Extending Azure Active Directory Log Retention

Admins can retain the audit and sign-in activity data for longer than the default retention period outlined above by routing it to an Azure storage account using Azure Monitor.

Prerequisites

To use this feature, you need:

• An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
• An Azure AD tenant.
• A user who's a global administrator or security administrator for the Azure AD tenant.
• A Log Analytics workspace in your Azure subscription. Learn how to create a Log Analytics workspace.

Licensing requirements

Using this feature requires an Azure AD Premium P1 or P2 tenant. You can find the license type of your tenant on the Overview page in Azure Active Directory.

If you want to know for how long the activity data is stored in a Premium tenant, see: How long does Azure AD store the data?

Send logs to Azure Monitor

1. Sign in to the Azure portal.

2. Select Azure Active Directory > Diagnostic settings -> Add diagnostic setting. You can also select Export Settings from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.

3. In the Diagnostic settings menu, select the Send to Log Analytics workspace check box, and then select Configure.

4. Select the Log Analytics workspace you want to send the logs to or create a new workspace in the provided dialog box.

5. Do either or both of the following:

   • To send audit logs to the Log Analytics workspace, select the AuditLogs check box.
   • To send sign-in logs to the Log Analytics workspace, select the SignInLogs check box.

6. Select Save to save the setting.

   

7. After about 15 minutes, verify that events are streamed to your Log Analytics workspace.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics