I'm looking for insights from anyone who has successfully pulled Entra's identity health metrics, such as user risk, sign-in anomalies, NHI scores, and leaky token alerts, into their SASE console (like Cato, Netskope, or Zscaler). All I've managed to find in the documentation is information about the standard Entra IDP connector, with no mention of the deeper risk telemetry or identity protection feeds.
Has anyone actually implemented this in a production environment? I'm curious if Graph API polling, a SCIM hack, or a direct feed from Defender for Identity might work. I suspect it might not be doable, but I'm really hoping to find some solid experiences to help clarify.
6 Answers
So far, none of the Zero Trust tools we've tried effectively support this integration. Our conditional access policies are designed in such a way that a user flagged as high risk is forced to reset their credentials immediately. Plus, high-risk sign-ins are completely locked out of our SASE and other high-security resources.
I've seen some folks try to use SCIM hacks, but unfortunately, they usually only sync users and basic attributes. If you're after actionable risk data in a SASE platform, the best way is to gather it through Microsoft’s telemetry first, and then send it to your SASE console like Cato for further analysis and enforcement.
Using Graph API with custom scripts is the closest I've come to a solution. You can retrieve risky sign-ins and MFA failures, but integrating leaky token alerts or NHI scores into a SASE dashboard is definitely a challenging DIY task. Be prepared for some gaps unless the vendor supports this natively.
I recommend treating Microsoft’s telemetry as the primary source of truth and then feeding curated alerts into your SASE platform. Instead of hoping for native integration, extract the risk signals using the Graph API or ingest Entra/Defender logs into Sentinel, filter out the necessary data, and push those alerts via syslog or webhook. It's not the easiest solution, but it's currently the best way to obtain reliable and actionable risk data.
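The "pull risk via Graph, curate, push via syslog or webhook" pattern that the two answers above describe, as an added worked example (not code from the thread or from any SASE vendor). It assumes an app registration whose token carries IdentityRiskyUser.Read.All and IdentityRiskEvent.Read.All (token acquisition is left out), and that the SASE side accepts CEF over syslog or a JSON webhook; the CEF vendor/product strings and the webhook body shape are placeholders to be matched to the console's parser. The sample Graph pages are constructed, fictional data so the script runs offline.

```python
"""Bridge Entra ID Protection risk signals into a SASE console (added example, not vendor code)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0/identityProtection"
# Server-side filters narrow the pull; select_actionable() re-applies the policy locally,
# so loosening the query can never push a remediated or low-risk user into the SASE.
RISKY_USERS_URL = GRAPH + "/riskyUsers?" + urllib.parse.urlencode(
    {"$filter": "riskLevel eq 'high' and (riskState eq 'atRisk' or riskState eq 'confirmedCompromised')"})
DETECTIONS_URL = GRAPH + "/riskDetections?" + urllib.parse.urlencode(
    {"$filter": "riskLevel eq 'high'", "$orderby": "detectedDateTime desc"})
ACTIONABLE_STATES = {"atRisk", "confirmedCompromised"}


def graph_get(url, token):
    """One live Graph call. Not used offline; sample_get() below stands in for it."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(url, token, get=graph_get):
    """Follow @odata.nextLink until the collection is exhausted; Graph pages large results."""
    items = []
    while url:
        page = get(url, token)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def parse_ts(s):
    """Graph timestamps end in 'Z'; return a timezone-aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def select_actionable(users, detections, since_iso):
    """Join risky users to their recent high-risk detections; keep only what should drive enforcement."""
    since = parse_ts(since_iso)
    recent = {}
    for d in detections:
        if d.get("riskLevel") != "high" or parse_ts(d["detectedDateTime"]) < since:
            continue  # stale or low-signal detections stay in Entra; the cursor avoids re-pushing
        recent.setdefault(d["userId"], []).append(d)
    events = []
    for u in users:
        if u.get("riskLevel") != "high" or u.get("riskState") not in ACTIONABLE_STATES:
            continue  # remediated/dismissed users must not be re-blocked downstream
        hits = recent.get(u["id"], [])
        events.append({
            "upn": u["userPrincipalName"], "user_id": u["id"],
            "risk_state": u["riskState"], "risk_updated": u["riskLastUpdatedDateTime"],
            "detections": sorted({d["riskEventType"] for d in hits}),
            "source_ips": sorted({d["ipAddress"] for d in hits if d.get("ipAddress")}),
        })
    return events


def to_cef(event):
    """One CEF line for syslog. Header fields escape '|', extension values escape '='."""
    def hdr(v): return str(v).replace("\\", "\\\\").replace("|", "\\|")
    def ext(v): return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", " ")
    fields = [("suser", event["upn"]), ("cs1", ",".join(event["detections"])), ("cs1Label", "riskEventTypes"),
              ("cs2", event["risk_state"]), ("cs2Label", "riskState"),
              ("src", ",".join(event["source_ips"]) or "-"), ("end", event["risk_updated"])]
    extension = " ".join(f"{k}={ext(v)}" for k, v in fields)
    # "Example"/"EntraRiskBridge" are placeholder vendor/product strings, not a real product.
    return "CEF:0|{}|{}|{}|{}|{}|{}|{}".format(hdr("Example"), hdr("EntraRiskBridge"), hdr("1.0"),
                                            hdr("entra.riskyUser.high"), hdr("Entra high-risk user"), 9, extension)


def to_webhook_payload(events, generated_at_iso):
    """JSON body for a SASE webhook (placeholder shape); one batch per poll, dedupable by user_id."""
    return json.dumps({"source": "entra-identity-protection", "generatedAt": generated_at_iso,
                       "count": len(events), "events": events}, sort_keys=True)


def collect(token, since_iso, get=graph_get):
    """One polling cycle: pull, join, filter. since_iso is the cursor saved from the previous run."""
    return select_actionable(fetch_all(RISKY_USERS_URL, token, get),
                             fetch_all(DETECTIONS_URL, token, get), since_iso)


# Constructed sample pages shaped like Graph responses (fictional tenant, users and IPs).
SAMPLE_PAGES = {
    "users1": {"@odata.nextLink": GRAPH + "/riskyUsers?page=2", "value": [
        {"id": "u1", "userPrincipalName": "alice@contoso.example", "riskLevel": "high", "riskState": "atRisk",
         "riskLastUpdatedDateTime": "2024-05-01T10:00:00Z"},
        {"id": "u2", "userPrincipalName": "bob@contoso.example", "riskLevel": "medium", "riskState": "atRisk",
         "riskLastUpdatedDateTime": "2024-05-01T09:00:00Z"}]},
    "users2": {"value": [
        {"id": "u3", "userPrincipalName": "carol@contoso.example", "riskLevel": "high", "riskState": "remediated",
         "riskLastUpdatedDateTime": "2024-04-20T09:00:00Z"}]},
    "detections": {"value": [
        {"id": "d1", "userId": "u1", "riskEventType": "anonymizedIPAddress", "riskLevel": "high", "riskState": "atRisk",
         "detectedDateTime": "2024-05-01T09:58:00Z", "ipAddress": "203.0.113.7", "activity": "signin"},
        {"id": "d2", "userId": "u1", "riskEventType": "leakedCredentials", "riskLevel": "high", "riskState": "atRisk",
         "detectedDateTime": "2024-04-30T22:15:00Z", "ipAddress": None, "activity": "user"},
        {"id": "d3", "userId": "u1", "riskEventType": "unfamiliarFeatures", "riskLevel": "high", "riskState": "atRisk",
         "detectedDateTime": "2024-03-02T08:00:00Z", "ipAddress": "198.51.100.9", "activity": "signin"},
        {"id": "d4", "userId": "u2", "riskEventType": "passwordSpray", "riskLevel": "high", "riskState": "atRisk",
         "detectedDateTime": "2024-05-01T08:30:00Z", "ipAddress": "203.0.113.40", "activity": "signin"}]},
}


def sample_get(url, token):
    """Offline stand-in for graph_get that serves the constructed pages, including the second page."""
    if "page=2" in url:
        return SAMPLE_PAGES["users2"]
    return SAMPLE_PAGES["users1"] if "riskyUsers" in url else SAMPLE_PAGES["detections"]


if __name__ == "__main__":
    for ev in collect("dummy-token", "2024-04-25T00:00:00Z", get=sample_get):
        print(to_cef(ev))
```

Run on a schedule, persist the newest `detectedDateTime` you pushed as the next `since_iso`, and swap `sample_get` for the real `graph_get` with a token from your app registration. Only users that are both high risk and still at risk (or confirmed compromised) reach the SASE, so a remediated user is never re-blocked there; the medium-risk user and the stale detection in the sample are filtered out for exactly that reason.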
Direct integration isn't quite ready for production use yet. You'll need to ingest Defender for Identity or Entra logs into a platform like Sentinel or a SIEM first. Afterwards, you can export curated alerts into your SASE via syslog or API. Anything outside of that is likely to be unsupported and inconsistent, especially if you're focusing on reliability.
Microsoft makes things pretty complicated. Standard IDP connectors only offer the bare minimum. If you want more in-depth data, you usually have to resort to Graph API polling or use Azure Sentinel as an intermediary.