How To: Export risk data
Azure AD stores reports and security signals for a defined period of time. When it comes to risk information that period may not be long enough.
|Report / Signal||Azure AD Free||Azure AD Premium P1||Azure AD Premium P2|
|Audit logs||7 days||30 days||30 days|
|Sign-ins||7 days||30 days||30 days|
|Azure AD MFA usage||30 days||30 days||30 days|
|Risky sign-ins||7 days||30 days||30 days|
Organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD to send RiskyUsers, UserRiskEvents, RiskyServicePrincipals, and ServicePrincipalRiskEvents data to a Log Analytics workspace, archive data to a storage account, stream data to an event hub, or send data to a partner solution. Find these options in the Azure portal > Azure Active Directory, Diagnostic settings > Edit setting. If you don't have a diagnostic setting, follow the instructions in the article Create diagnostic settings to send platform logs and metrics to different destinations to create one.
Log Analytics allows organizations to query data using built in queries or custom created Kusto queries, for more information, see Get started with log queries in Azure Monitor.
Once enabled you'll find access to Log Analytics in the Azure portal > Azure AD > Log Analytics. The following tables are of most interest to Identity Protection administrators:
- AADRiskyUsers - Provides data like the Risky users report in Identity Protection.
- AADUserRiskEvents - Provides data like the Risk detections report in Identity Protection.
- RiskyServicePrincipals - Provides data like the Risky workload identities report in Identity Protection.
- ServicePrincipalRiskEvents - Provides data like the Workload identity detections report in Identity Protection.
In the previous image, the following query was run to show the most recent five risk detections triggered.
AADUserRiskEvents | take 5
Another option is to query the AADRiskyUsers table to see all risky users.
Log Analytics only has visibility into data as it is streamed. Events prior to enabling the sending of events from Azure AD do not appear.
By routing logs to an Azure storage account, you can keep it for longer than the default retention period. For more information, see the article Tutorial: Archive Azure AD logs to an Azure storage account.
Azure Event Hubs
Azure Event Hubs can look at incoming data from sources like Azure AD Identity Protection and provide real-time analysis and correlation. For more information, see the article Tutorial: Stream Azure Active Directory logs to an Azure event hub
Organizations can choose to connect Azure AD data to Microsoft Sentinel as well for further processing.
Organizations can use the Microsoft Graph API to programatically interact with risk events.
- What is Azure Active Directory monitoring?
- Install and use the log analytics views for Azure Active Directory
- Connect data from Azure Active Directory (Azure AD) Identity Protection
- Azure Active Directory Identity Protection and the Microsoft Graph PowerShell SDK
- Tutorial: Stream Azure Active Directory logs to an Azure event hub