Azure AD activity logs in Azure Monitor
Using Diagnostic settings in Azure Active Directory (Azure AD), you can route activity logs to several endpoints for long-term retention and data insights. This feature allows you to:
- Archive Azure AD activity logs to an Azure storage account.
- Stream Azure AD activity logs to an Azure event hub for analytics, using popular Security Information and Event Management (SIEM) tools such as Splunk, QRadar, and Microsoft Sentinel.
- Integrate Azure AD activity logs with your own custom log solutions by streaming them to an event hub.
- Send Azure AD activity logs to Azure Monitor to enable rich visualizations, monitoring, and alerting on the connected data.
You can route Azure AD audit logs and sign-in logs to your Azure Storage account, an event hub, Azure Monitor, or a custom solution.
- Audit logs: The audit logs activity report gives you access to the history of every task that's performed in your tenant.
- Sign-in logs: With the sign-in activity report, you can determine who performed the tasks that are reported in the audit logs.
- Provisioning logs: With the provisioning logs, you can monitor which users have been created, updated, and deleted in all your third-party applications.
- Risky users logs: With the risky users logs, you can monitor changes in user risk level and remediation activity.
- Risk detections logs: With the risk detections logs, you can monitor users' risk detections and analyze trends in risk activity detected in your organization.
To use this feature, you need the appropriate license and roles.
- An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
- Azure AD Free, Basic, Premium 1, or Premium 2 license. You can find the license type of your tenant on the Overview page in Azure AD.
- Azure AD Premium 1 or Premium 2 license, to access the Azure AD sign-in logs in the Azure portal.
- Global Administrator or Security Administrator access for the Azure AD tenant.
Depending on where you want to route the audit log data, you also need one of the following endpoints:
- An Azure Log Analytics workspace to send Azure AD logs to Azure Monitor.
- An Azure storage account that you have
  - We recommend that you use a general storage account and not a Blob storage account.
  - For storage pricing information, see the Azure Storage pricing calculator.
- An Azure Event Hubs namespace to integrate with third-party solutions.
Once you have your endpoint established, go to Azure AD and then Diagnostic settings. From here, you can choose what logs to send to the endpoint of your choice. For more information, see the Create diagnostic settings section of the Diagnostic settings in Azure Monitor article.
If you already have an Azure AD license, you need an Azure subscription to set up the storage account and Event Hubs. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources. These resources could include the storage account that you use for archival and the Event Hubs that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size.
Azure Monitor provides the option to exclude whole events, fields, or parts of fields when ingesting logs from Azure AD. Learn more about this cost saving feature in Data collection transformation in Azure Monitor.
Storage size for activity logs
Every audit log event uses about 2 KB of data storage. Sign-in event logs are about 4 KB of data storage. For a tenant with 100,000 users, which would incur about 1.5 million events per day, you would need about 3 GB of data storage per day. Because writes occur in approximately five-minute batches, you can anticipate around 9,000 write operations per month.
The following table estimates the cost of a general-purpose v2 storage account in West US for at least one year of retention, depending on the size of the tenant. To create a more accurate estimate for the data volume that you anticipate for your application, use the Azure storage pricing calculator.
| Log category | Number of users | Events per day | Volume of data per month (est.) | Cost per month (est.) | Cost per year (est.) |
|---|---|---|---|---|---|
| Audit | 100,000 | 1.5 million | 90 GB | $1.93 | $23.12 |
| Sign-ins | 100,000 | 15 million | 1.7 TB | $35.41 | $424.92 |
If you want to know for how long the activity data is stored in a Premium tenant, see: How long does Azure AD store the data?
Event Hubs messages for activity logs
Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. A message in the Event Hubs has a maximum size of 256 KB. If the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent.
For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Audit logs are about 2 KB per event, which equates to 10.8 MB of data. Therefore, 43 messages are sent to the event hub in that five-minute interval.
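The sizing arithmetic above (storage per day and write operations per month, and the number of 256 KB Event Hubs messages needed per five-minute batch) as an added, parameterized estimator; this is example code, not part of the article, and it assumes a 30-day month and decimal units (1 GB = 1,000,000 KB), so it generalizes the article's two worked figures to any event rate or event size.

```python
import math

# Per-event sizes and the Event Hubs message cap as stated in the article.
AUDIT_EVENT_KB = 2.0
SIGNIN_EVENT_KB = 4.0
EVENT_HUB_MESSAGE_LIMIT_KB = 256.0
BATCH_INTERVAL_SECONDS = 300   # logs are batched in roughly five-minute intervals
DAYS_PER_MONTH = 30            # assumption: 30-day month, matching the article's tables
INTERVALS_PER_DAY = 86_400 // BATCH_INTERVAL_SECONDS   # 288


def storage_per_day_gb(events_per_day, event_size_kb):
    """Daily archive volume in GB (decimal units: 1 GB = 1,000,000 KB)."""
    return events_per_day * event_size_kb / 1_000_000


def write_operations_per_month():
    """One storage write per batch: 12 per hour, 24 hours a day, 30 days."""
    return INTERVALS_PER_DAY * DAYS_PER_MONTH


def messages_per_interval(events_per_second, event_size_kb):
    """Event Hubs messages needed for one batch once the 256 KB cap is applied."""
    events_in_batch = events_per_second * BATCH_INTERVAL_SECONDS
    return math.ceil(events_in_batch * event_size_kb / EVENT_HUB_MESSAGE_LIMIT_KB)


def messages_per_month(events_per_second, event_size_kb):
    return messages_per_interval(events_per_second, event_size_kb) * write_operations_per_month()


def estimate(log_name, events_per_day, event_size_kb):
    """Combine the storage and Event Hubs figures for one log category."""
    events_per_second = events_per_day / 86_400
    per_day = storage_per_day_gb(events_per_day, event_size_kb)
    return {
        "log": log_name,
        "storage_gb_per_day": round(per_day, 2),
        "storage_gb_per_month": round(per_day * DAYS_PER_MONTH, 1),
        "write_ops_per_month": write_operations_per_month(),
        "messages_per_interval": messages_per_interval(events_per_second, event_size_kb),
        "messages_per_month": messages_per_month(events_per_second, event_size_kb),
    }


if __name__ == "__main__":
    # The article's tenant: 100,000 users, 1.5 million audit and 15 million sign-in events per day.
    for row in (estimate("Audit", 1_500_000, AUDIT_EVENT_KB),
                estimate("Sign-ins", 15_000_000, SIGNIN_EVENT_KB)):
        print(row)
```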
The following table contains estimated costs per month for a basic event hub in West US. The volume of event data can vary from tenant to tenant, based on factors like user sign-in behavior. To calculate an accurate estimate of the data volume that you anticipate for your application, use the Event Hubs pricing calculator.
| Log category | Number of users | Events per second | Events per five-minute interval | Volume per interval | Messages per interval | Messages per month | Cost per month (est.) |
|---|---|---|---|---|---|---|---|
Azure Monitor logs cost considerations
| Log category | Number of users | Events per day | Events per month (30 days) | Cost per month in USD (est.) |
|---|---|---|---|---|
| Audit and Sign-ins | 100,000 | 16,500,000 | 495,000,000 | $1093.00 |
To review costs related to managing the Azure Monitor logs, see Azure Monitor Logs pricing details.
Frequently asked questions
This section answers frequently asked questions and discusses known issues with Azure AD logs in Azure Monitor.
Q: Which logs are included?
A: The sign-in activity logs and audit logs are both available for routing through this feature, although B2C-related audit events are currently not included. To find out which types of logs and which feature-based logs are currently supported, see Audit log schema and Sign-in log schema.
Q: What happens if an Administrator changes the retention period of a diagnostic setting?
A: The new retention policy will be applied to logs collected after the change. Logs collected before the policy change will be unaffected.
Q: How much will it cost to store my data?
A: The storage costs depend on both the size of your logs and the retention period you choose. For a list of the estimated costs for tenants, which depend on the volume of logs generated, see the Storage size for activity logs section.
Q: How much will it cost to stream my data to an event hub?
A: The streaming costs depend on the number of messages you receive per minute. This article discusses how the costs are calculated and lists cost estimates, which are based on the number of messages.
Q: How do I integrate Azure AD activity logs with my SIEM tools?
A: You can integrate with your SIEM tools in two ways:
- Use Azure Monitor with Event Hubs to stream logs to your SIEM tool. First, stream the logs to an event hub and then set up your SIEM tool with the configured event hub.
- Use the Reporting Graph API to access the data, and push it into the SIEM system using your own scripts.
Q: What SIEM tools are currently supported?
A: Currently, Azure Monitor is supported by Splunk, IBM QRadar, Sumo Logic, ArcSight, LogRhythm, and Logz.io. For more information about how the connectors work, see Stream Azure monitoring data to an event hub for consumption by an external tool.
Q: How do I integrate Azure AD activity logs with my Splunk instance?
A: First, route the Azure AD activity logs to an event hub, then follow the steps to Integrate activity logs with Splunk.
Q: How do I integrate Azure AD activity logs with Sumo Logic?
A: First, route the Azure AD activity logs to an event hub, then follow the steps to Install the Azure AD application and view the dashboards in SumoLogic.
Q: Can I access the data from an event hub without using an external SIEM tool?
A: Yes. To access the logs from your custom application, you can use the Event Hubs API.
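A minimal consumer-side parser for the batched messages described above, as an added example that is not part of the article: it decodes one message body, merges the several messages that a busy interval can produce, and pulls failed sign-ins out for detection. The sample message is constructed; the `records` envelope and the `category`, `resultType` and `properties` field names are assumed from the Azure Monitor resource-log schema and should be checked against the audit and sign-in log schema links in the article.

```python
import json
from collections import Counter

# Constructed sample: one Event Hubs message body carrying a five-minute batch of events.
# Field names are assumptions (see lead-in); resultType "0" is taken to mean a successful sign-in.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2023-05-01T10:00:03Z", "category": "AuditLogs",
         "operationName": "Add member to role", "resultType": "Success",
         "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}}},
        {"time": "2023-05-01T10:00:09Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "0",
         "properties": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.5"}},
        {"time": "2023-05-01T10:01:12Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "50126",
         "properties": {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7"}},
    ]
}).encode("utf-8")


def parse_batch(body):
    """Decode one message body and return its records; reject bodies without the envelope."""
    payload = json.loads(body.decode("utf-8"))
    records = payload.get("records")
    if not isinstance(records, list):
        raise ValueError("message does not carry an Azure Monitor 'records' array")
    return records


def merge_interval(bodies):
    """A batch over 256 KB arrives as several messages; flatten them into one record list."""
    merged = []
    for body in bodies:
        merged.extend(parse_batch(body))
    return merged


def count_by_category(records):
    """Events per log category, useful for checking that every enabled category arrives."""
    return Counter(r.get("category", "unknown") for r in records)


def failed_sign_ins(records):
    """Sign-in records whose resultType is an error code rather than "0"."""
    return [r for r in records
            if r.get("category") == "SignInLogs" and r.get("resultType") != "0"]


if __name__ == "__main__":
    records = merge_interval([SAMPLE_MESSAGE])
    print(count_by_category(records))
    for r in failed_sign_ins(records):
        print(r["time"], r["properties"]["userPrincipalName"], r["resultType"])
```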