Ingesting Azure AD Activity reports & logs with Sentinel Free tier ?

EnterpriseArchitect 4,741 Reputation points
2022-12-05T05:44:38.923+00:00

Hi People,

I have the requirement to retain all Audit logs, Sign-ins and Azure AD MFA usage for at least 1 year.

Based on this link: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data it is only 30 and 90 days maximum regardless any license I assigned to the users from E5 down to the Invited Guest user.

Would it be possible to ingest them to Microsoft Sentinel using the https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=free-data-meters#free-data-sources the Free tier ?

Any help and clarification would be greatly appreciated.

Thank you.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,592 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
976 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,473 questions
0 comments
Accepted answer
  1. Clive Watson 5,711 Reputation points MVP
    2022-12-05T13:23:19.22+00:00

    The free sources are marked by Microsoft when ingested as IsBillable==false, you can't ingest a billable resource and make it free.

    Billable data will be categorized as IsBillable==true. You do get the ingested data in the Workspace retained, for up to 90days as free (only when you have Sentinel associated to the Log Analytics workspace, you can change the retention setting from 30 --> 90days).

    If this helps, please 'accept' the answer.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest