Entra ID: How to Retain Sign in logs in Entra beyond 30 days
Microsoft Entra
12. Feb 2025 02:36

by HubSite 365 about Nick Ross [MVP] (T-Minus365)

Microsoft Entra, Log Analytics, M365 Security Assessments, KQL Queries

Key insights

  • Default Retention: Microsoft Entra ID retains sign-in logs for 30 days by default. To extend this period, integrate with Azure services like Azure Monitor and Log Analytics Workspace.

  • Options for Extending Retention:
    • Azure Monitor: Configure Entra ID to send logs to an Azure Log Analytics workspace for advanced querying with Kusto Query Language (KQL) and alerts setup.
    • Azure Storage Account: Route logs for long-term archival; however, data is stored in JSON format and requires additional tools for analysis.
    • SIEM Integration: Use Azure Event Hubs to stream logs to third-party SIEM tools for real-time monitoring and threat detection.

  • Steps to Configure Retention: Create a Log Analytics Workspace in the Azure portal, configure diagnostic settings in Entra ID, and set retention policies up to 730 days.

  • Importance of Extended Retention: Longer retention is crucial for investigating delayed or slow-burning attacks, ensuring compliance, and gaining holistic visibility into user activities.

  • KQL Queries for Advanced Analysis: Use Kusto Query Language (KQL) in Log Analytics Workspace to perform detailed searches beyond the default retention period, helping create custom alerts and refine security insights.

  • Monitoring Costs: Utilize pay-as-you-go pricing models with the Azure Pricing Calculator to estimate costs based on log ingestion rates. Consider Microsoft Sentinel for robust SIEM capabilities if needed.

Introduction to Extended Log Retention in Entra

In the ever-evolving landscape of cybersecurity, retaining audit and sign-in logs for extended periods is crucial. Nick Ross, a Microsoft MVP, has released a YouTube video explaining how to retain sign-in logs in Microsoft Entra beyond the default 30 days. This video is particularly useful for Managed Service Providers (MSPs) and organizations that need to meet compliance requirements and ensure a comprehensive security posture.

Understanding Default Entra Log Retention

By default, Microsoft Entra ID retains sign-in logs for a limited period. For Entra ID Free, logs are kept for only 7 days, while Entra P1/P2 plans extend this to 30 days. Security Signals (P2) keeps risky sign-in activity for an additional 60 days. These durations are often too short for a thorough security investigation, especially against advanced persistent threats or when a compromise is reported long after it occurred.

Why Longer Log Retention Matters

Extended log retention is essential for several reasons:
  • Delayed or Slow-Burning Attacks: Advanced persistent threats can remain dormant for months before activating.
  • Reactive Investigations: Security flaws might be discovered long after the actual compromise date, necessitating longer log retention for a thorough review.
  • Holistic Visibility: Longer retention provides a comprehensive view of user activities, sign-in patterns, and security policy changes.
  • Compliance: Certain industries require data retention beyond the default periods to meet regulatory standards.

Options for Extending Sign-In Log Retention

Nick Ross outlines several methods to extend log retention in Entra:
  • Azure Monitor with Log Analytics Workspace: Configure Entra ID to send logs to an Azure Log Analytics workspace. This allows advanced querying using Kusto Query Language (KQL), visualization creation, and alert setup. Data can be retained for up to 730 days.
  • Azure Storage Account: Route logs to an Azure Storage account for long-term archival. This cost-effective solution is ideal for compliance but requires additional steps for data analysis.
  • Integration with SIEM Tools via Azure Event Hubs: Stream logs to Azure Event Hubs, which can forward data to third-party Security Information and Event Management (SIEM) tools, facilitating real-time monitoring and threat detection.

Steps to Configure Log Retention Using Azure Monitor

Nick Ross provides a step-by-step guide to configuring log retention:
  • Create a Log Analytics Workspace: In the Azure portal, create a new workspace under "Log Analytics Workspaces."
  • Configure Diagnostic Settings in Entra ID: Navigate to the Microsoft Entra admin center, go to Identity > Monitoring & health > Diagnostic settings, and add a new diagnostic setting. Select "SignInLogs" as the log category and direct the logs to the Log Analytics workspace.
  • Set Retention Policies: Within the Log Analytics workspace, adjust data retention settings to specify how long logs should be retained, up to 730 days.
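The three portal steps above, scripted with Az PowerShell as an added example (not code from the video or the article). It assumes Az.Accounts, Az.Resources and Az.OperationalInsights are installed and Connect-AzAccount has run; the resource group, workspace name, location and setting name are placeholders.

```powershell
# Added example: workspace with 730-day retention plus an Entra ID diagnostic
# setting that routes SignInLogs and AuditLogs into it. All names are placeholders.
$rg       = "rg-entra-logs"        # placeholder
$wsName   = "law-entra-signin"     # placeholder
$location = "eastus"               # placeholder

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Steps 1 and 3: create the workspace and raise retention to the 730-day maximum.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
        -Location $location -Sku PerGB2018 -RetentionInDays 730

# Step 2: Entra ID is tenant-level, so its diagnostic settings live under
# /providers/microsoft.aadiam rather than under a subscription resource.
$settingName = "entra-to-law"      # placeholder
$body = @{
    properties = @{
        workspaceId = $ws.ResourceId
        logs = @(
            @{ category = "SignInLogs"; enabled = $true }
            @{ category = "AuditLogs";  enabled = $true }
        )
    }
} | ConvertTo-Json -Depth 5

$path = "/providers/microsoft.aadiam/diagnosticSettings/$settingName?api-version=2017-04-01-preview"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Diagnostic setting failed: $($resp.StatusCode) $($resp.Content)"
}

# Verify what was actually applied: retention in days and the enabled categories.
(Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName).RetentionInDays
(Invoke-AzRestMethod -Method GET -Path $path).Content |
    ConvertFrom-Json |
    Select-Object -ExpandProperty properties |
    Select-Object -ExpandProperty logs |
    Where-Object enabled
```

Logs only start accumulating from the moment the setting is created, so the extended window fills up gradually; events older than the setting are not backfilled.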

Monitoring and Estimating Costs

Cost management is a critical aspect of log retention. Pay-as-you-go pricing charges primarily for data ingestion, plus a retention charge for data kept beyond 31 days. For small or midsize businesses, costs may be minimal. To manage expenses:
  • Review the Usage and estimated costs page in your Log Analytics Workspace to monitor data ingestion rates.
  • Use the Azure Pricing Calculator to estimate monthly costs based on anticipated log ingestion and retention settings.
  • Set up Azure cost alerts to get notified of unexpected usage spikes.

Pro Tips: Querying Logs with KQL

Once logs are flowing into Log Analytics, Kusto Query Language (KQL) can be used for advanced searches. For instance:
  • Filter by user, device, IP address, or activity type.
  • Extend queries beyond the default 30 days to the full retention period configured.
  • Create custom alerts for critical actions, such as modifications to conditional access policies or mass account lockouts.
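The three searches listed above, run from a script against the workspace as an added example (not the article's or the video's own queries). It assumes Az.OperationalInsights is installed, Connect-AzAccount has run, and $workspaceId holds the workspace's CustomerId GUID; the user name and the lockout threshold are placeholders.

```powershell
# Added example: KQL over the full retention window instead of the 30-day portal view.
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder CustomerId GUID
$lookback    = New-TimeSpan -Days 180                    # well past the 30-day default

function Invoke-EntraQuery([string]$Query) {
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $Query `
        -Timespan $lookback).Results
}

# 1. Failed sign-ins for one account, with device, IP and location, across 180 days.
#    ResultType "0" is success; anything else is an Entra error code.
$failedSignIns = @'
SigninLogs
| where ResultType != "0"
| where UserPrincipalName =~ "user@contoso.example"      // placeholder
| project TimeGenerated, IPAddress, AppDisplayName, ResultType, ResultDescription,
          Device   = tostring(DeviceDetail.operatingSystem),
          Location = tostring(LocationDetails.countryOrRegion)
| order by TimeGenerated desc
'@

# 2. Conditional Access policy modifications from AuditLogs: a candidate alert rule.
$caChanges = @'
AuditLogs
| where Category == "Policy" and OperationName contains "conditional access policy"
| project TimeGenerated, OperationName, Result,
          Actor  = tostring(InitiatedBy.user.userPrincipalName),
          Policy = tostring(TargetResources[0].displayName)
| order by TimeGenerated desc
'@

# 3. Mass lockout signal: many distinct accounts locked out within the same hour.
#    50053 is the Entra error code for a locked account.
$massLockout = @'
SigninLogs
| where ResultType == "50053"
| summarize LockedAccounts = dcount(UserPrincipalName),
            Sources        = dcount(IPAddress) by bin(TimeGenerated, 1h)
| where LockedAccounts >= 10     // placeholder threshold; tune to the tenant
| order by TimeGenerated desc
'@

Invoke-EntraQuery $failedSignIns | Format-Table -AutoSize
Invoke-EntraQuery $caChanges     | Format-Table -AutoSize
Invoke-EntraQuery $massLockout   | Format-Table -AutoSize
```

Queries 2 and 3 can be pasted unchanged into a Log Analytics alert rule, which is how the "custom alerts" in the tip above are built.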

Final Thoughts

Short retention periods can leave organizations vulnerable to security incidents. By exporting Entra audit and sign-in logs to a Log Analytics Workspace, retention can be extended up to two years. This extension aids in investigating incidents, meeting compliance needs, and gaining deeper visibility into the environment. Organizations using third-party SIEM tools can still benefit from Microsoft's integrated solution, offering a cost-effective path to longer data retention and robust log analysis.

Microsoft Entra - Entra Secrets: Mastering Long-Term Sign-In Log Retention Beyond 30 Days!
