
The Ultimate Guide to Tracking: Exporting and Preserving Azure AD Sign-In Logs

Azure Active Directory (AAD), Microsoft’s cloud-based identity and access management service, plays an integral role in managing users and providing access to resources. An essential part of this management involves tracking sign-in activities. AAD provides sign-in logs that record data such as who attempted to sign in, the application they attempted to access, and whether the sign-in attempt was successful.

  • Azure Active Directory (AAD), which handles authentication for Office 365 (O365), does not directly store sign-in logs indefinitely.

However, an often-overlooked aspect of these sign-in logs is their retention period. This blog post aims to shed light on this topic and explore how we can extend this retention period using Azure Blob Storage.

By default, Azure AD keeps sign-in logs for:

  • AAD free: 7 days
  • AAD P1: 30 days
  • AAD P2: 30 days

Azure AD does not store any activity data past 30 days! We are stuck here. What to do?

https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data

There is no way around this unless you are exporting or downloading the logs somewhere else, such as a storage account, an event hub or a SIEM. If you are using Office 365, you can also use the Unified audit log, which ingests events from Azure AD as well. But that needs an expensive E5 license?

Extending Retention with Azure Blob Storage

While the retention periods above may be sufficient for some, many organizations may require a longer retention period for compliance, auditing, or analytical purposes. This is where Azure Blob Storage comes into play.

Azure Blob Storage is a service for storing large amounts of unstructured object data, such as text or binary data. You can use it to store and retrieve any amount of data at any time from anywhere on the web.

To extend the retention of your AAD sign-in logs, you can export them to Azure Blob Storage. Here’s a simple process on how to achieve that:

  1. Create a Storage Account: First, you’ll need an Azure Storage account. You can create one in the Azure portal by clicking on ‘Create a resource’, then search for and select ‘Storage account’.
  2. Set up Azure Monitor Diagnostics Settings: Next, set up diagnostic settings in Azure Monitor. These route the logs to the storage account.
     • Navigate to Azure Active Directory > Monitoring > Audit logs.
     • Select Export Data Settings.
     • Select ‘Sign-in logs’ under the ‘Log’ category and select your Storage account under ‘Destination details’.
  3. Set Retention Period: Finally, in the ‘Diagnostics settings’, specify the retention period for your logs in the ‘Retention (days)’ field. This is the period for which the logs will be kept in the storage account.
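The same three steps can be scripted instead of clicked through. The script below is an added example written for this post, not code from the original article or from Microsoft: it creates the storage account, writes the tenant-level Azure AD diagnostic setting that routes SignInLogs to it, and attaches a storage lifecycle policy that expires the exported blobs after the chosen number of days. Everything it assumes is called out in the comments: the resource group, account and setting names are placeholders, the diagnostic setting is written with `az rest` against `/providers/microsoft.aadiam/diagnosticSettings/<name>` (API version 2017-04-01), and the exported hourly files are assumed to land in the `insights-logs-signinlogs` container. The helpers that build the JSON bodies and validate the retention value run offline; nothing talks to Azure unless you pass `--apply`.

```shell
#!/bin/sh
# Added example for this post (not the original author's code): script the
# portal steps "create storage account -> diagnostic setting -> retention".
# Assumptions (verify against current Microsoft docs before use):
#   - Azure AD diagnostic settings live at the tenant-level ARM path
#     /providers/microsoft.aadiam/diagnosticSettings/<name>, api-version 2017-04-01
#   - Azure Monitor exports SignInLogs to the container insights-logs-signinlogs
#   - all resource names below are placeholders; the storage account name must
#     be globally unique
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-identity-logs}"
LOCATION="${LOCATION:-westeurope}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-staadsigninlogs001}"
SETTING_NAME="${SETTING_NAME:-aad-signin-to-blob}"
RETENTION_DAYS="${RETENTION_DAYS:-365}"

# Accept only a positive integer; anything else (empty, "abc", 0) is rejected so
# a typo cannot silently produce a policy that keeps nothing.
valid_retention() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ]; then return 0; fi
  return 1
}

# Request body for the Azure AD diagnostic setting (assumed schema).
# $1 = storage account resource ID, $2 = retention in days
diag_body() {
  cat <<EOF
{"properties":{"storageAccountId":"$1","logs":[{"category":"SignInLogs","enabled":true,"retentionPolicy":{"enabled":true,"days":$2}}]}}
EOF
}

# Storage lifecycle policy deleting exported sign-in log blobs older than $1
# days. Azure Monitor writes the hourly export files as append blobs under the
# assumed container prefix, so the filter is scoped to that prefix only.
lifecycle_policy() {
  cat <<EOF
{"rules":[{"enabled":true,"name":"expire-signin-logs","type":"Lifecycle","definition":{"actions":{"baseBlob":{"delete":{"daysAfterModificationGreaterThan":$1}}},"filters":{"blobTypes":["appendBlob","blockBlob"],"prefixMatch":["insights-logs-signinlogs/"]}}}]}
EOF
}

apply() {
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none

  # Step 1: GPv2 account (required for lifecycle management), no anonymous
  # blob access and TLS 1.2 only, since this container will hold identity data.
  az storage account create --name "$STORAGE_ACCOUNT" \
    --resource-group "$RESOURCE_GROUP" --location "$LOCATION" \
    --kind StorageV2 --sku Standard_LRS \
    --min-tls-version TLS1_2 --allow-blob-public-access false --output none
  account_id=$(az storage account show --name "$STORAGE_ACCOUNT" \
    --resource-group "$RESOURCE_GROUP" --query id --output tsv)

  # Step 2 + 3: tenant-level diagnostic setting = "Export Data Settings" in the
  # portal, with the Retention (days) value carried in retentionPolicy.
  diag_body "$account_id" "$RETENTION_DAYS" > /tmp/aad-diag.json
  az rest --method put \
    --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/${SETTING_NAME}?api-version=2017-04-01" \
    --body @/tmp/aad-diag.json --output none

  # Storage-side expiry as well, so retention does not depend on the
  # diagnostic-setting field alone.
  lifecycle_policy "$RETENTION_DAYS" > /tmp/aad-lifecycle.json
  az storage account management-policy create --account-name "$STORAGE_ACCOUNT" \
    --resource-group "$RESOURCE_GROUP" --policy @/tmp/aad-lifecycle.json --output none
}

# Running or sourcing the file without --apply only defines the helpers.
if [ "${1:-}" = "--apply" ]; then
  valid_retention "$RETENTION_DAYS" || {
    echo "RETENTION_DAYS must be a positive integer, got '$RETENTION_DAYS'" >&2
    exit 1
  }
  apply
fi
```

Run it as `RETENTION_DAYS=365 STORAGE_ACCOUNT=<unique-name> sh export-signin-logs.sh --apply` after `az login` with rights on both the subscription and the tenant's diagnostic settings. The lifecycle policy is there on purpose: Microsoft has announced the retirement of the per-setting Retention (days) field in diagnostic settings in favour of Azure Storage lifecycle management, so expressing the expiry as a storage policy keeps the retention working after that field is gone. Whatever value you pick, it is the retention of the copy in the storage account; the 7 or 30 days inside Azure AD itself do not change.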

Following these steps, you can now retain your sign-in logs for a longer period in Azure Blob Storage. Remember, managing sign-in logs effectively is crucial for maintaining security and ensuring compliance within your organization. By understanding the retention periods and knowing how to extend them, you can make the most of what Azure Active Directory has to offer.
