🛡️ Microsoft Entra ID Diagnostic Setting does not capture Microsoft Entra activity logs🟢⚪

  • Contextual name: 🛡️ Diagnostic Setting does not capture Microsoft Entra activity logs🟢⚪
  • ID: /ce/ca/azure/microsoft-entra-id/send-activity-logs
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Ensure that a Microsoft Entra diagnostic setting is configured to send Microsoft Entra activity logs to a suitable destination, such as a Log Analytics workspace, storage account, or event hub. This enables centralized monitoring and analysis of Microsoft Entra activity logs.

Rationale

Microsoft Entra activity logs enable you to assess many aspects of your Microsoft Entra tenant. Configuring diagnostic settings in Microsoft Entra ensures these logs are collected and sent to an appropriate destination for monitoring, analysis, and retention.

Impact

To export sign-in data, your organization needs an Azure AD P1 or P2 license.

The amount of data logged and, thus, the cost incurred can vary significantly depending on the tenant size.

See the following pricing calculations for respective services:

... see more

Remediation

From Azure Portal

  1. Go to Microsoft Entra ID.

  2. Under Monitoring, click Diagnostic settings.

  3. Click + Add diagnostic setting.

  4. Provide a Diagnostic setting name.

  5. Under Logs > Categories, check the box next to each of the following logs:

    • AuditLogs
    • SignInLogs
    • NonInteractiveUserSignInLogs
    • ServicePrincipalSignInLogs
    • ManagedIdentitySignInLogs
    • ProvisioningLogs
    • ADFSSignInLogs
    • RiskyUsers
    • UserRiskEvents
    • NetworkAccessTrafficLogs
    • RiskyServicePrincipals
    • ServicePrincipalRiskEvents
    • EnrichedOffice365AuditLogs
    • MicrosoftGraphActivityLogs
    • RemoteNetworkHealthLogs
    • NetworkAccessAlerts

  6. Configure an appropriate destination for the logs.

  7. Click Save.
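To verify the result of the steps above, the following added example (not part of the policy or of any vendor tooling) checks an exported list of Entra diagnostic settings for step 5 categories that are not enabled in a setting with a destination. The JSON shape and the destination property names are assumptions modelled on the ARM `microsoft.aadiam/diagnosticSettings` list response; the sample document is constructed, and treating all 16 categories as required is an assumption taken from step 5.

```python
import json

# Categories from remediation step 5 on this page.
REQUIRED = {
    "AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs",
    "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs",
    "ProvisioningLogs", "ADFSSignInLogs", "RiskyUsers", "UserRiskEvents",
    "NetworkAccessTrafficLogs", "RiskyServicePrincipals",
    "ServicePrincipalRiskEvents", "EnrichedOffice365AuditLogs",
    "MicrosoftGraphActivityLogs", "RemoteNetworkHealthLogs",
    "NetworkAccessAlerts",
}
# Assumed property names for the three destination types (Log Analytics
# workspace, storage account, event hub) in the exported JSON.
DEST_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def missing_categories(settings_doc):
    """Return required categories not enabled in any setting that has a destination."""
    covered = set()
    for setting in settings_doc.get("value", []):
        props = setting.get("properties", {})
        if not any(props.get(key) for key in DEST_KEYS):
            continue  # categories enabled without a destination do not count
        for log in props.get("logs", []):
            if log.get("enabled") is True:
                covered.add(log.get("category"))
    return sorted(REQUIRED - covered)


# Constructed sample: one setting with a workspace but only two categories
# enabled, and one setting with a category enabled but no destination.
SAMPLE = json.loads("""
{"value": [
  {"name": "entra-to-workspace", "properties": {
     "workspaceId": "<placeholder-workspace-resource-id>",
     "logs": [{"category": "AuditLogs", "enabled": true},
              {"category": "SignInLogs", "enabled": true},
              {"category": "RiskyUsers", "enabled": false}]}},
  {"name": "no-destination", "properties": {
     "logs": [{"category": "ProvisioningLogs", "enabled": true}]}}
]}
""")

if __name__ == "__main__":
    gaps = missing_categories(SAMPLE)
    print("COMPLIANT" if not gaps else "MISSING: " + ", ".join(gaps))
```
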

Linked Framework Sections

Section  Sub Sections  Internal Rules  Policies  Flags  Compliance
💼 CIS Azure v4.0.0 → 💼 7.1.1.9 Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination (Manual)  1  no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration  60  no data