PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 9 min read

Entra ID Sign-In Log Retention: How to Keep Audit Logs Beyond 30 Days for Investigations and Compliance

30 days
Default Entra ID P1/P2 sign-in log retention -- 7 days for free tier
Average 194 days
Average breach detection time -- 164 days after log expiry at default retention
3 destinations
Log Analytics, Event Hub, or Storage Account -- can configure all three simultaneously

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The default 30-day Entra ID log retention is a common source of frustration during security investigations. An analyst investigating a suspicious account compromise receives a report that the account may have been accessed 45 days ago -- and the logs are gone. Extending retention is a straightforward configuration that costs less than most organizations expect, and it is not dependent on having a Microsoft Sentinel license. This guide covers the three export options, when to use each, and the specific configuration steps.

What Logs Can Be Exported and Kept Longer

The Diagnostic Settings configuration exports six Entra ID log categories: SignInLogs (interactive user sign-ins -- the most forensically valuable), NonInteractiveUserSignInLogs (sign-ins using tokens, refresh tokens, FOCI tokens -- critical for token theft investigations), ServicePrincipalSignInLogs (application/service principal authentication -- important for detecting compromised service principals), ManagedIdentitySignInLogs (Azure managed identity authentication), AuditLogs (directory changes: account creation, group modification, role assignments, conditional access policy changes), and ProvisioningLogs (identity sync events). For security purposes, the highest-priority categories are SignInLogs, NonInteractiveUserSignInLogs, and AuditLogs. ServicePrincipalSignInLogs and ManagedIdentitySignInLogs are important for cloud-native environments with significant application authentication. Enable all six if budget allows -- the cost difference is modest.

Option 1: Log Analytics Workspace (90-Day Interactive Retention)

A Log Analytics workspace provides interactive KQL querying of Entra ID logs with configurable retention. This is the best option if you do not have Microsoft Sentinel but want to query sign-in data on-demand for investigations. Setup: in the Azure portal, create a Log Analytics workspace in the same region as your Entra tenant (for lower latency). In the Entra admin center (entra.microsoft.com), navigate to Monitoring > Diagnostic Settings > Add Diagnostic Setting. Select all log categories. Destination: Send to Log Analytics Workspace, select the workspace. Save. After the first events arrive (within minutes), query via Log Analytics: SigninLogs | where TimeGenerated > ago(30d) | where ResultType != 0 | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultDescription | order by TimeGenerated desc. Retention cost: Log Analytics charges for data ingestion (approximately $2.76 per GB) plus retention beyond the free 31-day tier ($0.12 per GB per month). A medium organization (2,000 users) generates roughly 5-15 GB of Entra ID sign-in logs per month. Budget approximately $15 to $60 per month for 90-day retention.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Option 2: Microsoft Sentinel (SIEM with Detection)

If your organization has Microsoft Sentinel, connecting Entra ID logs is the standard approach. The Microsoft Entra ID connector (under Content Hub > Microsoft Entra ID > Install) ingests SignInLogs, AuditLogs, and all other categories via Diagnostic Settings automatically. Sentinel applies analytics rules to detect anomalies (new country sign-in, impossible travel, MFA spam attacks) in real time. Retention in Sentinel: the default hot retention (interactive query) is 90 days, configurable up to 2 years. The archive tier extends to 7 years at much lower cost ($0.026 per GB per month). For most organizations, 90-day hot retention in Sentinel covers nearly all incident investigation scenarios. The Sentinel connector also enriches sign-in events with threat intelligence and UEBA baseline data, enabling more sophisticated detections than raw Log Analytics queries.

Option 3: Azure Storage Account (Long-Term Compliance Archive)

For organizations with compliance requirements mandating 1-year or longer log retention, Azure Storage provides the cheapest per-GB cost. Setup: create a Storage Account in Azure. In Diagnostic Settings, select Archive to a Storage Account, choose the account. Logs are written as JSON blobs organized by date and category. The drawback: logs in Storage are not easily queryable for ad-hoc investigations -- to query them, you must either download and parse the JSON files locally or use Azure Data Factory / Synapse to ingest them into a queryable format. The primary use case is compliance archiving and forensic export (download the relevant date range, parse with PowerShell or Python for investigation), not day-to-day SIEM queries. Cost: Azure Blob Storage LRS runs approximately $0.018 per GB per month for cool tier, making 1-year retention of 15 GB/month approximately $3.24 per month -- very cheap as a backup archive alongside a primary SIEM.

