# Azure AD Logs shall be collected

## Description

Azure AD logs should be collected and periodically reviewed to detect anomalies. Log data should be centralized in a SIEM tool, such as Microsoft Sentinel, so that it can be audited and queried. Audit logs should be retained in a storage account for a minimum of 90 days.

Log events that can be collected are as follows: AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, and ServicePrincipalRiskEvents.

## Policy

* Azure AD log data is sent to a SIEM and/or external storage.
* Log data is periodically reviewed.
* Log data is sent to an internal or external SOC for monitoring.

## Licensing Considerations

To retain Azure AD log data for more than 7 days, an Azure AD P1 license is required. This license retains data for 30 days and is available to purchase standalone or as part of the following bundles:

* Microsoft 365 Business Premium
* EMS+ E3 or EMS + E5
* Microsoft 365 E3
* Microsoft 365 E5

## Set Up Instructions

Analyzing sign-ins: [Analyze sign-ins with the Azure AD sign-ins log - Microsoft Entra | Microsoft Learn](https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-analyze-sign-in)

Route logs to a storage account: [Tutorial - Archive directory logs to a storage account - Microsoft Entra | Microsoft Learn](https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account)

Everything you want to know about security and audit logging in Office 365: [Everything you wanted to know about Security and Audit Logging in Office 365 | The Cloud Technologist](https://thecloudtechnologist.com/2021/10/15/everything-you-wanted-to-know-about-security-and-audit-logging-in-office-365/)

Sign In logs in Azure AD: [Sign-in logs (preview) in Azure Active Directory - Microsoft Entra | Microsoft Learn](https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins)

Connect AD data to Microsoft Sentinel: [Connect Azure Active Directory data to Microsoft Sentinel | Microsoft Learn](https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory)
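The routing described above can be done in one step with a tenant-level diagnostic setting. The following is an added example (not code from this page or from Microsoft's documentation) that forwards every log category listed in the Description to a storage account with 90-day retention and to the Log Analytics workspace behind Microsoft Sentinel, then reads the setting back to confirm it meets the policy. It assumes the Az.Accounts module, an account with rights to manage Azure AD diagnostic settings, and placeholder resource IDs (`<sub-id>`, `<rg>`, `<storage>`, `<sentinel-ws>`) that you replace with your own.

```powershell
# Added example (not from the original page): create an Azure AD diagnostic setting
# that forwards every log category named in the Description to a storage account
# (90-day retention) and to the Log Analytics workspace used by Microsoft Sentinel.
# Requires the Az.Accounts module. All resource IDs below are placeholders.
Connect-AzAccount | Out-Null

$settingName      = 'aad-logs-to-siem'   # assumed name for the diagnostic setting
$storageAccountId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage>'
$workspaceId      = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<sentinel-ws>'
$retentionDays    = 90                   # minimum retention required by this policy

# The log categories listed in the Description section of this page.
$categories = @(
    'AuditLogs', 'SignInLogs', 'RiskyUsers', 'UserRiskEvents',
    'NonInteractiveUserSignInLogs', 'ServicePrincipalSignInLogs',
    'ADFSSignInLogs', 'RiskyServicePrincipals', 'ServicePrincipalRiskEvents'
)

# One enabled entry per category; retentionPolicy applies to the storage destination.
$logs = foreach ($c in $categories) {
    @{
        category        = $c
        enabled         = $true
        retentionPolicy = @{ enabled = $true; days = $retentionDays }
    }
}

$body = @{
    properties = @{
        storageAccountId = $storageAccountId
        workspaceId      = $workspaceId
        logs             = $logs
    }
} | ConvertTo-Json -Depth 6

# Azure AD diagnostic settings live under the tenant-level microsoft.aadiam provider,
# not under a subscription resource, so the ARM REST path is called directly.
$path = "/providers/microsoft.aadiam/diagnosticSettings/$settingName?api-version=2017-04-01-preview"
$resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Diagnostic setting creation failed: $($resp.StatusCode) $($resp.Content)"
}

# Read the setting back and flag any category that is disabled or retained for < 90 days.
$current = (Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json
$gaps = $current.properties.logs | Where-Object {
    -not $_.enabled -or $_.retentionPolicy.days -lt $retentionDays
}
if ($gaps) { Write-Warning "Categories not meeting policy: $($gaps.category -join ', ')" }
else       { Write-Host "All $($categories.Count) categories enabled with $retentionDays-day retention." }
```

The read-back check at the end is the part worth keeping as a scheduled control, since a setting that is later edited to drop a category or shorten retention silently breaks the 90-day requirement.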

## End-User Impact

{% hint style="info" %}
Level: <mark style="color:green;">None</mark>
{% endhint %}

Collecting and reviewing Azure AD logs has no end-user impact.

{% hint style="info" %}
Tips

None Currently
{% endhint %}

## PowerShell Scripts

[Documenting with PowerShell: Downloading and storing the Office 365 Audit logs (With search!) (cyberdrain.com)](https://www.cyberdrain.com/documenting-with-powershell-downloading-and-storing-the-office-365-audit-logs-with-search/)

[Automating with PowerShell: Storing Office 365 audit logs longer than 90 days (cyberdrain.com)](https://www.cyberdrain.com/automating-with-powershell-storing-office-365-audit-logs-longer-than-90-days/)

[Monitoring with PowerShell: Monitoring failed logins for Office365 (cyberdrain.com)](https://www.cyberdrain.com/monitoring-with-powershell-monitoring-failed-logins-for-office365/)

[Azure AD PowerShell cmdlets for reporting - Microsoft Entra | Microsoft Learn](https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-powershell-reporting)

## Videos

{% embed url="<https://www.youtube.com/watch?v=EhpofSxOdV8>" %}

