Follow the Azure onboarding wizard, and Cortex creates a custom authentication template to be executed in Azure.
Notice
Requires a Cortex XDR license that has the Cloud Posture Security or Cloud Runtime Security add-on.
Use the cloud onboarding wizard to integrate a Microsoft Azure environment with Cortex XDR. The onboarding wizard requires minimal configuration to set up the integration. To complete the minimum configuration, define the scope of the Microsoft Azure accounts and specify the scan mode. Alternatively, configure the advanced settings for full control of the onboarding process.
Cortex XDR generates a Terraform or ARM authentication template based on the configuration settings. The authentication template establishes trust with Microsoft Azure. The authentication template also grants required permissions to Cortex XDR. Execute the authentication template in Microsoft Azure to complete the onboarding process. Executing the authentication template notifies Cortex XDR of the execution details. Cortex XDR then creates a new cloud instance.
Onboard Microsoft Entra ID only
You can onboard Microsoft Entra ID independently of a full tenant-level onboarding. When you select the Onboard Microsoft Entra ID only option during onboarding with Tenant scope, Cortex XDR connects to Entra ID to unlock identity-based capabilities, including Cloud Infrastructure Entitlement Management (CIEM), identity posture assessment, and Entra ID sign-in log ingestion. This approach enables identity visibility without requiring Cortex XDR to scan or manage the broader Azure tenant environment.
When you onboard Entra ID only, Cortex XDR operates in collection-only mode. Scan mode selection and scope modification are not available for this configuration. Both Terraform and ARM authentication templates are supported, and manual onboarding is also available. Cortex XDR generates the appropriate authentication template based on your selection, and you execute it in Microsoft Azure to complete the onboarding process.
If you enable audit log collection with Entra ID-only onboarding using automated collection, Cortex XDR ingests sign-in and activity log categories including: SignInLogs, AuditLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, ProvisioningLogs, ADFSSignInLogs, and MicrosoftGraphActivityLogs. Administrative category logs are excluded from automated collection. If you configure custom diagnostic settings, log ingestion follows your specified configuration.
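Because custom diagnostic settings replace the automated category list, it is worth checking a custom configuration against the categories named above. The following is an added example, not part of the Cortex XDR documentation or product. It assumes the Entra ID diagnostic settings were exported as JSON with a value list whose items carry properties.logs entries with category and enabled fields; the setting names and sample data are constructed.

```python
import json

# Categories the page lists for automated Entra ID-only collection.
EXPECTED = frozenset({
    "SignInLogs", "AuditLogs", "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
    "ProvisioningLogs", "ADFSSignInLogs", "MicrosoftGraphActivityLogs",
})

# Constructed sample. Assumed shape: {"value": [{"name", "properties": {"logs": [...]}}]}
SAMPLE = """
{"value": [
  {"name": "custom-to-eventhub", "properties": {"logs": [
     {"category": "SignInLogs", "enabled": true},
     {"category": "AuditLogs", "enabled": true},
     {"category": "NonInteractiveUserSignInLogs", "enabled": false},
     {"category": "ServicePrincipalSignInLogs", "enabled": true},
     {"category": "RiskyUsers", "enabled": true}]}},
  {"name": "legacy-archive", "properties": {"logs": [
     {"category": "ProvisioningLogs", "enabled": true}]}}
]}
"""

def coverage(settings_json, expected=EXPECTED):
    """Map each diagnostic setting name to its enabled, missing and extra categories."""
    report = {}
    for setting in json.loads(settings_json).get("value", []):
        logs = (setting.get("properties") or {}).get("logs") or []
        # A category counts only if it is listed and explicitly enabled.
        enabled = {e["category"] for e in logs
                   if e.get("enabled") is True and "category" in e}
        report[setting.get("name", "<unnamed>")] = {
            "enabled": enabled & expected,
            "missing": set(expected) - enabled,  # gap versus automated collection
            "extra": enabled - expected,         # sent, but not in the page's list
        }
    return report

if __name__ == "__main__":
    for name, r in coverage(SAMPLE).items():
        print(f"{name}: {len(r['enabled'])}/{len(EXPECTED)} expected categories enabled")
        for cat in sorted(r["missing"]):
            print(f"  missing or disabled: {cat}")
        for cat in sorted(r["extra"]):
            print(f"  not in automated list: {cat}")
```

The report is per diagnostic setting because a category enabled only in a setting that feeds a different destination does not reach the one Cortex XDR reads from.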
You can later expand an Entra ID-only configuration to full tenant scope by editing the onboarding configuration. This allows you to begin with identity-focused onboarding and transition to comprehensive tenant coverage as requirements evolve.