Retaining Entra Sign-in Logs Beyond 30 Days

In today’s security landscape, retaining audit and sign-in logs for an extended period is crucial for effective threat detection and incident response.

Unfortunately, the default data retention periods for Entra (formerly Azure AD) logs are often too short—particularly for businesses looking to investigate security breaches that might have occurred outside of our default 30-day retention. In this post, we’ll discuss why you should consider longer data retention, and then walk through how to set up a Log Analytics Workspace in Azure to store Entra logs for up to two years.

Understanding Default Entra Log Retention

• Entra ID Free: By default, audit and sign-in logs are retained for 7 days. This is the bare minimum and can be insufficient for meaningful security investigations.
• Entra P1/P2: Retain logs for 30 days by default.
• Security Signals (P2): Provides an additional 60 days for risky sign-in activity.

Thirty days or less of retention often proves insufficient if you need to look back further—especially in the case of advanced persistent threats or delayed reporting of security vulnerabilities.

Ref: Microsoft Entra data retention – Microsoft Entra ID | Microsoft Learn

Real-World Example: The MFA AuthQuake Flaw

A great illustration of why extended retention is critical is the MFA AuthQuake flaw reported (and patched) by Microsoft. Attackers were able to brute force time-based one-time password (TOTP) codes for MFA, exploiting a flaw that allowed them extra time to guess codes. In one real-world scenario, a tenant administrator wanted to investigate potential compromise, but the default log retention was only 30 days and the reported incident dated back further than that. Without extended logs, a deeper investigation simply wasn’t possible.

Key takeaway: Security threats or vulnerabilities may only come to light months after they’ve occurred, and you’ll need log data that stretches back far enough to trace events and understand potential compromises.

1. Delayed or Slow-Burning Attacks
   Advanced persistent threats (APTs) sometimes lie dormant for weeks or months before taking action.

2. Reactive Investigations
   Security flaws might be discovered long after the actual compromise date. Longer log retention is essential for a thorough review.

3. Holistic Visibility
   Longer retention helps paint a more comprehensive picture of user activities, sign-in patterns, and changes in security policies or group membership.

4. Compliance
   Depending on your industry, regulations may require data retention beyond the default periods.

Extending Your Entra Log Retention with Log Analytics

Microsoft offers a first-party solution for log retention using Azure Log Analytics Workspace. Here’s the high-level process:

1. Set Up an Azure Subscription
   You’ll need at least one active Azure subscription. (If you don’t have one, you can create a free trial.)

2. Create a Log Analytics Workspace
   In the Azure Portal, create a resource group (or use an existing one) and then build a new Log Analytics Workspace.

   • Specify a name (e.g., “EntraLogsDemo”) and region.
   • Choose a pricing tier (pay-as-you-go is common for smaller tenants).

3. Configure Diagnostic Settings
   In the Entra Admin Center, navigate to:
   Monitoring & Health → Audit Logs or Sign-In Logs → Export Data Settings → Add Diagnostic Setting

   • Select the logs you want to export (e.g., “AuditLogs” and “SignInLogs”).
   • Choose the Log Analytics Workspace as your destination.

4. Adjust Data Retention Settings
   Back in the Azure Portal, open your Log Analytics Workspace, then navigate to Usage and estimated costs and Data retention.

   • Increase retention to 6 months, 1 year, or up to 2 years.
   • (Optional) Configure a daily cap to limit ingress charges.

5. Set Up Archiving Policies (Optional)
   You can fine-tune settings per table (e.g., keep sign-in logs “hot” for 90 days, then archive them for the remaining duration).

Monitoring and Estimating Costs

Pay-as-you-go pricing charges primarily for data ingestion (per gigabyte) and retention beyond 31 days. For small or midsize businesses, log volumes are often low enough that costs remain negligible—sometimes only a few cents to a few dollars per month. You could expect around 500k sign in logs to be 1GB. Most businesses are going to be far from that. 

1. Usage & Estimated Cost
   In your Log Analytics Workspace, review the Usage and estimated costs page to see real-time data ingestion rates.

2. Azure Pricing Calculator
   Use the Azure Pricing Calculator to estimate monthly costs based on anticipated log ingestion and chosen retention.

3. Alerting
   Configure Azure cost alerts (either at the resource group level or workspace level) to get notified if usage spikes unexpectedly.

When to Consider Microsoft Sentinel

• Smaller Tenants: For small or budget-constrained tenants that simply need extended log retention, Log Analytics alone is sufficient.
• Larger Organizations: If you require robust SIEM capabilities, advanced threat hunting, and automated playbooks, Microsoft Sentinel (formerly Azure Sentinel) might be the better choice. However, it introduces additional licensing costs (beyond the basic ingestion fees).

Pro Tips: Querying Logs with KQL

Final Thoughts

Short retention periods can leave you blind to critical security incidents. By exporting your Entra audit and sign-in logs to a Log Analytics Workspace, you can extend your retention up to two years—helping you investigate incidents, meet compliance needs, and gain deeper visibility into your environment.

If you already use a third-party SIEM or other log management/ingestion tool (Huntress, Blackpoint, RedCanary), Microsoft’s built-in solution is still worth knowing about. It offers a cost-effective, integrated path to longer data retention and robust log analysis.