How To: Export risk data

Azure AD stores reports and security signals for a defined period of time. When it comes to risk information that period may not be long enough.

Report / Signal Azure AD Free Azure AD Premium P1 Azure AD Premium P2
Audit logs 7 days 30 days 30 days
s 7 days 30 days 30 days
Azure AD MFA usage 30 days 30 days 30 days
Risky sign-ins 7 days 30 days 30 days

Organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD to send RiskyUsers, UserRiskEvents, RiskyServicePrincipals, and ServicePrincipalRiskEvents data to a Log Analytics workspace, archive data to a storage account, stream data to an event hub, or send data to a partner solution. Find these options in the Azure portal > Azure Active Directory, Diagnostic settings > Edit setting. If you don't have a diagnostic setting, follow the instructions in the article Create diagnostic settings to send platform logs and metrics to different destinations to create one.

Diagnostic settings screen in Azure AD showing existing configuration

Log Analytics

Log Analytics allows organizations to query data using built in queries or custom created Kusto queries, for more information, see Get started with log queries in Azure Monitor.

Once enabled you'll find access to Log Analytics in the Azure portal > Azure AD > Log Analytics. The following tables are of most interest to Identity Protection administrators:

  • AADRiskyUsers - Provides data like the Risky users report in Identity Protection.
  • AADUserRiskEvents - Provides data like the Risk detections report in Identity Protection.
  • RiskyServicePrincipals - Provides data like the Risky workload identities report in Identity Protection.
  • ServicePrincipalRiskEvents - Provides data like the Workload identity detections report in Identity Protection.

Log Analytics view showing a query against the AADUserRiskEvents table showing the top 5 events

In the previous image, the following query was run to show the most recent five risk detections triggered.

| take 5

Another option is to query the AADRiskyUsers table to see all risky users.



Log Analytics only has visibility into data as it is streamed. Events prior to enabling the sending of events from Azure AD do not appear.

Storage account

By routing logs to an Azure storage account, you can keep it for longer than the default retention period. For more information, see the article Tutorial: Archive Azure AD logs to an Azure storage account.

Azure Event Hubs

Azure Event Hubs can look at incoming data from sources like Azure AD Identity Protection and provide real-time analysis and correlation. For more information, see the article Tutorial: Stream Azure Active Directory logs to an Azure event hub

Other options

Organizations can choose to connect Azure AD data to Microsoft Sentinel as well for further processing.

Organizations can use the Microsoft Graph API to programatically interact with risk events.

Next steps