Azure AD activity logs in Azure Monitor

Using Diagnostic settings in Azure Active Directory (Azure AD), you can route activity logs to several endpoints for long-term retention and data insights. This feature allows you to:

  • Archive Azure AD activity logs to an Azure storage account.
  • Stream Azure AD activity logs to an Azure event hub for analytics, using popular Security Information and Event Management (SIEM) tools such as Splunk, QRadar, and Microsoft Sentinel.
  • Integrate Azure AD activity logs with your own custom log solutions by streaming them to an event hub.
  • Send Azure AD activity logs to Azure Monitor to enable rich visualizations, monitoring, and alerting on the connected data.

Supported reports

You can route Azure AD audit logs and sign-in logs to your Azure Storage account, an event hub, Azure Monitor, or a custom solution.

  • Audit logs: The audit logs activity report gives you access to the history of every task that's performed in your tenant.
  • Sign-in logs: With the sign-in activity report, you can determine who performed the tasks that are reported in the audit logs.
  • Provisioning logs: With the provisioning logs, you can monitor which users have been created, updated, and deleted in all your third-party applications.
  • Risky users logs: With the risky users logs, you can monitor changes in user risk level and remediation activity.
  • Risk detections logs: With the risk detections logs, you can monitor users' risk detections and analyze trends in risk activity detected in your organization.

Getting started

To use this feature, you need the appropriate license and roles.

  • An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
  • Azure AD Free, Basic, Premium 1, or Premium 2 license. You can find the license type of your tenant on the Overview page in Azure AD.
  • Azure AD Premium 1 or Premium 2 license, to access the Azure AD sign-in logs in the Azure portal.
  • Global Administrator or Security Administrator access for the Azure AD tenant.

Depending on where you want to route the audit log data, you also need one of the following endpoints:

Once you have your endpoint established, go to Azure AD and then Diagnostic settings. From here, you can choose what logs to send to the endpoint of your choice. For more information, see the Create diagnostic settings section of the Diagnostic settings in Azure Monitor article.

Cost considerations

If you already have an Azure AD license, you need an Azure subscription to set up the storage account and Event Hubs. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources. These resources could include the storage account that you use for archival and the Event Hubs that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size.

Azure Monitor provides the option to exclude whole events, fields, or parts of fields when ingesting logs from Azure AD. Learn more about this cost saving feature in Data collection transformation in Azure Monitor.

Storage size for activity logs

Every audit log event uses about 2 KB of data storage. Sign-in event logs are about 4 KB of data storage. For a tenant with 100,000 users, which would incur about 1.5 million events per day, you would need about 3 GB of data storage per day. Because writes occur in approximately five-minute batches, you can anticipate around 9,000 write operations per month.

The following table contains a cost estimate of, depending on the size of the tenant, a general-purpose v2 storage account in West US for at least one year of retention. To create a more accurate estimate for the data volume that you anticipate for your application, use the Azure storage pricing calculator.

| Log category | Number of users | Events per day | Volume of data per month (est.) | Cost per month (est.) | Cost per year (est.) |
|---|---|---|---|---|---|
| Audit | 100,000 | 1.5 million | 90 GB | $1.93 | $23.12 |
| Audit | 1,000 | 15,000 | 900 MB | $0.02 | $0.24 |
| Sign-ins | 1,000 | 34,800 | 4 GB | $0.13 | $1.56 |
| Sign-ins | 100,000 | 15 million | 1.7 TB | $35.41 | $424.92 |

If you want to know for how long the activity data is stored in a Premium tenant, see: How long does Azure AD store the data?

Event Hubs messages for activity logs

Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. A message in the Event Hubs has a maximum size of 256 KB. If the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent.

For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Audit logs are about 2 KB per event, which equates to 10.8 MB of data. Therefore, 43 messages are sent to the event hub in that five-minute interval.
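The arithmetic behind the storage and Event Hubs estimates above (events per batch, volume per batch, and the ceil(volume / 256 KB) split into messages) is worth having as a reusable calculator, so the figures can be redone for your own tenant's event rates. The following Python is an added example written for this article, not code from the article or from Microsoft; it assumes the constants the text states (five-minute batches, 256 KB per message, 30-day months, decimal KB/MB/GB) and reproduces the audit rows of both tables and the message counts of the Event Hubs table.

```python
import math

# Constants taken from the article: events are written in roughly five-minute
# batches, one Event Hubs message holds at most 256 KB, and a month is 30 days.
BATCH_SECONDS = 300
MAX_MESSAGE_KB = 256
INTERVALS_PER_MONTH = (30 * 24 * 3600) // BATCH_SECONDS  # 8,640 batches per month


def storage_estimate(events_per_day: int, kb_per_event: float, days: int = 30) -> dict:
    """Archive volume and write operations for routing logs to a storage account.

    Volumes are decimal (1 GB = 1,000,000 KB), which is how 1.5 million 2 KB audit
    events per day come out at the article's 3 GB per day and 90 GB per month.
    """
    kb_per_day = events_per_day * kb_per_event
    return {
        "gb_per_day": kb_per_day / 1_000_000,
        "gb_per_period": kb_per_day * days / 1_000_000,
        # One write operation per five-minute batch.
        "write_ops_per_period": days * 24 * 3600 // BATCH_SECONDS,
    }


def event_hub_estimate(events_per_second: float, kb_per_event: float) -> dict:
    """Messages per five-minute interval and per month for streaming to an event hub."""
    events_per_interval = events_per_second * BATCH_SECONDS
    kb_per_interval = events_per_interval * kb_per_event
    # A batch larger than 256 KB is split into ceil(volume / 256 KB) messages;
    # a batch with any events at all costs at least one message.
    messages_per_interval = max(1, math.ceil(kb_per_interval / MAX_MESSAGE_KB))
    return {
        "events_per_interval": events_per_interval,
        "mb_per_interval": kb_per_interval / 1000,
        "messages_per_interval": messages_per_interval,
        "messages_per_month": messages_per_interval * INTERVALS_PER_MONTH,
    }


if __name__ == "__main__":
    # Audit logs for a 100,000-user tenant: 1.5 million events/day, 2 KB each.
    s = storage_estimate(1_500_000, 2)
    print(f"storage: {s['gb_per_day']:.1f} GB/day, {s['gb_per_period']:.0f} GB/month, "
          f"{s['write_ops_per_period']} write operations/month")
    # Same tenant streamed to Event Hubs at 18 events/second.
    for label, eps in (("audit 100k users", 18), ("sign-ins 100k users", 18_000)):
        e = event_hub_estimate(eps, 2)
        print(f"{label}: {e['events_per_interval']:.0f} events/interval, "
              f"{e['mb_per_interval']:.1f} MB, {e['messages_per_interval']} messages/interval, "
              f"{e['messages_per_month']:,} messages/month")
```

Swap in your own events-per-day or events-per-second figures (the sign-in logs activity report shows the real rate for your tenant) and the per-event size for the log category to get a volume you can feed into the pricing calculators the article links to.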

The following table contains estimated costs per month for a basic event hub in West US. The volume of event data can vary from tenant to tenant, based on factors like user sign-in behavior. To calculate an accurate estimate of the data volume that you anticipate for your application, use the Event Hubs pricing calculator.

| Log category | Number of users | Events per second | Events per five-minute interval | Volume per interval | Messages per interval | Messages per month | Cost per month (est.) |
|---|---|---|---|---|---|---|---|
| Audit | 100,000 | 18 | 5,400 | 10.8 MB | 43 | 371,520 | $10.83 |
| Audit | 1,000 | 0.1 | 52 | 104 KB | 1 | 8,640 | $10.80 |
| Sign-ins | 100,000 | 18,000 | 5,400,000 | 10.8 GB | 42,188 | 364,504,320 | $23.90 |
| Sign-ins | 1,000 | 178 | 53,400 | 106.8 MB | 418 | 3,611,520 | $11.06 |

Azure Monitor logs cost considerations

| Log category | Number of users | Events per day | Events per month (30 days) | Cost per month in USD (est.) |
|---|---|---|---|---|
| Audit and Sign-ins | 100,000 | 16,500,000 | 495,000,000 | $1093.00 |
| Audit | 100,000 | 1,500,000 | 45,000,000 | $246.66 |
| Sign-ins | 100,000 | 15,000,000 | 450,000,000 | $847.28 |

To review costs related to managing the Azure Monitor logs, see Azure Monitor Logs pricing details.

Frequently asked questions

This section answers frequently asked questions and discusses known issues with Azure AD logs in Azure Monitor.

Q: Which logs are included?

A: The sign-in activity logs and audit logs are both available for routing through this feature, although B2C-related audit events are currently not included. To find out which types of logs and which feature-based logs are currently supported, see Audit log schema and Sign-in log schema.

Q: What happens if an Administrator changes the retention period of a diagnostic setting?

A: The new retention policy will be applied to logs collected after the change. Logs collected before the policy change will be unaffected.

Q: How much will it cost to store my data?

A: The storage costs depend on both the size of your logs and the retention period you choose. For a list of the estimated costs for tenants, which depend on the volume of logs generated, see the Storage size for activity logs section.

Q: How much will it cost to stream my data to an event hub?

A: The streaming costs depend on the number of messages you receive per minute. This article discusses how the costs are calculated and lists cost estimates, which are based on the number of messages.

Q: How do I integrate Azure AD activity logs with my SIEM tools?

A: You can integrate with your SIEM tools in two ways:

Q: What SIEM tools are currently supported?

A: Currently, Azure Monitor is supported by Splunk, IBM QRadar, Sumo Logic, ArcSight, LogRhythm, and For more information about how the connectors work, see Stream Azure monitoring data to an event hub for consumption by an external tool.

Q: How do I integrate Azure AD activity logs with my Splunk instance?

A: First, route the Azure AD activity logs to an event hub, then follow the steps to Integrate activity logs with Splunk.

Q: How do I integrate Azure AD activity logs with Sumo Logic?

A: First, route the Azure AD activity logs to an event hub, then follow the steps to Install the Azure AD application and view the dashboards in Sumo Logic.

Q: Can I access the data from an event hub without using an external SIEM tool?

A: Yes. To access the logs from your custom application, you can use the Event Hubs API.
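Reading the logs from an event hub yourself means unpacking each batched message into its individual records before anything can be indexed or alerted on. The following Python is an added example for this FAQ answer, not code from the article or from Microsoft. It assumes the message body is the Azure Monitor export envelope (a JSON object whose `records` array holds every event in the five-minute batch), that the default event hub for sign-in logs is named `insights-logs-signinlogs`, and that the record fields `category`, `time`, `operationName`, `resultType` and `properties` exist; the sample records embedded below are constructed, and the per-event field values in them are invented. The consumer uses the `azure-eventhub` SDK's `EventHubConsumerClient`; the parsing and summary functions run offline without it.

```python
import json

# Constructed sample of one Event Hubs message body in the Azure Monitor export
# shape. Every field value is invented; only the envelope shape ("records" array)
# and the category names are assumed to match what the diagnostic setting emits.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2023-01-01T10:00:00Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "0",
         "properties": {"userPrincipalName": "alice@contoso.example",
                        "ipAddress": "203.0.113.10"}},
        {"time": "2023-01-01T10:00:30Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "50126",
         "properties": {"userPrincipalName": "bob@contoso.example",
                        "ipAddress": "203.0.113.11"}},
        {"time": "2023-01-01T10:01:00Z", "category": "AuditLogs",
         "operationName": "Add member to role", "resultType": "",
         "properties": {"initiatedBy": {"user": {"userPrincipalName":
                        "admin@contoso.example"}}}},
    ]
}).encode()


def unpack_records(body) -> list:
    """Split one batched message (bytes or str) into its individual log records."""
    payload = json.loads(body)
    records = payload.get("records") if isinstance(payload, dict) else None
    if not isinstance(records, list):
        raise ValueError("message body is not an Azure Monitor 'records' batch")
    return records


def summarize(records: list) -> tuple:
    """Count records per category and collect sign-ins whose resultType is not success.

    For sign-in records a resultType of "0" is treated as success (assumed); anything
    else is kept so it can be forwarded to whatever alerting you run on failed sign-ins.
    """
    by_category = {}
    failed_signins = []
    for rec in records:
        category = rec.get("category")
        by_category[category] = by_category.get(category, 0) + 1
        if category == "SignInLogs" and rec.get("resultType") not in ("0", "", None):
            failed_signins.append(rec)
    return by_category, failed_signins


def consume(connection_string: str, eventhub_name: str = "insights-logs-signinlogs",
            consumer_group: str = "$Default") -> None:
    """Receive batches from the event hub and run the summary on each one.

    Requires `pip install azure-eventhub`; imported here so the functions above
    stay usable offline. Reads from the start of each partition ("-1").
    """
    from azure.eventhub import EventHubConsumerClient

    def on_event(partition_context, event):
        if event is None:  # idle partition
            return
        by_category, failed = summarize(unpack_records(event.body_as_str()))
        print(f"partition {partition_context.partition_id}: {by_category}, "
              f"{len(failed)} failed sign-ins")
        partition_context.update_checkpoint(event)

    client = EventHubConsumerClient.from_connection_string(
        connection_string, consumer_group, eventhub_name=eventhub_name)
    with client:
        client.receive(on_event=on_event, starting_position="-1")


if __name__ == "__main__":
    # Offline run over the constructed batch; pass a real connection string to consume()
    # to read from your own event hub instead.
    counts, failed = summarize(unpack_records(SAMPLE_MESSAGE))
    print(counts, [r["properties"]["userPrincipalName"] for r in failed])
```

Checkpointing after each message (`update_checkpoint`) is what lets a restarted consumer resume where it left off instead of re-reading the partition; the in-memory default shown here is enough for a test, and a blob-backed checkpoint store is the usual choice for anything long-running.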

Next steps