Sign-in logs older than the 30 day limit

Jason Barden 36 Reputation points
2020-06-18T19:25:07.473+00:00

I have a user that fell for a phishing scam. The investigating party is wanting sign-in information from the incident, but it was about 100 days ago. Is there any way to gain access to those logs for legal investigation purposes?
Specifically, I am looking for the user sign-in logs in Azure AD.
Thanks for any help!!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Vasil Michev 100K Reputation points MVP
    2020-06-18T19:29:49.477+00:00

    Not unless you're exporting them somewhere. If you are using Office 365, you can use the Unified audit log, which ingests events from Azure AD as well: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

    As detailed in the article, depending on the license you can get events from up to 90 days/1 year back.

    4 people found this answer helpful.
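
One way to run the unified audit log search that the accepted answer points to, from Exchange Online PowerShell. This is an added example, not part of the original thread; the UPN, date window and output file name are placeholders, and it assumes the ExchangeOnlineManagement module and an account permitted to search the audit log.

```powershell
# Added example: pull one user's Azure AD sign-in events from the unified audit log.
# Assumptions (not from the thread): the UPN, the date window and the CSV path.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$upn   = 'user@example.com'          # placeholder account
$start = [datetime]'2020-03-01'      # placeholder window around the incident (UTC)
$end   = [datetime]'2020-03-15'

$query = @{
    StartDate      = $start
    EndDate        = $end
    UserIds        = $upn
    Operations     = 'UserLoggedIn', 'UserLoginFailed'
    SessionId      = "signin-review-$(Get-Date -Format yyyyMMddHHmmss)"
    SessionCommand = 'ReturnLargeSet'   # page through results under one session
    ResultSize     = 5000
}

# Call repeatedly with the same SessionId until a page comes back empty.
$records = [System.Collections.Generic.List[object]]::new()
do {
    $page = @(Search-UnifiedAuditLog @query)
    foreach ($r in $page) { $records.Add($r) }
} while ($page.Count -gt 0)

# AuditData is a JSON string; flatten the fields an investigator usually asks for.
$signIns = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        # UserAgent is carried in ExtendedProperties when the event includes it.
        UserAgent = ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
        Result    = $d.ResultStatus
    }
} | Sort-Object TimeUtc

# Nothing returned for a window older than the tenant's audit retention means
# the events have aged out, not that no sign-ins happened.
"{0} sign-in events found for {1}" -f @($signIns).Count, $upn
$signIns | Export-Csv -Path .\signins-audit.csv -NoTypeInformation
```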

1 additional answer

  1. JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2020-06-18T22:58:32.027+00:00

    @Jason Barden
    Unfortunately, Azure AD does not store any activity data past 30 days.

    Link: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data

    ----------

    Please let us know if any reply/answer helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.

    3 people found this answer helpful.