LOG-02: Export Logs to Long-Term Storage

Overview

This guide walks you through exporting Microsoft Entra ID sign-in logs and audit logs to external systems for long-term retention, advanced analysis, and SIEM integration. By streaming logs to Azure Log Analytics or third-party SIEMs, you enable real-time security monitoring and correlation with other security data.

Control ID: LOG-02
Category: Logging
Severity: Info
License Required: Microsoft Entra ID P1/P2 (for diagnostic settings export)

Why This Matters

Exporting sign-in logs to external systems provides:

  • Extended retention - Keep logs beyond Microsoft 365's native limits
  • Advanced analytics - Use Kusto queries, machine learning, and custom dashboards
  • SIEM integration - Correlate identity events with network, endpoint, and application logs
  • Compliance - Meet regulatory requirements for log storage and accessibility
  • Real-time alerting - Create custom alerts based on sign-in patterns

Prerequisites

Required Roles

You need the following roles:

  • Security Administrator or Global Administrator (for Entra ID diagnostic settings)
  • Contributor on the Azure subscription (for Log Analytics workspace)
  • Log Analytics Contributor (for workspace configuration)

Required Licenses

Feature                    | License Required
Sign-in log export         | Microsoft Entra ID P1 or P2
Audit log export           | Microsoft Entra ID P1 or P2
Risky sign-ins export      | Microsoft Entra ID P2
Identity Protection logs   | Microsoft Entra ID P2

Azure Resources Required

  • Azure subscription
  • Log Analytics workspace (or Event Hub for SIEM streaming)
  • Storage account (optional, for archival)

Time Estimate

Task                             | Duration
Create Log Analytics workspace   | 10 minutes
Configure diagnostic settings    | 15 minutes
Verify log flow                  | 30 minutes (wait for data)
Create basic queries/alerts      | 30 minutes
Total                            | 1.5-2 hours

Step-by-Step Instructions

Step 1: Create a Log Analytics Workspace

If you don't have an existing workspace:

  1. Sign in to the Azure portal
  2. Search for Log Analytics workspaces
  3. Click + Create
  4. Configure the workspace:
    • Subscription: Select your subscription
    • Resource group: Create new or select existing
    • Name: law-security-logs (or your naming convention)
    • Region: Select the region closest to your users
  5. Click Review + create > Create

Configure Workspace Retention

  1. Once created, open the workspace
  2. Navigate to Settings > Usage and estimated costs
  3. Click Data retention
  4. Set retention to your required period (90 days to 730 days)
  5. Click OK

Step 2: Configure Entra ID Diagnostic Settings

  1. Navigate to Microsoft Entra admin center
  2. Go to Identity > Monitoring & health > Diagnostic settings
  3. Click + Add diagnostic setting

Configure Log Categories

  1. Diagnostic setting name: EntraID-to-LogAnalytics
  2. Under Logs, select the following categories:
Category                       | Description                              | Recommended
AuditLogs                      | Administrative and configuration changes | Yes
SignInLogs                     | Interactive user sign-ins                | Yes
NonInteractiveUserSignInLogs   | App and service sign-ins                 | Yes
ServicePrincipalSignInLogs     | Application authentication               | Yes
ManagedIdentitySignInLogs      | Managed identity authentication          | Yes
ProvisioningLogs               | User provisioning events                 | Optional
ADFSSignInLogs                 | Federated sign-ins (if using ADFS)       | If applicable
RiskyUsers                     | Users flagged as risky                   | Yes (P2)
UserRiskEvents                 | Risk detection events                    | Yes (P2)
RiskyServicePrincipals         | Risky app identities                     | Yes (P2)
ServicePrincipalRiskEvents     | App risk events                          | Yes (P2)

Configure Destination

  1. Under Destination details, check Send to Log Analytics workspace
  2. Select your subscription and workspace
  3. Click Save

Step 3: Alternative - Stream to Event Hub (for SIEM)

If using a third-party SIEM (Splunk, Sentinel, etc.):

  1. Navigate to Diagnostic settings as above
  2. Click + Add diagnostic setting
  3. Select your log categories
  4. Check Stream to an event hub
  5. Configure Event Hub:
    • Subscription: Your subscription
    • Event hub namespace: Create or select existing
    • Event hub name: entra-logs (or leave blank for auto-create)
    • Event hub policy name: RootManageSharedAccessKey
  6. Click Save

Configure SIEM Connection

For Splunk:

  1. Install the Splunk Add-on for Microsoft Cloud Services
  2. Configure an Azure Event Hub input using the Event Hub connection string

For Microsoft Sentinel:

  1. Sentinel automatically ingests from Log Analytics
  2. Enable the Microsoft Entra ID data connector

Step 4: Verify Log Flow

Wait 15-30 minutes, then verify logs are flowing:

  1. Navigate to your Log Analytics workspace
  2. Go to Logs
  3. Run the following query:
// Check for sign-in logs
SigninLogs
| take 10
| project TimeGenerated, UserPrincipalName, AppDisplayName, ResultType, IPAddress
  4. Run additional verification queries:
// Check for audit logs
AuditLogs
| take 10
| project TimeGenerated, OperationName, Result, InitiatedBy

// Check for risky sign-ins (P2 only)
AADRiskyUsers
| take 10

Step 5: Create Essential Queries

Save these queries for ongoing monitoring:

Failed Sign-In Attempts (Last 24 Hours)

SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0" // ResultType is a string column; "0" means success
| summarize FailureCount = count() by UserPrincipalName, ResultDescription, IPAddress
| order by FailureCount desc
| take 50

Sign-Ins from New Countries

// Users whose sign-ins in the last 7 days came from more than one country
SigninLogs
| where TimeGenerated > ago(7d)
| summarize Countries = make_set(Location) by UserPrincipalName
| where array_length(Countries) > 1

High-Risk Sign-Ins

SigninLogs
| where RiskLevelDuringSignIn in ("high", "medium")
| project TimeGenerated, UserPrincipalName, RiskLevelDuringSignIn, IPAddress, Location
| order by TimeGenerated desc

Privileged Role Activations

AuditLogs
| where OperationName has "Add member to role"
// The role name is carried in modifiedProperties (Role.DisplayName); TargetResources[0].displayName is the target user, not the role
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| extend User = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, RoleName, User, InitiatedBy

Step 6: Create Alerts

Set up alerts for critical security events:

Alert: Multiple Failed Sign-Ins

  1. In Log Analytics, click Alerts > + New alert rule
  2. Under Condition, click Add condition
  3. Select Custom log search
  4. Enter query:
SigninLogs
| where ResultType != "0" // ResultType is a string column; "0" means success
| summarize FailureCount = count() by UserPrincipalName, bin(TimeGenerated, 1h)
| where FailureCount > 10
  5. Configure alert logic:
    • Based on: Number of results
    • Operator: Greater than
    • Threshold: 0
    • Frequency: Every 5 minutes
    • Period: Last 1 hour
  6. Configure action group for notifications
  7. Click Create
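The alert logic above, re-implemented in Python over constructed sample rows as an added example (not part of the original guide): it mirrors the per-user hourly binning and the ">10 failures" threshold, and shows why ResultType must be compared as the string "0". The sample rows and user names are invented.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed SigninLogs-style rows (not from a real tenant). ResultType is exported as a
# string, so success is "0" and any other value is a failure code.
def make_row(ts, upn, result_type):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "ResultType": result_type}

SAMPLE_SIGNINS = (
    # alice: 11 failures inside the 09:00 hour -> exceeds the >10 threshold
    [make_row(f"2024-01-15T09:{m:02d}:00Z", "alice@contoso.example", "50126") for m in range(0, 33, 3)]
    # one success for alice in the same hour, which must not be counted
    + [make_row("2024-01-15T09:40:00Z", "alice@contoso.example", "0")]
    # bob: 10 failures in the 10:00 hour -> exactly at the threshold, no alert
    + [make_row(f"2024-01-15T10:{m:02d}:00Z", "bob@contoso.example", "50053") for m in range(0, 30, 3)]
    # carol: 6 failures spread over two hours -> never more than 10 in one bin
    + [make_row(f"2024-01-15T{h:02d}:{m:02d}:00Z", "carol@contoso.example", "50126")
       for h in (11, 12) for m in (5, 25, 45)]
)

def hour_bin(ts: str) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, 1h): truncate an ISO-8601 UTC timestamp to the hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)

def failed_signin_buckets(rows, threshold=10):
    """Equivalent of the alert query: count failures per (user, hour) and keep buckets above threshold."""
    counts = Counter()
    for row in rows:
        # Compare against the string "0": the exported column is text, not a number.
        if row["ResultType"] != "0":
            counts[(row["UserPrincipalName"], hour_bin(row["TimeGenerated"]))] += 1
    return {key: n for key, n in counts.items() if n > threshold}

def alert_fires(rows, threshold=10):
    """Alert logic 'Number of results greater than 0': fire if any bucket exceeds the threshold."""
    return len(failed_signin_buckets(rows, threshold)) > 0

if __name__ == "__main__":
    for (upn, hour), n in failed_signin_buckets(SAMPLE_SIGNINS).items():
        print(f"{hour.isoformat()} {upn}: {n} failed sign-ins")
    print("alert fires:", alert_fires(SAMPLE_SIGNINS))
```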

Alert: Sign-In from Unusual Location

SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0" // successful sign-ins only; ResultType is a string column
| where Location !in ("US", "CA", "GB") // Add your expected countries
| project TimeGenerated, UserPrincipalName, Location, IPAddress

Alert: Privileged Role Assignment

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Add member to role"
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName has_any ("Global Administrator", "Privileged Role Administrator", "Security Administrator")

Step 7: Export to Storage Account (Archival)

For compliance archival beyond Log Analytics retention:

  1. Navigate to Diagnostic settings
  2. Edit existing or create new setting
  3. Check Archive to a storage account
  4. Select or create a storage account
  5. Configure retention in days (0 = indefinite)
  6. Click Save

Verification Checklist

After configuring sign-in log export:

  • Log Analytics workspace is created and configured
  • Diagnostic settings are enabled for all required log categories
  • Sign-in logs are appearing in Log Analytics (verify with query)
  • Audit logs are appearing in Log Analytics
  • Risky sign-in logs are flowing (if P2 licensed)
  • Retention period is configured appropriately
  • Essential queries are saved and working
  • Critical alerts are configured and tested
  • SIEM integration is verified (if applicable)
  • Storage archival is configured (if required)

Troubleshooting

Issue: No Logs Appearing in Log Analytics

Cause: Diagnostic settings may not be active or there's a delay.

Solution:

  1. Wait at least 30 minutes after configuration
  2. Verify diagnostic setting shows as Enabled
  3. Check that the correct Log Analytics workspace is selected
  4. Ensure the workspace is in a supported region
  5. Verify you have the required licenses

Issue: Missing Log Categories

Cause: Some log categories require specific licenses.

Solution:

  1. RiskyUsers and UserRiskEvents require P2 licenses
  2. Ensure P1/P2 licenses are assigned to users
  3. Some categories only appear after specific activities occur

Issue: "Insufficient permissions" Error

Cause: Missing RBAC roles.

Solution:

  1. Verify you have Security Administrator or Global Administrator in Entra ID
  2. Verify you have Contributor on the Azure subscription
  3. If using managed identity, ensure it has Log Analytics Contributor role

Issue: High Data Ingestion Costs

Cause: Large tenant generating significant log volume.

Solution:

  1. Review pricing tier of Log Analytics workspace
  2. Consider commitment tier pricing for predictable costs
  3. Create data collection rules to filter unnecessary logs
  4. Archive older data to cheaper storage

Issue: Query Returns No Results

Cause: Table name or query syntax error.

Solution:

  1. Verify table exists: Run SigninLogs | take 1
  2. Check spelling of table names (case-sensitive)
  3. Ensure time range includes data: Use | where TimeGenerated > ago(7d)
  4. Run simpler query first, then add filters

Cost Considerations

Azure Log Analytics Pricing

Component                        | Approximate Cost
Data ingestion                   | ~$2.76/GB (Pay-as-you-go)
Data retention (first 31 days)   | Free
Data retention (32-730 days)     | ~$0.10/GB/month
Commitment tiers                 | 100GB/day: ~$2.30/GB

Estimating Log Volume

Tenant Size                      | Estimated Daily Volume
Small (< 500 users)              | 1-5 GB/day
Medium (500-5,000 users)         | 5-20 GB/day
Large (5,000-50,000 users)       | 20-100 GB/day
Enterprise (50,000+ users)       | 100+ GB/day

Cost Optimization Tips

  1. Use commitment tiers for predictable costs at scale
  2. Archive to storage for logs >90 days (cheaper than Log Analytics retention)
  3. Filter unnecessary logs using data collection rules
  4. Set appropriate retention - don't retain longer than required

Related Controls

  • LOG-01: Audit Log Retention - Native Microsoft 365 retention
  • LOG-03: Security Alerts - Configure Microsoft 365 Defender alerts
  • LOG-04: Privileged Operation Alerts - Alert on admin actions
  • LOG-05: Anomaly Detection - Enable Identity Protection

Additional Resources