Note: Azure Active Directory is being rebranded to Microsoft Entra ID
This post documents the different types of free logs you have access to out of the box when you create and log in to an Azure tenant for the first time. These logs are enabled by default and cannot be deleted by any privileged role.
Azure Active Directory (Microsoft Entra ID) Logs
Azure AD – Sign-in logs
Information about sign-ins such as who logged in, successful and failed logins, and how your resources are used by your users.
Azure AD – Audit Logs
Information about changes applied to your tenant such as users and group management or updates applied to your Azure AD resources. For example, who created or amended a user in Azure AD.
Azure AD – Provisioning
Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
Azure AD types of logs | Retention | License |
---|---|---|
Sign-In | 7 days | Azure AD Free |
Sign-In | 30 days | Azure AD P1/P2 |
Audit | 7 days | Azure AD Free |
Audit | 30 days | Azure AD P1/P2 |
Provisioning | 7 days | Azure AD Free |
Provisioning | 30 days | Azure AD P1/P2 |
Azure AD MFA Usage | 30 days | All licenses |
Risky users and sign-in logs
Log retention for risky users and risky sign-ins differs by license and is documented below:
Log type | Azure AD Free | Azure AD P1 | Azure AD P2 |
---|---|---|---|
Risky users | No limit | No limit | No limit |
Risky sign-ins | 7 days | 30 days | 90 days |
Risky sign-in – an indicator for a sign-in attempt by someone who isn’t the legitimate owner of a user account.
Risky Users – A risky user is an indicator for a user account that might have been compromised.
Azure Subscription Activity Logs
Activity log events are retained in Azure for 90 days.
The activity log records who created, deleted or configured a resource such as a Virtual Machine, Virtual Network, Azure Firewall or VNET Peering, who enabled or deleted a backup, and more.
Azure Metrics
By default, metrics are stored for 93 days. Metrics are numerical values such as CPU usage on a Virtual Machine.
There’s no charge for entries during this time regardless of volume. For more functionality, such as longer retention, create a diagnostic setting and route the entries to another location based on your needs.
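The retention windows above decide how far back an investigation can reach with default logging alone. The following is an added example, not code from the original post or from Microsoft: it takes the page's retention figures and reports, for a given incident window, which sources still hold the evidence and by what date it must be exported. The tier labels, function name and whole-day granularity are assumptions of the example.

```python
from datetime import date, timedelta

# Default retention in days, copied from the tables and sections above.
# None means "no limit". Tier keys (free/p1/p2) are this example's own labels.
RETENTION = {
    "sign-in":        {"free": 7,  "p1": 30, "p2": 30},
    "audit":          {"free": 7,  "p1": 30, "p2": 30},
    "provisioning":   {"free": 7,  "p1": 30, "p2": 30},
    "mfa-usage":      {"free": 30, "p1": 30, "p2": 30},
    "risky-users":    {"free": None, "p1": None, "p2": None},
    "risky-sign-ins": {"free": 7,  "p1": 30, "p2": 90},
    # Subscription-level sources do not depend on the Azure AD license.
    "activity-log":   {"free": 90, "p1": 90, "p2": 90},
    "metrics":        {"free": 93, "p1": 93, "p2": 93},
}


def coverage(tier, start, end, today):
    """Report, per log source, how much of [start, end] default retention still holds.

    Assumption: whole-day granularity; an event dated d stays queryable
    through d + retention days.
    """
    report = {}
    for source, by_tier in RETENTION.items():
        days = by_tier[tier]
        oldest = date.min if days is None else today - timedelta(days=days)
        first = max(start, oldest)          # earliest day still available
        if first > end:                     # whole window already aged out
            report[source] = {"status": "expired", "available_from": None,
                              "lost_days": (end - start).days + 1, "export_by": None}
            continue
        lost = (first - start).days
        report[source] = {
            "status": "full" if lost == 0 else "partial",
            "available_from": first,
            "lost_days": lost,
            # Last day the earliest surviving event can still be exported.
            "export_by": None if days is None else first + timedelta(days=days),
        }
    return report


if __name__ == "__main__":
    # Constructed scenario: suspicious activity 15-20 Feb 2024, noticed 31 Mar 2024.
    result = coverage("p2", date(2024, 2, 15), date(2024, 2, 20), date(2024, 3, 31))
    for source, row in result.items():
        print(f"{source:15} {row['status']:8} lost={row['lost_days']} export_by={row['export_by']}")
```

In the constructed scenario, sign-in and audit logs have already aged out even on P2, while the activity log and risky sign-ins still cover the window.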
If you wish to learn more about Azure AD Logs, visit the following Microsoft Learn link:
Monitor and maintain Azure Active Directory
For further details on Activity logs at the Azure subscription level, visit the following link:
Azure activity log