Recommended Retention Tiers by Use Case

Operational security and incident response: 90-day hot retention in Log Analytics or Sentinel is sufficient for most investigations and is the standard recommendation. This covers the typical dwell time of modern ransomware operators (5 to 30 days) plus investigation time. Compliance (SOC 2, ISO 27001, HIPAA): most frameworks require 1-year log retention. Combine 90-day hot retention (Log Analytics or Sentinel) with a Storage Account archive for the remainder of the year. The combination costs significantly less than keeping all logs in hot storage for a full year. Forensic/long-term investigation: 2-year retention at the Sentinel archive tier for organizations that have experienced significant incidents and need historical baseline data for investigation. This tier is read-only (restore jobs required) but is queryable without manual extraction. Action item: configure Diagnostic Settings today even if budget for a full SIEM is not available -- a basic Log Analytics workspace with 90-day retention is under $60/month for most organizations and is infinitely better than the 30-day default.

The bottom line

The default 30-day Entra ID log retention is inadequate for security investigations. The fix is configuring Diagnostic Settings to export logs to Log Analytics, Sentinel, or Storage -- a 30-minute configuration task. For most organizations, a Log Analytics workspace with 90-day retention at $15 to $60 per month is the right starting point. If Microsoft Sentinel is already licensed, connect the Entra ID data connector immediately.

Frequently asked questions

Can I retroactively get Entra ID logs that have already been deleted?

No. Once logs age out of Microsoft's retention window (7 or 30 days depending on license), they are permanently gone from Microsoft's infrastructure. Diagnostic Settings export only forwards events going forward from the configuration date. This is why configuring export before an incident occurs is critical -- there is no recovery path for logs that were never exported.

Does the Unified Audit Log in Microsoft 365 cover the same data as Entra ID Diagnostic Settings?

Partially. The Microsoft 365 Unified Audit Log (Microsoft Purview Audit) captures Entra ID audit events (account changes, role assignments) but does not include the detailed sign-in log data (IP address, location, device, MFA method, risk score) that SignInLogs and NonInteractiveUserSignInLogs contain. For identity security investigations, the Diagnostic Settings export to Log Analytics is more valuable than the Unified Audit Log because it includes the full sign-in context. Use both: Purview Audit for compliance and operational actions, Diagnostic Settings for identity authentication forensics.

How much storage does Entra ID sign-in log export actually use?

It depends on the number of users and applications. A rough estimate: 50 to 200 bytes per sign-in event. An organization with 1,000 active users averaging 20 sign-ins per day generates approximately 1 million events per month, or roughly 100 MB to 200 MB. A 5,000-user organization generates 2 to 5 GB per month across all log categories combined. These are small numbers compared to endpoint or network log volumes, making Entra ID log retention very cost-effective relative to its forensic value.

What Entra ID P license do I need for Diagnostic Settings?

Diagnostic Settings for Entra ID logs are available with Entra ID P1 or P2 licenses (or Microsoft 365 E3/E5 which include P1/P2). The free tier does not support Diagnostic Settings. However, all sign-in logs (regardless of license tier) are available in the Entra portal for 7 days (free) or 30 days (P1/P2) -- the Diagnostic Settings feature extends retention by streaming to external destinations.

What is the difference between the SignInLogs and AADNonInteractiveUserSignInLogs tables in Log Analytics?

SignInLogs (interactive user sign-ins) captures sign-in events where the user provided credentials or completed MFA: browser logins, native application sign-ins with an interactive credential prompt. AADNonInteractiveUserSignInLogs captures sign-ins where the user was not prompted but an OAuth token refresh or silent authentication occurred on their behalf: background token refreshes, single sign-on events, and access token acquisitions where a cached token or PRT was used. The non-interactive logs are typically 5 to 10 times higher volume than interactive logs but are critical for detecting token theft replay -- an attacker using a stolen refresh token generates non-interactive sign-in events from their IP, not the victim's.

How long does Entra ID retain sign-in logs by default and what options exist for longer retention?

Entra ID retains sign-in logs for 30 days for P1/P2 tenants and 7 days for free/basic tenants in the portal. These are the portal-accessible retention windows; the underlying audit infrastructure may retain longer but is not queryable after the portal cutoff. For compliance frameworks that require 90-day to 1-year log retention (SOC 2, HIPAA, PCI DSS), you must export logs before the retention window expires. Export options: Diagnostic Settings in Entra ID can stream logs to a Log Analytics Workspace (Microsoft Sentinel), Azure Storage Account, or Azure Event Hub in near-real-time. Storage Accounts are the cheapest long-term archive (roughly $0.02/GB/month for cool tier). Log Analytics retains data for 30 days by default with configurable extension up to 2 years at additional cost. Event Hub is used when forwarding to a third-party SIEM (Splunk, QRadar) that consumes the stream via its Event Hub connector. Configure Diagnostic Settings immediately after tenant creation -- Entra ID does not backfill logs retroactively, so any period before export configuration is permanently unrecoverable.

Sources & references

  1. Microsoft: Entra ID Activity Log Retention
  2. Microsoft: Diagnostic Settings for Entra ID Logs

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.