → Create → New custom log (DCR-based)
- Configure:
  - Table name: `Beacon_Alerts` (becomes `Beacon_Alerts_CL`)
  - Data collection endpoint: Select `dce-beacon`
  - Data collection rule name: `dcr-beacon-alerts`
- Next: Upload `sample.json` to define the schema
- Review the transformation (the default is fine). The table must have a `TimeGenerated` column: either include it in the sample records or add `source | extend TimeGenerated = now()` in the transformation editor.
- Create
Get DCR values
- Azure Portal → Monitor → Data Collection Rules
- Open
dcr-beacon-alerts
| Value | Location |
|---|---|
| Immutable ID | Overview → Immutable Id |
| Stream name | Configuration → Data sources → Data source column |
Stream name should be: Custom-Beacon_Alerts_CL
Step 6: Grant App Permission to DCR
- Open DCR `dcr-beacon-alerts` → Access control (IAM) → Add role assignment
- Role: Monitoring Metrics Publisher
- Next → User, group, or service principal → Select members → Search for `Beacon`
- Select → Review + assign
Scope the assignment to this DCR, not the resource group: it is the only resource the app needs to write to. Role assignments can take up to 30 minutes to propagate; until then the Logs Ingestion API returns 403 for the app.
Step 7: Storage Account
Used for Azure Functions runtime and alert deduplication.
- Azure Portal → Storage accounts → Create
- Configure:
  - Subscription: (your sub)
  - Resource group: `rg-beacon`
  - Storage account name: `stbeacon` (must be globally unique)
  - Region: (same as other resources)
  - Performance: Standard
  - Redundancy: LRS
- Review + Create
Get connection string
- Open storage account → Access keys
- Copy Connection string for key1
The connection string embeds the account key, which grants full access to the account; keep it out of source control and rotate key1 if it is ever exposed.
The following tables are auto-created on first run:
- `AlertDedup`: 5-minute window for duplicate log suppression
- `NotificationState`: 1-hour window for notification throttling
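The two windows above are the whole of what the setup notes say about deduplication, so here is an added example of how such checks behave, written for this page and not taken from Beacon's code. It assumes a key scheme (tenant + source feed + upstream alert id) and a per-tenant, per-source notification key; plain Maps stand in for the two Azure Table Storage tables so it runs offline under Node.js 20.

```javascript
// Added example (not Beacon's own code): the two time-window checks that the
// AlertDedup and NotificationState tables back. Maps stand in for Azure Table
// Storage so this runs offline; the key scheme and the per-tenant-per-source
// notification key are assumptions, only the window lengths come from the
// setup notes.

const DEDUP_WINDOW_MS = 5 * 60 * 1000;   // AlertDedup: suppress repeats for 5 minutes
const NOTIFY_WINDOW_MS = 60 * 60 * 1000; // NotificationState: at most one message per hour

// Identity of an alert: the tenant it came from, the feed, and the upstream id.
// In a real table this would be PartitionKey = tenantId, RowKey = source|sourceId
// (Table Storage forbids / \ # ? in keys, hence '|').
function alertKey(alert) {
  if (!alert.tenantId || !alert.source || !alert.sourceId) {
    throw new Error('alert needs tenantId, source and sourceId');
  }
  return `${alert.tenantId}|${alert.source}|${alert.sourceId}`;
}

// Returns true and records nowMs if key has not been seen within windowMs.
// A suppressed hit does NOT refresh the timestamp, so the window is anchored
// to the last *accepted* event; a continuous stream of duplicates therefore
// gets through once per window instead of being silenced forever.
function passesWindow(table, key, windowMs, nowMs) {
  const last = table.get(key);
  if (last !== undefined && nowMs - last < windowMs) return false;
  table.set(key, nowMs);
  return true;
}

class AlertThrottle {
  constructor() {
    this.alertDedup = new Map();        // stands in for the AlertDedup table
    this.notificationState = new Map(); // stands in for the NotificationState table
  }

  // Should this alert be written to Beacon_Alerts_CL?
  shouldIngest(alert, nowMs = Date.now()) {
    return passesWindow(this.alertDedup, alertKey(alert), DEDUP_WINDOW_MS, nowMs);
  }

  // Should a Teams message go out? Throttled per tenant + source (assumption),
  // so a burst of distinct alerts from one feed yields one notification per hour
  // while the individual alerts still land in the table.
  shouldNotify(alert, nowMs = Date.now()) {
    return passesWindow(this.notificationState, `${alert.tenantId}|${alert.source}`, NOTIFY_WINDOW_MS, nowMs);
  }

  // Table Storage has no TTL: drop entries older than the longest window so
  // the tables do not grow without bound. Returns the remaining row count.
  prune(nowMs = Date.now()) {
    for (const table of [this.alertDedup, this.notificationState]) {
      for (const [key, seen] of table) {
        if (nowMs - seen >= NOTIFY_WINDOW_MS) table.delete(key);
      }
    }
    return this.alertDedup.size + this.notificationState.size;
  }
}

// Constructed walk-through: the same sign-in alert arriving three times.
function demo() {
  const throttle = new AlertThrottle();
  const alert = { tenantId: 'contoso', source: 'Graph/signIns', sourceId: 'risk-123' };
  const t0 = Date.parse('2024-01-01T00:00:00Z');
  return [
    throttle.shouldIngest(alert, t0),                   // first sighting: ingest
    throttle.shouldIngest(alert, t0 + 2 * 60 * 1000),   // 2 min later: duplicate
    throttle.shouldIngest(alert, t0 + 5 * 60 * 1000),   // window elapsed: ingest again
    throttle.shouldNotify(alert, t0),                   // notify
    throttle.shouldNotify(alert, t0 + 5 * 60 * 1000),   // still inside the hour: hold
  ];
}
```

Swapping the Maps for `@azure/data-tables` calls keeps the logic intact; the one thing to carry over is that a suppressed hit must not update the stored timestamp, or a noisy source extends its own suppression window indefinitely.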
Step 8: Function App
- Azure Portal → Function App → Create
- Configure:
  - Subscription: (your sub)
  - Resource group: `rg-beacon`
  - Function App name: `func-beacon` (must be globally unique)
  - Runtime stack: Node.js
  - Version: 20 LTS
  - Region: (same as other resources)
  - Operating System: Linux
  - Plan type: Consumption (Serverless)
- Review + Create
Configure app settings
- Open Function App → Configuration → Application settings (newer portal builds show this as Settings → Environment variables → App settings)
- Add these:
| Name | Value |
|---|---|
| TENANT_ID | (your MSP tenant ID) |
| CLIENT_ID | (app registration client ID) |
| CLIENT_SECRET | (app registration secret) |
| LOG_ANALYTICS_ENDPOINT | (DCE Logs Ingestion URI) |
| LOG_ANALYTICS_RULE_ID | (DCR Immutable ID) |
| LOG_ANALYTICS_STREAM | Custom-Beacon_Alerts_CL |
| AZURE_STORAGE_CONNECTION_STRING | (storage account connection string) |
- Save
Note:
`AzureWebJobsStorage` is created automatically when you create the Function App and link a storage account; it is required by the Functions runtime. `AZURE_STORAGE_CONNECTION_STRING` is a separate setting used by Beacon for the alert deduplication tables. For `CLIENT_SECRET` and the connection string, prefer a Key Vault reference (`@Microsoft.KeyVault(SecretUri=...)`) over pasting the raw value, so the secrets are not readable by everyone with Reader access to the Function App's configuration.
Step 9: Teams Webhook (Optional)
- Teams → Select channel for alerts
- Channel settings → Connectors → Incoming Webhook
- Configure:
  - Name: `Beacon Alerts`
  - Upload icon (optional)
- Create → Copy webhook URL
Microsoft is retiring Office 365 connectors in Teams; if Connectors is missing from the channel menu, create the webhook with a Teams Workflow ("Post to a channel when a webhook request is received") instead. Treat the URL as a secret: anyone holding it can post to the channel.
- Add to Function App settings:
| Name | Value |
|---|---|
| TEAMS_WEBHOOK_URL | (webhook URL) |
Step 10: Admin Consent for Client Tenants
Generate a consent URL for each client:
`https://login.microsoftonline.com/{client-tenant-id}/adminconsent?client_id={your-app-client-id}`
Have the client's Global Admin open the link, review the permission list (it should match the tables in Step 1), and approve. Without a configured redirect URI the browser shows an error page after approval, but the consent is still recorded. The client admin can confirm it in their tenant under Entra ID → Enterprise applications → Beacon → Permissions.
Verify Setup
Run the Function locally or trigger it manually. Wait 2-3 minutes, then query the workspace:
```kusto
Beacon_Alerts_CL
| order by TimeGenerated desc
| take 10
```