Azure AD Logs shall be collected

Description

Azure AD logs should be collected and periodically reviewed to detect anomalies. Log data should be centralized in a SIEM tool, such as Microsoft Sentinel, so that it can be audited and queried. Audit logs should also be archived to a storage account and retained for a minimum of 90 days, since the tenant itself keeps them for at most 30 days (see Licensing Considerations below).

Log categories that can be exported through Azure AD diagnostic settings include: AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyUsers, UserRiskEvents, RiskyServicePrincipals, and ServicePrincipalRiskEvents. ManagedIdentitySignInLogs and ProvisioningLogs are available in the same setting and are worth enabling as well.

Policy

  • Azure AD log data is sent to a SIEM and/or external storage.

  • Log data is periodically reviewed.

  • Log data is sent to an internal or external SOC for monitoring.

Licensing Considerations

Without a premium license the tenant retains audit and sign-in logs for only 7 days. An Azure AD P1 license extends native retention to 30 days and is also required to export sign-in logs through diagnostic settings to a storage account or SIEM (audit logs can be exported without it). The 90-day minimum above is therefore met by exporting the logs, not by the license alone. P1 is available to purchase standalone or as part of the following bundles:

  • Microsoft 365 Business Premium

  • EMS E3 or EMS E5

  • Microsoft 365 E3

  • Microsoft 365 E5

Set Up Instructions

Analyzing sign-ins: Analyze sign-ins with the Azure AD sign-ins log - Microsoft Entra | Microsoft Learn

Route logs to a storage account: Tutorial - Archive directory logs to a storage account - Microsoft Entra | Microsoft Learn

Office 365 security and audit logging: Everything you wanted to know about Security and Audit Logging in Office 365 | The Cloud Technologist

Sign-in logs in Azure AD: Sign-in logs (preview) in Azure Active Directory - Microsoft Entra | Microsoft Learn

Connect Azure AD data to Microsoft Sentinel: Connect Azure Active Directory data to Microsoft Sentinel | Microsoft Learn
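
The set-up steps above (route the listed categories to a storage account and to the Log Analytics workspace Microsoft Sentinel uses, then enforce retention) as one PowerShell script. This is an added example, not code from the original page or from Microsoft's tutorials. It assumes the Az.Accounts and Az.Storage modules, a signed-in account that holds Global Administrator or Security Administrator plus write access to the destinations, and placeholder subscription, resource group, storage account and workspace names that you must replace. Azure AD diagnostic settings live at tenant scope under the microsoft.aadiam provider, so they are written with the ARM REST API (Invoke-AzRestMethod) rather than the resource-scoped Az.Monitor cmdlets. The retention-days field of diagnostic settings is deprecated, so the 90-day floor is enforced with a storage lifecycle rule that deletes archived blobs only after 365 days.

```powershell
# Added example (not from the original page): route Azure AD logs to a storage
# account and a Log Analytics workspace, then enforce an archive retention floor.
# Requires: Az.Accounts, Az.Storage. All resource names below are placeholders.
#Requires -Modules Az.Accounts, Az.Storage

param(
    [string]$SettingName    = 'aad-logs-to-siem',
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ResourceGroup  = 'rg-security-logs',                       # placeholder
    [string]$StorageAccount = 'stsecuritylogs',                         # placeholder
    [string]$Workspace      = 'law-sentinel',                           # placeholder
    [int]$DeleteAfterDays   = 365                                       # must stay >= 90
)

Connect-AzAccount -ErrorAction Stop | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId -ErrorAction Stop | Out-Null

$rgPath      = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers"
$storageId   = "$rgPath/Microsoft.Storage/storageAccounts/$StorageAccount"
$workspaceId = "$rgPath/Microsoft.OperationalInsights/workspaces/$Workspace"

# Categories named in the description above; every one is enabled.
$categories = @(
    'AuditLogs', 'SignInLogs', 'NonInteractiveUserSignInLogs',
    'ServicePrincipalSignInLogs', 'ADFSSignInLogs',
    'RiskyUsers', 'UserRiskEvents',
    'RiskyServicePrincipals', 'ServicePrincipalRiskEvents'
)
$logs = foreach ($c in $categories) { @{ category = $c; enabled = $true } }

$body = @{
    properties = @{
        storageAccountId = $storageId
        workspaceId      = $workspaceId
        logs             = @($logs)
    }
} | ConvertTo-Json -Depth 6

# Tenant-scope diagnostic setting: written through the ARM REST API.
$path = "/providers/microsoft.aadiam/diagnosticSettings/$SettingName?api-version=2017-04-01-preview"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Diagnostic setting write failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# Verify by reading the setting back and comparing the enabled categories.
$check   = Invoke-AzRestMethod -Method GET -Path $path
$enabled = ($check.Content | ConvertFrom-Json).properties.logs |
    Where-Object { $_.enabled } | Select-Object -ExpandProperty category
$missing = $categories | Where-Object { $_ -notin $enabled }
if ($missing) { Write-Warning "Not enabled: $($missing -join ', ')" }
else { Write-Host "All $($categories.Count) categories routed to $StorageAccount and $Workspace" }

# Retention floor on the archive. Diagnostic-setting retention days are deprecated,
# so a lifecycle rule on the storage account is used instead. Exported logs land in
# containers named insights-logs-<category>, hence the prefix filter.
if ($DeleteAfterDays -lt 90) { throw 'Policy requires at least 90 days of retention' }
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction Delete `
              -DaysAfterModificationGreaterThan $DeleteAfterDays
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'insights-logs-' -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name 'aad-log-retention' -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount -Rule $rule | Out-Null
Write-Host "Lifecycle rule set: archived Azure AD logs deleted after $DeleteAfterDays days"
```

Set-AzStorageAccountManagementPolicy replaces the whole lifecycle policy on the account, so if the storage account already carries other rules, read the existing policy first and append the new rule to it. Sign-in log categories will only be accepted on tenants that hold the P1 license described above; the verification step will surface them as "Not enabled" otherwise.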

End-User Impact

Level: None

Collecting and reviewing Azure AD logs has no end-user impact.

Tips

None Currently

PowerShell Scripts

Documenting with PowerShell: Downloading and storing the Office 365 Audit logs (With search!) (cyberdrain.com)

Automating with PowerShell: Storing Office 365 audit logs longer than 90 days (cyberdrain.com)

Monitoring with PowerShell: Monitoring failed logins for Office365 (cyberdrain.com)

Azure AD PowerShell cmdlets for reporting - Microsoft Entra | Microsoft Learn
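
The "periodically reviewed" and failed-login monitoring points above, as an added example that is not part of the original page or of the linked cyberdrain scripts: it pulls recent sign-ins from the Microsoft Graph sign-in log and flags source IPs that failed against several distinct accounts, a simple password-spray heuristic. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules, a consented AuditLog.Read.All scope, and the P1 license noted above (required for the Graph sign-in report). The threshold and the sample records are assumptions; the -UseSample switch runs the heuristic offline over constructed data so the logic can be checked before it is pointed at a tenant.

```powershell
# Added example (not from the original page): password-spray heuristic over the
# Azure AD sign-in log. Requires Microsoft.Graph.Authentication and Microsoft.Graph.Reports.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports

param(
    [int]$HoursBack   = 24,
    [int]$MinAccounts = 5,      # distinct accounts one IP must fail against (assumed threshold)
    [switch]$UseSample          # use constructed sample records instead of calling Graph
)

# Group failed sign-ins by source IP and report IPs that hit many distinct accounts.
function Find-SprayCandidate {
    param([Parameter(Mandatory)][object[]]$SignIns, [int]$MinAccounts = 5)
    $SignIns |
        Where-Object { $_.Status.ErrorCode -ne 0 } |      # errorCode 0 is a successful sign-in
        Group-Object IPAddress |
        ForEach-Object {
            $accounts = @($_.Group.UserPrincipalName | Sort-Object -Unique)
            $topError = $_.Group.Status.ErrorCode | Group-Object |
                        Sort-Object Count -Descending | Select-Object -First 1
            [pscustomobject]@{
                IPAddress        = $_.Name
                FailedAttempts   = $_.Count
                DistinctAccounts = $accounts.Count
                TopErrorCode     = $topError.Name           # e.g. 50126 = invalid username or password
                SampleAccounts   = ($accounts | Select-Object -First 5) -join ', '
            }
        } |
        Where-Object { $_.DistinctAccounts -ge $MinAccounts } |
        Sort-Object DistinctAccounts -Descending
}

if ($UseSample) {
    # Constructed records shaped like Get-MgAuditLogSignIn output: one spraying IP
    # (six accounts, all failing with 50126) and one benign successful sign-in.
    $signIns = @(
        foreach ($n in 1..6) {
            [pscustomobject]@{
                UserPrincipalName = "user$n@contoso.example"; IPAddress = '203.0.113.10'
                Status            = [pscustomobject]@{ ErrorCode = 50126 }
            }
        }
        [pscustomobject]@{
            UserPrincipalName = 'alice@contoso.example'; IPAddress = '198.51.100.7'
            Status            = [pscustomobject]@{ ErrorCode = 0 }
        }
    )
} else {
    Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
    $since   = (Get-Date).ToUniversalTime().AddHours(-$HoursBack).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # The signIns endpoint returns interactive user sign-ins by default.
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
}

Find-SprayCandidate -SignIns $signIns -MinAccounts $MinAccounts | Format-Table -AutoSize
```

Run with -UseSample to see the 203.0.113.10 row reported (6 attempts, 6 distinct accounts, top error 50126) while the successful sign-in is ignored. Against a live tenant, the same heuristic belongs in Sentinel as a scheduled analytics rule once the SignInLogs table is flowing; the script is useful for spot checks and for tenants where the SIEM connector is not yet in place.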

Videos
