Sign-in logs older than the 30 day limit

Jason Barden 36 Reputation points
2020-06-18T19:25:07.473+00:00

I have a user that fell for a phishing scam, the investigating party is wanting sign in information from the incident but was about 100 days ago. is there anyway to gain access to those logs for legal investigation purposes?
Specifically i am looking for the User sign-in logs in the Azure AD.
Thanks for any help!!

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 119.6K Reputation points MVP Volunteer Moderator
    2020-06-18T19:29:49.477+00:00

    Not unless you're exporting them somewhere. If you are using Office 365, you can use the Unified audit log, which ingests events from Azure AD as well: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

    As detailed in the article, depending on the license you can get events from up to 90 days/1 year back.

    4 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2020-06-18T22:58:32.027+00:00

    @Jason Barden
    Unfortunately, Azure AD does not store any activity data past 30 days.

    10354-signindata.jpg

    Link: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data

    ----------

    Please let us know if any reply/answer helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.

    3 people found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.