Guidance on architecture, supported data ingestion methods, and recommended Azure services to create a consolidated multi-service dashboard.

I’ve built this type of consolidated security dashboard a few times, combining Intune, Defender, M365, Sentinel, and Entra signals into one place. The core idea is always the same: pull everything into a single Log Analytics Workspace, then build your dashboards on top of it.

Here’s the simplest and most reliable architecture:

1. Use Microsoft Graph for anything that doesn’t have native Sentinel connectors. Intune, Entra ID, and some Defender datasets only expose the deeper metrics through Graph.

I usually run scheduled jobs in: Azure Functions / Logic Apps or an Automation Account to pull the data and write it into a custom table in Log Analytics.

2. Use the built-in Sentinel connectors wherever possible. Defender for Endpoint, Defender for Office 365, Defender for Identity, and the M365 security logs already have connectors that stream straight into Sentinel and LAW without extra work.

3. For external data sources (AWS, GCP, custom APIs), Azure Workbooks can read from multiple sources. Workbooks can combine: Log Analytics - Azure Resource Graph - Azure Monitor Metrics - Custom REST APIs (via parameters) - External JSON endpoints So yes, you can bring AWS, GCP, or any API into the same dashboard as long as you expose it in a consumable way.

4. Store everything in a central LA. This makes the KQL layer clean and lets you build one unified workbook on top of all services.

Typical setup that works well: Sentinel + LA Workspace as the data platform + Graph-based ingestion for Entra, Intune, and any gaps in the Defender stack with native connectors for Defender and M365 - A workbook or Power BI dashboard on top for visualization.

Optional Event Hub if you need to stage external logs before writing to LAW