If you have an Azure subscription with a Log Analytics workspace already created, you can send Azure Active Directory activity log data to Azure Monitor by following these steps. Audit logs can be exported on any Azure AD tier, but exporting sign-in logs requires Azure AD Premium P1 or P2:
1. From the Azure portal (https://portal.azure.com), navigate to Azure Active Directory.
2. Under Monitoring, select Diagnostic settings and then click + Add diagnostic setting:
Figure 2.15 – Configuring Azure AD diagnostic settings
3. Under Logs, select one or more categories of logs to send to the workspace.
4. Under Destination details, check the Send to Log Analytics workspace checkbox and then select an Azure Subscription and Log Analytics workspace. Click Save when you have finished selecting these options:
Figure 2.16 – Selecting diagnostics settings for Azure Monitor
After about 15 minutes, new logging event data should begin showing up in the Log Analytics workspace.
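The same four steps can be scripted. The block below is an added example written for this page with the Az PowerShell module (Az.Accounts and Az.OperationalInsights); it is not code from the original text. Azure AD is not an ARM resource inside a subscription, so its diagnostic settings are created through the tenant-level microsoft.aadiam REST provider rather than with the generic diagnostic-setting cmdlets. The subscription ID, resource group, workspace name and setting name are placeholders you must replace, and the script assumes you have already run Connect-AzAccount with an account that holds a privileged directory role (Global or Security Administrator) and write access to the workspace.

```powershell
# Added example: create an Azure AD diagnostic setting that streams logs to a Log Analytics
# workspace, equivalent to portal steps 1-4 above. All IDs and names are placeholders.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-security-logging"                     # placeholder
$WorkspaceName  = "law-security"                            # placeholder
$SettingName    = "aad-to-law"                              # placeholder

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Step 4: the diagnostic setting points at the workspace's ARM resource ID (not its customer GUID).
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Step 3: log categories. AuditLogs needs no premium licence; SignInLogs and ProvisioningLogs
# require Azure AD Premium P1/P2. Other categories exist (e.g. NonInteractiveUserSignInLogs,
# ServicePrincipalSignInLogs, ManagedIdentitySignInLogs) and can be added to this list.
$categories = @("AuditLogs", "SignInLogs", "ProvisioningLogs")

$body = @{
    properties = @{
        workspaceId = $workspace.ResourceId
        logs        = @($categories | ForEach-Object { @{ category = $_; enabled = $true } })
    }
} | ConvertTo-Json -Depth 5

# Steps 1-2: PUT the setting under the tenant-level microsoft.aadiam provider.
$path = "/providers/microsoft.aadiam/diagnosticSettings/$SettingName?api-version=2017-04-01-preview"
$response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($response.StatusCode -ge 300) {
    throw "Creating diagnostic setting failed: HTTP $($response.StatusCode) $($response.Content)"
}

# Verify: list the tenant's diagnostic settings and show which categories ours actually enabled.
$listPath = "/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
$settings = (Invoke-AzRestMethod -Path $listPath -Method GET).Content | ConvertFrom-Json
$settings.value | Where-Object { $_.name -eq $SettingName } | ForEach-Object {
    $enabled = ($_.properties.logs | Where-Object enabled | ForEach-Object category) -join ","
    "{0}: workspace={1}; categories={2}" -f $_.name, $_.properties.workspaceId, $enabled
}
```

The verification step matters in practice: a setting that saved successfully but with a category missing (for example SignInLogs on an unlicensed tenant) produces no error in the portal, only silence in the workspace.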
Configuring and reviewing reports
With reporting data now flowing into Azure Monitor and Log Analytics, you can review auditing and logging data to gain insights into how your tenant and directory services are being used.
To review this data, you’ll need read access to the Log Analytics workspace where Azure Monitor is sending data (for example, the Log Analytics Reader role on the workspace), as well as one of the following Azure AD roles:
- Global Administrator
- Reports Reader
- Security Administrator
- Security Reader
With that, let’s start looking at logs!
Azure AD logs and reports
Azure AD provides several default reports that can be used to identify issues quickly. The core reports are the Audit, Sign-in, and Provisioning logs.
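Once the data is in the workspace, the three core logs land in the SigninLogs, AuditLogs and AADProvisioningLogs tables, and reviewing them is a matter of running KQL against the workspace. The block below is an added example written for this page, not code from the original text, using the Az.OperationalInsights module; it runs one query per log type. The workspace ID is a placeholder (the workspace's customer ID GUID, not its ARM resource ID), and the column names used in the queries are the ones these tables expose in Log Analytics at the time of writing.

```powershell
# Added example: review the Audit, Sign-in and Provisioning logs from a Log Analytics workspace.
# $WorkspaceId is the workspace customer ID (GUID) and is a placeholder here.
$WorkspaceId = "00000000-0000-0000-0000-000000000000"

$queries = [ordered]@{
    # Sign-in log: failed sign-ins grouped by error code, most frequent first.
    # ResultType is a string column; "0" means success.
    FailedSignIns = @'
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| summarize Failures = count(), Users = dcount(UserPrincipalName) by ResultType, ResultDescription
| order by Failures desc
'@
    # Audit log: who changed directory roles or group membership in the last day.
    RoleAndGroupChanges = @'
AuditLogs
| where TimeGenerated > ago(1d)
| where Category in ("RoleManagement", "GroupManagement")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend Target = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Result, Actor, Target
| order by TimeGenerated desc
'@
    # Provisioning log: automatic user provisioning failures per application.
    ProvisioningFailures = @'
AADProvisioningLogs
| where TimeGenerated > ago(1d)
| where ResultType == "Failure"
| summarize Failures = count() by App = tostring(ServicePrincipal.Name), ResultDescription
| order by Failures desc
'@
}

foreach ($name in $queries.Keys) {
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
        -Query $queries[$name] -Timespan (New-TimeSpan -Days 1)
    "=== {0} ({1} rows)" -f $name, @($result.Results).Count
    $result.Results | Format-Table -AutoSize
}
```

Each query is ordinary KQL, so the same text can be pasted into the workspace's Logs blade, saved as a function, or turned into an Azure Monitor alert rule once you have settled on thresholds.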
Note that the retention figures below apply to the Microsoft 365 unified audit log (Microsoft Purview), not to the Azure AD portal, which keeps audit and sign-in logs for only 7 days on the Free tier and 30 days on Premium P1/P2; longer Azure AD retention comes from the Log Analytics export configured above. Unified audit log data can be held for up to 10 years, depending on the license:
- Office 365 E1 or E3; Microsoft 365 F1 or E3: 90 days
- Office 365 E5; Microsoft 365 E5 (includes Audit (Premium)): 1 year
- Audit (Premium) with the 10-Year Audit Log Retention add-on: 10 years
Advanced licensing
For more information on the variety of SKU mixes for audit retention, see https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-solutions-overview?source=recommendations&view=o365-worldwide.
Accessing the audit log data does not require specific licensing, though you will only see audit events for products that you have currently licensed.