Where are the audit logs and sign-in logs stored within Azure?

Aaron Czupryn 0 Reputation points
2024-07-05T18:08:42.76+00:00

I apologize for this question. I am not super familiar with the Azure environment. So I can find the audit logs and sign-in logs within Azure. They have been saved/stored for the past 30 days, but I cannot find where these logs are being stored. Whoever set up the environment within the organization does not seem to have set up a specific storage container for this purpose. So where do I locate (or at least look for) where these 30-day logs are being stored, and where do I locate how these logs were configured? Thank you.

Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.

2 answers

  1. Marcin Policht 18,345 Reputation points MVP
    2024-07-05T19:22:12.62+00:00

    These are not Azure logs - these are Entra ID logs. You won't find them in your Azure subscription - because they exist outside of it. Their location and storage are managed for you - you simply access them through one of the predetermined interfaces, including Entra Admin Center or programmatically.

    More at https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins and https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. Nehruji R 4,766 Reputation points Microsoft Vendor
    2024-07-08T11:07:23.29+00:00

    Hello Aaron Czupryn,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you would like to know where the audit logs and sign-in logs are stored and how to fetch these logs.

    Audit logs and sign-in logs are typically stored in different locations depending on the platform and services you are using.

    Audit Logs: These logs capture all changes made to your Azure AD resources. They are stored in the Azure AD portal and can be integrated with Azure Monitor for advanced querying and long-term storage.

    Sign-In Logs: These logs record all sign-in activities and are also stored in the Azure AD portal. Like audit logs, they can be sent to Azure Monitor for detailed analysis and retention.

    Please consider the following steps to retrieve these logs:

    To understand how these logs were configured, check the Diagnostic settings for each service. This will show you where the logs are being sent and the retention policies in place.

    To see how logs are configured, go to the Azure Active Directory > Diagnostic settings. Here, you can see if logs are being sent to a Log Analytics workspace, an Event Hub, or a storage account.

    If logs are being stored in a storage account, you can find them in the $logs container within the storage account. Navigate to Storage accounts in the Azure portal, select the relevant account, and look for the $logs container.

    If you are using a Log Analytics workspace, the logs might be stored there. You can check this by navigating to Log Analytics workspaces in the Azure portal and selecting the relevant workspace. Under the Logs section, you can query for audit and sign-in logs.

    Refer to the following MS docs for more details:

    https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging

    https://learn.microsoft.com/en-us/compliance/assurance/assurance-audit-logging

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

    Refer to this doc for querying logs - https://techcommunity.microsoft.com/t5/microsoft-entra/intro-to-querying-azure-ad-sign-in-and-audit-logs-held-in-azure/m-p/798199

    Hope this answer helps! Please let us know if you have any further queries. I'm happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

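An added example, not part of either answer or of Microsoft's documentation: a small Python audit helper that reads a saved list of the tenant's Entra diagnostic settings and reports where `AuditLogs` and `SignInLogs` are exported, or that no export exists and only the built-in copy is available. The response shape is assumed to follow the standard Azure diagnostic settings schema as returned by the `microsoft.aadiam/diagnosticSettings` endpoint; the sample data, resource names and function names are constructed for illustration.

```python
import json

# Constructed sample (not real tenant data), shaped like the response of
# GET https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"name": "to-workspace", "properties": {
            "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-sec",
            "logs": [
                {"category": "AuditLogs", "enabled": True},
                {"category": "SignInLogs", "enabled": True},
            ]}},
        {"name": "to-archive", "properties": {
            "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/Microsoft.Storage/storageAccounts/stsecarchive",
            "logs": [
                {"category": "AuditLogs", "enabled": True},
                {"category": "SignInLogs", "enabled": False},  # listed but not exported
            ]}},
    ]
})

# Property that identifies each destination type in a diagnostic setting.
DESTINATION_KEYS = {
    "workspaceId": "Log Analytics workspace",
    "storageAccountId": "storage account",
    "eventHubAuthorizationRuleId": "Event Hub",
}

def export_map(response_text, categories=("AuditLogs", "SignInLogs")):
    """Return {category: [(setting name, destination type, resource id), ...]}."""
    result = {c: [] for c in categories}
    for setting in json.loads(response_text).get("value", []):
        props = setting.get("properties", {})
        dests = [(label, props[key]) for key, label in DESTINATION_KEYS.items() if props.get(key)]
        for log in props.get("logs", []):
            # Only enabled categories are actually streamed to the destinations.
            if log.get("enabled") and log.get("category") in result:
                for label, rid in dests:
                    result[log["category"]].append((setting.get("name"), label, rid))
    return result

def unexported(response_text, categories=("AuditLogs", "SignInLogs")):
    """Categories with no enabled export: only the built-in Entra copy exists."""
    return [c for c, d in export_map(response_text, categories).items() if not d]

if __name__ == "__main__":
    for category, dests in export_map(SAMPLE_RESPONSE).items():
        print(category, dests or "no export configured")
```

An empty `value` list corresponds to the situation in the question: no diagnostic setting was ever created, so both categories come back from `unexported()`.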