Skip to main content

The Incident Was 90 Days Ago. Your Entra Logs Only Go Back 30.

Nick Ross4 min read

TL;DR

  • Entra ID Free retains audit and sign-in logs for 7 days, and Entra P1/P2 for 30 days, with P2 adding 60 extra days of risky sign-in signals.
  • Exporting Entra logs to an Azure Log Analytics Workspace extends retention to as much as two years.
  • Small and midsize tenants typically pay only cents to a few dollars per month, since roughly 500,000 sign-in logs equal about 1 GB of ingestion.
  • The MFA AuthQuake flaw showed why retention matters: by the time the vulnerability was public, the relevant logs in a 30-day tenant were already gone.
  • Once logs land in Log Analytics, KQL queries and custom alert rules give you faster, deeper investigation than the Entra admin center allows.

Security investigations have a habit of starting late. A vulnerability gets disclosed months after exploitation began, a client reports something suspicious from last quarter, an insurer asks for evidence covering a window that closed weeks ago. The default retention for Entra (formerly Azure AD) logs was not built for any of that. The fix is a Log Analytics Workspace in Azure, it takes an afternoon, and for most tenants it costs almost nothing. Here is the full walkthrough.

How short is the default window?

  • Entra ID Free: audit and sign-in logs are retained for 7 days. The bare minimum, and rarely enough for a meaningful investigation.
  • Entra P1/P2: 30 days by default.
  • Security signals (P2): an additional 60 days of risky sign-in activity.

Reference: Microsoft Entra data retention (opens in new tab)

Thirty days or less proves insufficient the moment you need to look further back, which is precisely the pattern with advanced persistent threats and delayed vulnerability disclosures.

AuthQuake: when 30 days was not enough

The MFA AuthQuake flaw (opens in new tab), reported and patched by Microsoft, let attackers brute force time-based one-time password (TOTP) codes by exploiting a flaw that gave them extra time to guess. In one real-world case, a tenant administrator wanted to investigate potential compromise, but the reported incident predated the 30-day retention window. Without extended logs, a deeper investigation simply was not possible.

That is the pattern to internalize: threats and vulnerabilities often come to light months after they occurred, and the investigation is only as good as the log data that survived.

Beyond that scenario, longer retention earns its keep four ways:

  1. Slow-burning attacks. APTs can lie dormant for weeks or months before acting.
  2. Reactive investigations. Flaws get discovered long after the compromise date.
  3. Holistic visibility. A longer window paints a fuller picture of user activity, sign-in patterns, and changes to security policies or group membership.
  4. Compliance. Depending on the industry, regulations may require retention beyond the defaults.

Setting up the two-year archive

Microsoft's first-party answer is an Azure Log Analytics Workspace. The high-level process:

  1. Set up an Azure subscription. You need at least one active subscription; a free trial works to start.
  2. Create a Log Analytics Workspace. In the Azure Portal, create a resource group (or reuse one), then build the workspace:
    • Give it a name (for example "EntraLogsDemo") and pick a region.
    • Choose a pricing tier; pay-as-you-go is common for smaller tenants.
  3. Configure diagnostic settings. In the Entra admin center, navigate to Monitoring & Health > Audit Logs or Sign-In Logs > Export Data Settings > Add Diagnostic Setting:
    • Select the logs to export (for example "AuditLogs" and "SignInLogs").
    • Choose the Log Analytics Workspace as the destination.
  4. Adjust data retention. Back in the Azure Portal, open the workspace, then Usage and estimated costs > Data retention:
    • Increase retention to 6 months, 1 year, or up to 2 years.
    • Optionally configure a daily cap to limit ingress charges.
  5. Set archiving policies (optional). Fine-tune per table, for example keeping sign-in logs hot for 90 days and archived for the remaining duration.

What this costs

Pay-as-you-go pricing charges primarily for data ingestion per gigabyte and for retention beyond 31 days. For small and midsize businesses, log volumes are usually low enough that the bill is negligible, often a few cents to a few dollars per month. As a sizing anchor: roughly 500,000 sign-in logs come to about 1 GB, and most businesses are nowhere near that.

To keep it predictable:

  1. Usage and estimated costs. The workspace's own page shows real-time ingestion rates.
  2. Azure Pricing Calculator. Use the calculator (opens in new tab) to estimate monthly costs from anticipated ingestion and retention.
  3. Cost alerts. Configure Azure cost alerts at the resource group or workspace level to catch unexpected spikes.

The payoff: KQL instead of portal scrolling

Once logs flow into Log Analytics, Kusto Query Language (KQL) gives you faster and more advanced searches than the Entra admin center allows. For example:

text
AuditLogs
| where ActivityDisplayName == "Update policy"
| order by TimeGenerated desc

From there:

  • Advanced filtering by user, device, IP address, or activity type
  • Time ranges that extend past the old 30-day wall to your full configured retention
  • Alert rules for critical actions, such as modifications to Conditional Access policies or mass account lockouts

Many customers also use Azure OpenAI or Copilot to help build and refine KQL queries, which lowers the barrier considerably if KQL is new to you.

Log Analytics or Sentinel?

  • Smaller tenants: if the goal is simply extended retention, Log Analytics alone is sufficient.
  • Larger organizations: if you need real SIEM capabilities, advanced threat hunting, and automated playbooks, Microsoft Sentinel is the better fit, with the caveat that it adds licensing costs beyond basic ingestion fees.

And if a third-party SIEM or log management tool (Huntress, Blackpoint, Red Canary) already covers you, Microsoft's built-in path is still worth knowing. It is a cost-effective, integrated route to longer retention and serious log analysis, and short retention is one blind spot no security stack should tolerate.

Frequently asked questions

Do we still need this if a third-party SIEM like Huntress, Blackpoint, or Red Canary already ingests our logs?

It is still worth knowing. Microsoft's built-in path is a cost-effective, integrated option for longer retention and log analysis, and it gives you a first-party copy of the evidence independent of any vendor relationship.

When does Microsoft Sentinel make more sense than plain Log Analytics?

When you need full SIEM capabilities: advanced threat hunting, automated playbooks, and correlation across sources. For small or budget-constrained tenants that simply need extended log retention, Log Analytics alone is sufficient and avoids Sentinel's additional licensing costs.

Can different log types have different retention periods?

Yes. Archiving policies can be tuned per table, for example keeping sign-in logs hot and searchable for 90 days, then archived for the remainder of your configured retention.

Retention is a control. Controls drift.

Log export is exactly the kind of setting that gets configured once and silently broken later. CloudCapsule checks 250+ controls per tenant in 60 seconds, so the evidence trail is there before the incident, not after.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading