LOG-02: Export Logs to Long-Term Storage
Overview
This guide walks you through exporting Microsoft Entra ID sign-in logs and audit logs to external systems for long-term retention, advanced analysis, and SIEM integration. By streaming logs to Azure Log Analytics or third-party SIEMs, you enable real-time security monitoring and correlation with other security data.
Control ID: LOG-02 Category: Logging Severity: Info License Required: Microsoft Entra ID P1/P2 (for diagnostic settings export)
Why This Matters
Exporting sign-in logs to external systems provides:
- Extended retention - Keep logs beyond Microsoft 365's native limits
- Advanced analytics - Use Kusto queries, machine learning, and custom dashboards
- SIEM integration - Correlate identity events with network, endpoint, and application logs
- Compliance - Meet regulatory requirements for log storage and accessibility
- Real-time alerting - Create custom alerts based on sign-in patterns
Prerequisites
Required Roles
You need the following roles:
- Security Administrator or Global Administrator (for Entra ID diagnostic settings)
- Contributor on the Azure subscription (for Log Analytics workspace)
- Log Analytics Contributor (for workspace configuration)
Required Licenses
| Feature | License Required |
|---|---|
| Sign-in log export | Microsoft Entra ID P1 or P2 |
| Audit log export | Microsoft Entra ID P1 or P2 |
| Risky sign-ins export | Microsoft Entra ID P2 |
| Identity Protection logs | Microsoft Entra ID P2 |
Azure Resources Required
- Azure subscription
- Log Analytics workspace (or Event Hub for SIEM streaming)
- Storage account (optional, for archival)
Time Estimate
| Task | Duration |
|---|---|
| Create Log Analytics workspace | 10 minutes |
| Configure diagnostic settings | 15 minutes |
| Verify log flow | 30 minutes (wait for data) |
| Create basic queries/alerts | 30 minutes |
| Total | 1.5-2 hours |
Step-by-Step Instructions
Step 1: Create a Log Analytics Workspace
If you don't have an existing workspace:
- Sign in to the Azure portal
- Search for Log Analytics workspaces
- Click + Create
- Configure the workspace:
  - Subscription: Select your subscription
  - Resource group: Create new or select existing
  - Name: `law-security-logs` (or your naming convention)
  - Region: Select the region closest to your users
- Click Review + create > Create
Configure Workspace Retention
- Once created, open the workspace
- Navigate to Settings > Usage and estimated costs
- Click Data retention
- Set retention to your required period (90 days to 730 days)
- Click OK
Step 2: Configure Entra ID Diagnostic Settings
- Navigate to Microsoft Entra admin center
- Go to Identity > Monitoring & health > Diagnostic settings
- Click + Add diagnostic setting
Configure Log Categories
- Diagnostic setting name: `EntraID-to-LogAnalytics`
- Under Logs, select the following categories:
| Category | Description | Recommended |
|---|---|---|
| AuditLogs | Administrative and configuration changes | Yes |
| SignInLogs | Interactive user sign-ins | Yes |
| NonInteractiveUserSignInLogs | App and service sign-ins | Yes |
| ServicePrincipalSignInLogs | Application authentication | Yes |
| ManagedIdentitySignInLogs | Managed identity authentication | Yes |
| ProvisioningLogs | User provisioning events | Optional |
| ADFSSignInLogs | Federated sign-ins (if using ADFS) | If applicable |
| RiskyUsers | Users flagged as risky | Yes (P2) |
| UserRiskEvents | Risk detection events | Yes (P2) |
| RiskyServicePrincipals | Risky app identities | Yes (P2) |
| ServicePrincipalRiskEvents | App risk events | Yes (P2) |
Configure Destination
- Under Destination details, check Send to Log Analytics workspace
- Select your subscription and workspace
- Click Save
Step 3: Alternative - Stream to Event Hub (for SIEM)
If using a third-party SIEM (Splunk, Sentinel, etc.):
- Navigate to Diagnostic settings as above
- Click + Add diagnostic setting
- Select your log categories
- Check Stream to an event hub
- Configure Event Hub:
  - Subscription: Your subscription
  - Event hub namespace: Create or select existing
  - Event hub name: `entra-logs` (or leave blank for auto-create)
  - Event hub policy name: `RootManageSharedAccessKey` (the namespace default; diagnostic settings only need a policy with Send rights, so a dedicated send-only policy is the least-privilege choice)
- Click Save
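Steps 2 and 3 configure the same diagnostic setting through the portal. The following script, added here as an example and not code from the guide or from Microsoft, builds the equivalent ARM request body from the category table above and emits the `az rest` call that would apply it, so the export can be reviewed and version-controlled as code. It assumes the tenant-level resource path `/providers/microsoft.aadiam/diagnosticSettings/{name}` with api-version `2017-04-01-preview` (the API behind the Entra diagnostic settings blade) and the property names of the Microsoft.Insights diagnostic-settings schema (`workspaceId`, `eventHubAuthorizationRuleId`, `eventHubName`); verify both against current Azure documentation before running the emitted command. The resource IDs in the `__main__` block are placeholders.

```python
"""Build the Entra ID diagnostic-settings payload as code (added example).

Assumptions: resource path /providers/microsoft.aadiam/diagnosticSettings/{name},
api-version 2017-04-01-preview, and the Microsoft.Insights diagnostic-settings
property names. Check against current Azure docs before use.
"""
import json
from typing import Dict, List, Optional

# Categories from the guide's table, grouped by the license that unlocks them.
P1_CATEGORIES = [
    "AuditLogs",
    "SignInLogs",
    "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs",
    "ManagedIdentitySignInLogs",
]
OPTIONAL_CATEGORIES = ["ProvisioningLogs", "ADFSSignInLogs"]
P2_CATEGORIES = [
    "RiskyUsers",
    "UserRiskEvents",
    "RiskyServicePrincipals",
    "ServicePrincipalRiskEvents",
]
API_VERSION = "2017-04-01-preview"  # assumption, see module docstring


def select_categories(has_p2: bool, optional: Optional[List[str]] = None) -> List[str]:
    """All P1 categories, any requested optional ones, and the P2 set if licensed."""
    chosen = list(P1_CATEGORIES)
    for cat in optional or []:
        if cat not in OPTIONAL_CATEGORIES:
            raise ValueError(f"not an optional category: {cat}")
        chosen.append(cat)
    if has_p2:
        chosen.extend(P2_CATEGORIES)
    return chosen


def diagnostic_setting_body(categories: List[str], workspace_id: Optional[str] = None,
                            event_hub_rule_id: Optional[str] = None,
                            event_hub_name: Optional[str] = None) -> Dict:
    """Request body with every chosen category enabled and at least one destination."""
    if not (workspace_id or event_hub_rule_id):
        raise ValueError("at least one destination (workspace or event hub) is required")
    props: Dict = {
        "logs": [
            {"category": c, "enabled": True, "retentionPolicy": {"enabled": False, "days": 0}}
            for c in categories
        ]
    }
    if workspace_id:
        props["workspaceId"] = workspace_id  # Step 2: Send to Log Analytics workspace
    if event_hub_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_rule_id  # Step 3: Stream to event hub
        if event_hub_name:
            props["eventHubName"] = event_hub_name
    return {"properties": props}


def az_rest_command(setting_name: str, body: Dict) -> str:
    """The az rest invocation that would PUT the setting (returned as text, not executed)."""
    url = (f"https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/"
           f"{setting_name}?api-version={API_VERSION}")
    return f"az rest --method put --url '{url}' --body '{json.dumps(body)}'"


if __name__ == "__main__":
    # Placeholder resource ID; replace with the workspace created in Step 1.
    law = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
           "Microsoft.OperationalInsights/workspaces/law-security-logs")
    body = diagnostic_setting_body(select_categories(has_p2=True), workspace_id=law)
    print(az_rest_command("EntraID-to-LogAnalytics", body))
```

Run it once with `has_p2=False` for a P1-only tenant: the P2 risk categories are omitted rather than enabled and silently empty, which is also the first thing to check under "Missing Log Categories" in the troubleshooting section.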
Configure SIEM Connection
For Splunk:
- Install the Splunk Add-on for Microsoft Cloud Services
- Configure an Azure Event Hub input with the namespace connection string
For Microsoft Sentinel:
- Sentinel automatically ingests from Log Analytics
- Enable the Microsoft Entra ID data connector
Step 4: Verify Log Flow
Wait 15-30 minutes, then verify logs are flowing:
- Navigate to your Log Analytics workspace
- Go to Logs
- Run the following query:

```kusto
// Check for sign-in logs
SigninLogs
| take 10
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResultType, IPAddress
```
- Run additional verification queries:

```kusto
// Check for audit logs
AuditLogs
| take 10
| project TimeGenerated, OperationName, Result, InitiatedBy
```

```kusto
// Check for risky users (P2 only)
AADRiskyUsers
| take 10
```
Step 5: Create Essential Queries
Save these queries for ongoing monitoring:
Failed Sign-In Attempts (Last 24 Hours)
```kusto
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != 0
| summarize FailureCount = count() by UserPrincipalName, ResultDescription, IPAddress
| order by FailureCount desc
| take 50
```
Sign-Ins from New Countries
```kusto
// Users seen signing in from more than one country in the last 7 days;
// compare the set against each user's known locations to spot a new one
SigninLogs
| where TimeGenerated > ago(7d)
| summarize Countries = make_set(Location) by UserPrincipalName
| where array_length(Countries) > 1
```
High-Risk Sign-Ins
```kusto
SigninLogs
| where RiskLevelDuringSignIn in ("high", "medium")
| project TimeGenerated, UserPrincipalName, RiskLevelDuringSignIn, IPAddress, Location
| order by TimeGenerated desc
```
Privileged Role Activations
```kusto
AuditLogs
| where OperationName has "Add member to role"
// The role name is carried in the target user's modifiedProperties under
// "Role.DisplayName"; TargetResources[0].displayName is the user's own name.
// PIM eligible assignments log as "Add eligible member to role".
| mv-expand TargetResources
| extend User = tostring(TargetResources.userPrincipalName)
| mv-expand Prop = TargetResources.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, RoleName, User, Initiator
```
Step 6: Create Alerts
Set up alerts for critical security events:
Alert: Multiple Failed Sign-Ins
- In Log Analytics, click Alerts > + New alert rule
- Under Condition, click Add condition
- Select Custom log search
- Enter query:

```kusto
SigninLogs
| where ResultType != 0
| summarize FailureCount = count() by UserPrincipalName, bin(TimeGenerated, 1h)
| where FailureCount > 10
```

- Configure alert logic:
  - Based on: Number of results
  - Operator: Greater than
  - Threshold: 0
  - Frequency: Every 5 minutes
  - Period: Last 1 hour
- Configure action group for notifications
- Click Create
Alert: Sign-In from Unusual Location
```kusto
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where Location !in ("US", "CA", "GB") // Add your expected countries
| project TimeGenerated, UserPrincipalName, Location, IPAddress
```
Alert: Privileged Role Assignment
```kusto
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Add member to role"
// Role name lives in the target's modifiedProperties ("Role.DisplayName"),
// newValue is a JSON-encoded string, hence the trim of surrounding quotes
| mv-expand TargetResources
| mv-expand Prop = TargetResources.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName in ("Global Administrator", "Privileged Role Administrator", "Security Administrator")
| project TimeGenerated, RoleName,
          User = tostring(TargetResources.userPrincipalName),
          Initiator = tostring(InitiatedBy.user.userPrincipalName)
```
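The Step 5 queries and the three Step 6 alert conditions share the same detection logic. The script below, added here as an example and not code from the guide, models that logic in Python over constructed records shaped like SigninLogs and AuditLogs rows (one dict per row, with made-up UPNs, IPs and timestamps), so the thresholds and the role-name extraction from `modifiedProperties` can be unit-tested before they are wired to alert rules. The `contoso.example` accounts, the reference time `NOW` and the sample events are all constructed.

```python
"""Offline model of the guide's failed-sign-in, unusual-location and
privileged-role alert logic, run over constructed sample rows (added example)."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def _signin(minutes_ago, upn, result, ip, location):
    """One constructed SigninLogs-shaped row."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "UserPrincipalName": upn,
            "ResultType": result, "IPAddress": ip, "Location": location}


SIGNIN_LOGS = (
    # 12 failures for alice inside the last hour: should trip the >10 threshold
    [_signin(m, "alice@contoso.example", 50126, "203.0.113.7", "US") for m in range(1, 13)]
    # 3 failures for bob: stays below the threshold
    + [_signin(m, "bob@contoso.example", 50126, "198.51.100.9", "US") for m in (5, 10, 15)]
    # an older burst for alice, outside the 1-hour alert period
    + [_signin(300 + m, "alice@contoso.example", 50126, "203.0.113.7", "US") for m in range(15)]
    # successful sign-ins: one from a country outside the expected set
    + [_signin(20, "carol@contoso.example", 0, "192.0.2.44", "DE"),
       _signin(30, "dave@contoso.example", 0, "198.51.100.2", "US")]
)


def _role_target(upn, role_name):
    """Constructed target resource: Entra audit rows carry the role in the user
    target's modifiedProperties, with newValue as a JSON-encoded string."""
    return {"type": "User", "userPrincipalName": upn,
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": json.dumps(role_name)}]}


AUDIT_LOGS = [
    {"TimeGenerated": NOW - timedelta(minutes=10), "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [_role_target("eve@contoso.example", "Global Administrator")]},
    {"TimeGenerated": NOW - timedelta(minutes=25), "OperationName": "Add member to role",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [_role_target("frank@contoso.example", "Helpdesk Administrator")]},
]

PRIVILEGED_ROLES = ("Global Administrator", "Privileged Role Administrator", "Security Administrator")


def _in_window(ts, window, now):
    return now - window < ts <= now


def failed_signin_bursts(rows, threshold=10, window=timedelta(hours=1), now=NOW):
    """summarize count() by UserPrincipalName, bin(TimeGenerated, 1h) | where > threshold."""
    counts = Counter()
    for r in rows:
        if r["ResultType"] != 0 and _in_window(r["TimeGenerated"], window, now):
            bucket = r["TimeGenerated"].replace(minute=0, second=0, microsecond=0)
            counts[(r["UserPrincipalName"], bucket)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def unusual_location_signins(rows, expected=("US", "CA", "GB"), window=timedelta(hours=1), now=NOW):
    """Successful sign-ins in the window whose Location is not in the expected set."""
    return [r for r in rows
            if r["ResultType"] == 0 and _in_window(r["TimeGenerated"], window, now)
            and r["Location"] not in expected]


def role_name_from_target(target):
    """Extract Role.DisplayName from a target's modifiedProperties (None if absent)."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName":
            return json.loads(prop["newValue"])
    return None


def privileged_role_assignments(rows, roles=PRIVILEGED_ROLES, window=timedelta(hours=1), now=NOW):
    """'Add member to role' events in the window that grant one of the listed roles."""
    hits = []
    for r in rows:
        if r["OperationName"] != "Add member to role" or not _in_window(r["TimeGenerated"], window, now):
            continue
        for target in r["TargetResources"]:
            role = role_name_from_target(target)
            if role in roles:
                hits.append({"time": r["TimeGenerated"], "role": role,
                             "user": target.get("userPrincipalName"),
                             "by": r["InitiatedBy"]["user"]["userPrincipalName"]})
    return hits


if __name__ == "__main__":
    print(failed_signin_bursts(SIGNIN_LOGS))
    print([r["UserPrincipalName"] for r in unusual_location_signins(SIGNIN_LOGS)])
    print(privileged_role_assignments(AUDIT_LOGS))
```

One behaviour worth noticing in `failed_signin_bursts`: because the count is bucketed with `bin(TimeGenerated, 1h)` while the alert period is a sliding "Last 1 hour", a burst that straddles a clock-hour boundary is split across two bins and may fall under the threshold in both. If that matters for your tenant, count over the whole period instead of binning, or lower the threshold accordingly.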
Step 7: Export to Storage Account (Archival)
For compliance archival beyond Log Analytics retention:
- Navigate to Diagnostic settings
- Edit existing or create new setting
- Check Archive to a storage account
- Select or create a storage account
- Configure retention in days (0 = indefinite)
- Click Save
Verification Checklist
After configuring sign-in log export:
- Log Analytics workspace is created and configured
- Diagnostic settings are enabled for all required log categories
- Sign-in logs are appearing in Log Analytics (verify with query)
- Audit logs are appearing in Log Analytics
- Risky sign-in logs are flowing (if P2 licensed)
- Retention period is configured appropriately
- Essential queries are saved and working
- Critical alerts are configured and tested
- SIEM integration is verified (if applicable)
- Storage archival is configured (if required)
Troubleshooting
Issue: No Logs Appearing in Log Analytics
Cause: Diagnostic settings may not be active or there's a delay.
Solution:
- Wait at least 30 minutes after configuration
- Verify diagnostic setting shows as Enabled
- Check that the correct Log Analytics workspace is selected
- Ensure the workspace is in a supported region
- Verify you have the required licenses
Issue: Missing Log Categories
Cause: Some log categories require specific licenses.
Solution:
- RiskyUsers and UserRiskEvents require P2 licenses
- Ensure P1/P2 licenses are assigned to users
- Some categories only appear after specific activities occur
Issue: "Insufficient permissions" Error
Cause: Missing RBAC roles.
Solution:
- Verify you have Security Administrator or Global Administrator in Entra ID
- Verify you have Contributor on the Azure subscription
- If using managed identity, ensure it has Log Analytics Contributor role
Issue: High Data Ingestion Costs
Cause: Large tenant generating significant log volume.
Solution:
- Review pricing tier of Log Analytics workspace
- Consider commitment tier pricing for predictable costs
- Create data collection rules to filter unnecessary logs
- Archive older data to cheaper storage
Issue: Query Returns No Results
Cause: Table name or query syntax error.
Solution:
- Verify the table exists: run `SigninLogs | take 1`
- Check spelling of table names (case-sensitive)
- Ensure the time range includes data: use `| where TimeGenerated > ago(7d)`
- Run a simpler query first, then add filters
Cost Considerations
Azure Log Analytics Pricing
| Component | Approximate Cost |
|---|---|
| Data ingestion | ~$2.76/GB (Pay-as-you-go) |
| Data retention (first 31 days) | Free |
| Data retention (32-730 days) | ~$0.10/GB/month |
| Commitment tiers | 100GB/day: ~$2.30/GB |
Estimating Log Volume
| Tenant Size | Estimated Daily Volume |
|---|---|
| Small (< 500 users) | 1-5 GB/day |
| Medium (500-5,000 users) | 5-20 GB/day |
| Large (5,000-50,000 users) | 20-100 GB/day |
| Enterprise (50,000+ users) | 100+ GB/day |
Cost Optimization Tips
- Use commitment tiers for predictable costs at scale
- Archive to storage for logs >90 days (cheaper than Log Analytics retention)
- Filter unnecessary logs using data collection rules
- Set appropriate retention - don't retain longer than required
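To turn the two tables above into a monthly figure, the following estimator, added here as an example and not from the guide, applies the page's approximate prices (PAYG $2.76/GB, commitment tier 100 GB/day at $2.30/GB, retention free for 31 days and ~$0.10/GB/month after that) and the steady-state relation the page leaves implicit: the data sitting in paid retention is `gb_per_day * (retention_days - 31)`. Assumptions beyond the page are a 30-day month, overage above the commitment tier billed at the tier rate, and a placeholder storage price (`storage_per_gb_month`) for archived data, since the page gives no storage-account figure.

```python
"""Monthly Log Analytics cost estimate from the page's pricing tables (added example).

Assumptions: 30-day month, steady-state tenant, overage at the commitment rate,
and a placeholder storage price for archived logs (not a figure from the page).
"""

PAYG_INGEST_PER_GB = 2.76          # page: pay-as-you-go ingestion
COMMIT_TIER_GB_PER_DAY = 100       # page: commitment tier size
COMMIT_INGEST_PER_GB = 2.30        # page: commitment tier rate
FREE_RETENTION_DAYS = 31           # page: first 31 days free
RETENTION_PER_GB_MONTH = 0.10      # page: 32-730 days
DAYS_PER_MONTH = 30                # assumption


def monthly_cost(gb_per_day, retention_days, commitment=False,
                 archive_after_days=None, storage_per_gb_month=0.02):
    """Return {ingestion, retention, archive, total} in USD per month.

    archive_after_days: move data out of Log Analytics into a storage account
    after this many days (the page's ">90 days" tip), keeping it until
    retention_days. storage_per_gb_month is a placeholder assumption.
    """
    if not 0 < retention_days <= 730:
        raise ValueError("workspace retention must be between 1 and 730 days")
    if commitment:
        billed = max(gb_per_day, COMMIT_TIER_GB_PER_DAY)  # tier capacity is paid even if unused
        ingestion = billed * DAYS_PER_MONTH * COMMIT_INGEST_PER_GB
    else:
        ingestion = gb_per_day * DAYS_PER_MONTH * PAYG_INGEST_PER_GB

    # Days the data stays in Log Analytics before archival (or for the whole retention)
    la_days = retention_days if archive_after_days is None else min(retention_days, archive_after_days)
    paid_gb = gb_per_day * max(0, la_days - FREE_RETENTION_DAYS)   # steady-state GB in paid retention
    retention = paid_gb * RETENTION_PER_GB_MONTH

    archive = 0.0
    if archive_after_days is not None and retention_days > archive_after_days:
        archive = gb_per_day * (retention_days - archive_after_days) * storage_per_gb_month

    return {"ingestion": round(ingestion, 2), "retention": round(retention, 2),
            "archive": round(archive, 2), "total": round(ingestion + retention + archive, 2)}


if __name__ == "__main__":
    # Small tenant from the volume table (5 GB/day), one year of retention
    print("PAYG, 365d in LA:      ", monthly_cost(5, 365))
    print("PAYG, archive after 90d:", monthly_cost(5, 365, archive_after_days=90))
    # Large tenant at the commitment tier, 90 days
    print("Commitment, 90d:       ", monthly_cost(100, 90, commitment=True))
```

The comparison the page recommends falls out directly: for the 5 GB/day tenant with a one-year requirement, ingestion dominates either way, and moving data out of the workspace after 90 days cuts the retention line from roughly $167 to about $30 per month plus whatever the storage account charges for the archived volume.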
Related Controls
- LOG-01: Audit Log Retention - Native Microsoft 365 retention
- LOG-03: Security Alerts - Configure Microsoft 365 Defender alerts
- LOG-04: Privileged Operation Alerts - Alert on admin actions
- LOG-05: Anomaly Detection - Enable Identity Protection