📝 Microsoft Entra ID Diagnostic Setting does not capture Microsoft Entra activity logs 🟢

• Contextual name: 📝 Diagnostic Setting does not capture Microsoft Entra activity logs 🟢
• ID: /ce/ca/azure/microsoft-entra-id/send-activity-logs
• Located in: 📁 Microsoft Entra ID

Flags

• 🟢 Impossible policy
• 🟢 Policy with categories
• 🟢 Policy with type

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Description

Open File

Description

Ensure that a Microsoft Entra diagnostic setting is configured to send Microsoft Entra activity logs to a suitable destination, such as a Log Analytics workspace, storage account, or event hub. This enables centralized monitoring and analysis of Microsoft Entra activity logs.

Rationale

Microsoft Entra activity logs enables you to assess many aspects of your Microsoft Entra tenant. Configuring diagnostic settings in Microsoft Entra ensures these logs are collected and sent to an appropriate destination for monitoring, analysis, and retention.

Impact

To export sign-in data, your organization needs an Azure AD P1 or P2 license.

The amount of data logged and, thus, the cost incurred can vary significantly depending on the tenant size.

See the following pricing calculations for respective services:

• Log Analytics: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs#pricing-model
• Azure Storage: https://azure.microsoft.com/en-gb/pricing/details/storage/blobs/
• Event Hubs: https://azure.microsoft.com/en-gb/pricing/details/event-hubs/

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Go to Microsoft Entra ID.

2. Under Monitoring, click Diagnostic settings.

3. Click + Add diagnostic setting.

4. Provide a Diagnostic setting name.

5. Under Logs > Categories, check the box next to each of the following logs:

   • AuditLogs
   • SignInLogs
   • NonInteractiveUserSignInLogs
   • ServicePrincipalSignInLogs
   • ManagedIdentitySignInLogs
   • ProvisioningLogs
   • ADFSSignInLogs
   • RiskyUsers
   • UserRiskEvents
   • NetworkAccessTrafficLogs
   • RiskyServicePrincipals
   • ServicePrincipalRiskEvents
   • EnrichedOffice365AuditLogs
   • MicrosoftGraphActivityLogs
   • RemoteNetworkHealthLogs
   • NetworkAccessAlerts

6. Configure an appropriate destination for the logs.

7. Click Save.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS Azure v4.0.0 → 💼 7.1.1.9 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination (Manual)			1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			59