SecureCloud Experts
Entra ID Sign-In Logs: Extended Data Retention Beyond 30 Days with Log Analytics

Introduction

Entra ID, formerly known as Azure Active Directory, offers an indispensable tool for monitoring user activity and detecting security threats in Microsoft 365 and Azure environments through its sign-in logs. By default, these logs are retained for only 30 days. However, if your organization requires longer retention periods, integrating a Log Analytics workspace can significantly extend the retention period.

In this article, you will learn how to extend the retention period of Entra ID sign-in logs, the benefits of doing so, and how to effectively use Log Analytics to analyze your logs.

Why Keep Sign-In Logs for Longer?

Extended retention of sign-in logs offers numerous advantages:

  • Ensure Compliance: Meet regulatory requirements by retaining sign-in logs for longer periods.

  • Extend Security Analysis: Investigate security incidents beyond the standard 30-day window.

  • Forensic Investigations: Track and analyze attacks, such as ransomware attacks, over longer periods.

  • Better Insights: Identify long-term trends and suspicious patterns in user behavior.

What Data Can Be Stored in a Log Analytics Workspace?

A Log Analytics workspace enables the storage and analysis of various types of log data:

  • Sign-In Logs: All user logins with detailed information.

  • Audit Logs: Records of changes to resources in Azure.

  • Activity Logs: Operations and actions in your environment.

  • Security Logs: Potential threats and vulnerabilities.

  • Custom Logs: Data from applications and services that you configure manually.

Centralizing this data in a Log Analytics workspace provides you with full control and advanced analytics capabilities.

How to Set Up Extended Storage

Step 1: Set Up an Azure Subscription

  1. Log in to the Azure Portal.

  2. Go to Subscriptions and click + Add.

  3. Select the appropriate subscription type and complete the sign-up.

Step 2: Create a Log Analytics Workspace

  1. Search for Log Analytics Workspaces in the Azure Portal.

  2. Click + Create and enter the following details:

    • Subscription and Resource Group

    • Workspace Name (e.g., EntraIDLogs)

    • Region

  3. Confirm with Create.

Note: Always follow the Cloud Adoption Framework when managing your subscriptions, including its naming conventions, so that your cloud infrastructure stays flexible and up to date.

Step 3: Send Sign-In Logs to Log Analytics

  1. Navigate to Entra ID > Monitoring > Diagnostic Settings.

  2. Add a new diagnostic setting and configure:

    • Log Categories: Select Sign-In Logs.

    • Target: Choose Log Analytics Workspace.

  3. Save your settings.

By following these steps, you can extend the retention period for your sign-in logs and take advantage of advanced analytics for enhanced security and compliance.


Workbooks: Visual Analysis Made Easy

After setup, you can use Workbooks to perform detailed, visual evaluations of the sign-in logs. The Workbook published by Christopher Brumm covers both interactive and non-interactive sign-ins. Because non-interactive sign-ins include token renewals, this gives a more complete picture when analyzing and predicting the impact of Conditional Access policies.

You can find Christopher Brumm's Workbook here: crmhh/CAWorkbooks.


Data Queries with KQL: The Language of Analysis

The Kusto Query Language (KQL) allows you to analyze the data stored in Log Analytics with precision:

  • Search: Apply complex filters and conditions.

  • Create Reports: Aggregate and visualize data.

  • Identify Patterns: Efficiently detect anomalies and trends.

KQL is essential for in-depth analyses and the creation of powerful reports.
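As an added example (not part of the original article or of the Workbook it links to), the following KQL query uses the longer history to flag successful sign-ins from a country a user has never signed in from during the preceding 90 days, something the default 30-day window cannot support. It assumes the SigninLogs table is populated by the diagnostic setting described above and that the workspace keeps at least 90 days of data.

```kql
// Added example: flag sign-ins from countries not seen for the user in the prior 90 days.
// Assumes SigninLogs is populated via Diagnostic Settings and the workspace retains >= 90 days.
let lookback = 90d;   // baseline period (requires retention beyond the 30-day default)
let recent   = 7d;    // window being checked against the baseline
// Baseline: countries each user has successfully signed in from before the recent window.
let baseline = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"                         // "0" = successful sign-in
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | summarize KnownCountries = make_set(Country) by UserPrincipalName;
// Recent successful sign-ins whose country is absent from that user's baseline.
// Inner join deliberately skips users with no baseline at all (e.g. accounts newer than 90 days).
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| join kind=inner baseline on UserPrincipalName
| where not(set_has_element(KnownCountries, Country))
| summarize FirstSeen = min(TimeGenerated),
            SignIns   = count(),
            IPs       = make_set(IPAddress, 10),
            Apps      = make_set(AppDisplayName, 10)
    by UserPrincipalName, Country
| order by FirstSeen desc
```

Hits are a starting point for review rather than confirmed incidents; travel, VPN egress and the coarse geolocation behind LocationDetails all produce legitimate new countries.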

Advantages of Integrating a Log Analytics Workspace

  • Custom Retention: Ensure compliance with tailored retention periods.

  • Advanced Search Options: Efficiently search data using KQL.

  • Optimized Costs: Pay based on usage.

  • Security Overview: Comprehensive control over your environment.

Conclusion

Integrating a Log Analytics workspace into Entra ID improves your organization’s security and compliance. With extended retention periods, Workbooks, and KQL, you gain comprehensive analysis capabilities to better secure your organization.