Default logs provided for free in Microsoft Azure

Note: Azure Active Directory is being rebranded to Microsoft Entra ID

This post documents the different types of free logs you have access to out of the box when you create and log in to an Azure tenant for the first time. These logs are enabled by default and cannot be deleted by any privileged role.

Azure Active Directory (Microsoft Entra ID) Logs

Azure AD – Sign-in logs
Information about sign-ins such as who logged in, successful and failed logins, and how your resources are used by your users.

Azure AD – Audit Logs
Information about changes applied to your tenant such as users and group management or updates applied to your Azure AD resources. For example, who created or amended a user in Azure AD.

Azure AD – Provisioning 
Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.

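| Azure AD types of logs | Retention | License |
|---|---|---|
| Sign-in | 7 days | Azure AD Free |
| Sign-in | 30 days | Azure AD P1/P2 |
| Audit | 7 days | Azure AD Free |
| Audit | 30 days | Azure AD P1/P2 |
| Provisioning | 7 days | Azure AD Free |
| Provisioning | 30 days | Azure AD P1/P2 |
| Azure AD MFA Usage | 30 days | All licenses |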

Risky users and sign-in logs

The log retention periods for risky users and risky sign-ins differ and are documented below.

| Log type | Azure AD Free | Azure AD P1 | Azure AD P2 |
|---|---|---|---|
| Risky users | No limit | No limit | No limit |
| Risky sign-ins | 7 days | 30 days | 90 days |

Risky users and workload identities are not deleted until the risk has been remediated.

Risky sign-in – an indicator for a sign-in attempt by someone who isn’t the legitimate owner of a user account.

Risky Users – A risky user is an indicator for a user account that might have been compromised.

Azure Subscription Activity Logs

Activity log events are retained in Azure for 90 days.

Activity includes who created/deleted or configured a resource, such as a Virtual Machine, Virtual Network, Azure Firewall, VNET Peering, enabled a backup, deleted a backup and more.

Azure Metrics

By default, metrics are stored for 93 days. Metrics are numerical values such as CPU usage on a Virtual Machine.

There’s no charge for entries during this time regardless of volume. For more functionality, such as longer retention, create a diagnostic setting and route the entries to another location based on your needs.
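
One way to create the diagnostic setting mentioned above for the subscription activity log, shown as an added Bicep example that is not part of the original post. The parameter names, the default setting name and the choice of a Log Analytics workspace as the destination are assumptions.

```bicep
// Added example (not from the original post): route the subscription
// activity log to a Log Analytics workspace so that entries remain
// available after the default 90-day retention has passed.
// Parameter names and the default setting name are assumptions.
targetScope = 'subscription'

@description('Name of the diagnostic setting (hypothetical default).')
param settingName string = 'activity-log-to-workspace'

@description('Resource ID of an existing Log Analytics workspace.')
param workspaceId string

// Activity log categories available at subscription scope.
var categories = [
  'Administrative'
  'Security'
  'ServiceHealth'
  'Alert'
  'Recommendation'
  'Policy'
  'Autoscale'
  'ResourceHealth'
]

// A subscription-scoped diagnostic setting applies to the activity log
// of the subscription the template is deployed to.
resource activityLogExport 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: settingName
  properties: {
    workspaceId: workspaceId
    // Enable every category so administrative changes, policy events and
    // security alerts are all retained in the workspace.
    logs: [for category in categories: {
      category: category
      enabled: true
    }]
  }
}
```

Deploy it at subscription scope with `az deployment sub create`, passing the workspace resource ID as the `workspaceId` parameter. How long the exported entries are kept is then governed by the retention configured on the workspace, not by the 90-day default.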

If you wish to learn more about Azure AD Logs, visit the following Microsoft Learn link:
Monitor and maintain Azure Active Directory

For further details on Activity logs at the Azure subscription level, visit the following link:
Azure activity log