Enabling User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel requires permissions in both Azure Active Directory (Microsoft Entra ID) and Microsoft Sentinel because UEBA integrates identity data from Azure AD to perform behavioral analytics and anomaly detection.

Here’s the reasoning based on Microsoft’s official documentation and the principle of least privilege:

1️ ⃣ Azure AD role → Security administ rator

The Security Administrator role in Azure AD allows a user to manage security-related features , including security settings and integration of identity signals with other services like Microsoft Sentinel.

This role has the rights necessary to grant Sentinel access to Azure AD data for UEBA without requiring broader, high-privilege roles such as Global Administrator .

Microsoft documentation explicitly recommends the Security Administrator role to enable UEBA because Sentinel uses Azure AD identity inf ormation and risk detections for its entity behavior modeling.

2️ ⃣ Azure role → Microsoft Sentinel Contributor

Within Sentinel, the Microsoft Sentinel Contributor role allows a user to configure settings, enable features like UEBA, and manage analytic rule s, workbooks, and connectors , but does not grant rights to access workspace data directly (which would be excessive).

It’s the appropriate role for managing Sentinel features while adhering to the least privilege principle.

The Sentinel Responder role is t oo limited—it can handle incidents but cannot enable or configure UEBA.

✅ Final Answer:

Azure AD role: Security administrator

Azure role: Microsoft Sentinel Contributor