Редактиране

Споделяне чрез


Configure Microsoft Entra diagnostic settings for activity logs

Using diagnostic settings in Microsoft Entra ID, you can integrate logs with Azure Monitor, stream logs to an event hub, or archive logs to a storage account. You can create multiple diagnostic settings to send activity logs to different destinations.

This article provides the steps to configure Microsoft Entra diagnostic settings for activity logs.

Prerequisites

To configure diagnostic settings, you need:

How to access diagnostic settings

This article provides the steps to access diagnostic settings for the Microsoft Entra logs. If you need to configure diagnostic settings for Azure Monitor or Azure resources outside of Microsoft Entra ID, see Diagnostic settings in Azure Monitor.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Monitoring & health > Diagnostic settings. The General settings appear by default.

  3. Any existing diagnostic settings appear in the table. Select edit settings to change an existing setting, or select Add diagnostic setting to create a new setting.

    Screenshot of the Microsoft Entra diagnostic settings page.

Custom security attributes

The custom security attributes logs are a subset of the standard audit logs. You must have the Attribute Log Administrator role active to configure diagnostic settings for the custom security attributes. For more information, see Custom security attributes overview.

To configure diagnostic settings for the custom security attribute audit logs, select Custom security attributes. The process to configure diagnostic settings is the same for both categories of logs.

Screenshot of the custom security attributes page for diagnostic settings.

Tip

Microsoft recommends that you keep your custom security attribute audit logs separate from your directory audit logs so that attribute assignments are not revealed inadvertently.

Select the logs and destination

When you create or edit a diagnostic setting, you can choose which logs to include and where to send them.

Log categories

You can select one, some, or all of the available logs. Some logs might be part of a preview feature. Even if you select a log category, you might not see any data until the feature is generally available. For a description of the available logs, see Log options for streaming to endpoints.

Screenshot of the log categories in diagnostic settings.

Destination details

You can send logs to a Log Analytics workspace, stream logs to an event hub, or archive logs to a storage account. Through Azure Native ISV services, you can send logs to services through the Azure Marketplace. For more information, see Azure Native ISV services overview.

You must have a destination set up prior to configuring diagnostic settings.

When you select a destination, more fields appear. Select the appropriate subscription and destination from the fields that appear.

Screenshot of the destination options in diagnostic settings.

For details on configuring diagnostic settings for a specific destination, see the following articles:

Basic process

The basic steps for configuring diagnostics settings are as follows:

  1. To create a new diagnostic setting, select Add diagnostic setting.

  2. Provide a name.

  3. Select the logs you want to include.

  4. Select the destination.

  5. Select the subscription and the destination from the dropdown menus that appear.

  6. Select the Save button.

    Screenshot of the create diagnostic settings page, with several logs selected to go to a Log Analytics workspace.

Note

It might take up to three days for the logs to start appearing in the destination.