Tutorial: Archive Azure AD logs to an Azure storage account
In this tutorial, you learn how to set up Azure Monitor diagnostics settings to route Azure Active Directory (Azure AD) logs to an Azure storage account.
To use this feature, you need:
- An Azure subscription with an Azure storage account. If you don't have an Azure subscription, you can sign up for a free trial.
- An Azure AD tenant.
- A user who's a global administrator or security administrator for the Azure AD tenant.
Archive logs to an Azure storage account
Sign in to the Azure portal.
Select Azure Active Directory > Monitoring > Audit logs.
Select Export Data Settings.
In the Diagnostics settings pane, do either of the following:
- To change existing setting, select Edit setting next to the diagnostic setting you want to update.
- To add new settings, select Add diagnostic setting.
You can have up to three settings.
Once in the Diagnostic setting pane if you're creating a new setting, enter a name for the setting to remind you of its purpose (for example, Send to Azure storage account). You can't change the name of an existing setting.
Under Destination Details Select the Archive to a storage account check box.
Select the Azure subscription in the Subscription menu and storage account in the Storage account menu that you want to route the logs to.
Select all the relevant categories in under Category details:
Do either or both of the following:
select the AuditLogs check box to send audit logs to the storage account.
select the SignInLogs check box to send sign-in logs to the storage account.
After the categories have been selected, in the Retention days field, type in the number of days of retention you need of your log data. By default, this value is 0, which means that logs are retained in the storage account indefinitely. If you set a different value, events older than the number of days selected are automatically cleaned up.
Select Save to save the setting.
Close the window to return to the Diagnostic settings pane.