This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 44%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
I have a user that fell for a phishing scam, the investigating party is wanting sign in information from the incident but was about 100 days ago. is there anyway to gain access to those logs for legal investigation purposes?
Specifically i am looking for the User sign-in logs in the Azure AD.
Thanks for any help!!
Not unless you're exporting them somewhere. If you are using Office 365, you can use the Unified audit log, which ingests events from Azure AD as well: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
As detailed in the article, depending on the license you can get events from up to 90 days/1 year back.
We are using office 365 and it looks like this would have worked if i had enabled the logging. it was not enabled by default.
Thanks for that answer, any other ideas by chance?
@Jason Barden
Unfortunately, Azure AD does not store any activity data past 30 days.
----------
Please let us know if any reply/answer helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.
Hi @JamesTran-MSFT , So regardless of the license assigned to the users E5 or even Guest, they will be retained only for 30 days?
I needed to turn up logging and can't seem to figure it out either. MS Ticket then.