How To: Export risk data
Microsoft Entra ID stores reports and security signals for a defined period of time. When it comes to risk information, that period might not be long enough.
Report / Signal | Microsoft Entra ID Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 |
---|---|---|---|
Audit logs | 7 days | 30 days | 30 days |
Sign-ins | 7 days | 30 days | 30 days |
Microsoft Entra multifactor authentication usage | 30 days | 30 days | 30 days |
Risky sign-ins | 7 days | 30 days | 30 days |
This article describes the available methods for exporting risk data from Microsoft Entra ID Protection for long-term storage and analysis.
To export risk data for storage and analysis, you need:
- An Azure subscription to create a Log Analytics workspace, Azure event hub, or Azure storage account. If you don't have an Azure subscription, you can sign up for a free trial.
- Security Administrator access to create general diagnostic settings for the Microsoft Entra tenant.
Organizations can choose to store or export RiskyUsers, UserRiskEvents, RiskyServicePrincipals, and ServicePrincipalRiskEvents data by configuring diagnostic settings in Microsoft Entra ID to export the data. You can integrate the data with a Log Analytics workspace, archive data to a storage account, stream data to an event hub, or send data to a partner solution.
The endpoint you select for exporting the logs must be set up before you can configure diagnostic settings. For a quick summary of the methods available for log storage and analysis, see How to access activity logs in Microsoft Entra ID.
Sign in to the Microsoft Entra admin center as at least a Security Administrator.
Browse to Identity > Monitoring & health > Diagnostic settings.
Select + Add diagnostic setting.
Enter a Diagnostic setting name, select the log categories that you want to stream, select a previously configured destination, and select Save.
You might need to wait around 15 minutes for the data to start appearing in the destination you selected. For more information, see How to configure Microsoft Entra diagnostic settings.
Integrating risk data with Log Analytics provides robust data analysis and visualization capabilities. The high-level process for using Log Analytics to analyze risk data is as follows:
- Create a Log Analytics workspace.
- Configure Microsoft Entra diagnostic settings to export the data.
- Query the data in Log Analytics.
You need to configure a Log Analytics workspace before you can export and then query the data. Once you configured a Log Analytics workspace and exported the data with diagnostic settings, go to Microsoft Entra admin center > Identity > Monitoring & health > Log Analytics. Then, with Log Analytics, you can query data using built-in or custom Kusto queries.
The following tables are of most interest to Microsoft Entra ID Protection administrators:
- RiskyUsers - Provides data like the Risky users report.
- UserRiskEvents - Provides data like the Risk detections report.
- RiskyServicePrincipals - Provides data like the Risky workload identities report.
- ServicePrincipalRiskEvents - Provides data like the Workload identity detections report.
Note
Log Analytics only has visibility into data as it is streamed. Events prior to enabling the sending of events from Microsoft Entra ID do not appear.
In the previous image, the following query was run to show the most recent five risk detections triggered.
AADUserRiskEvents
| take 5
Another option is to query the AADRiskyUsers table to see all risky users.
AADRiskyUsers
View the count of high risk users by day:
AADUserRiskEvents
| where TimeGenerated > ago(30d)
| where RiskLevel has "high"
| summarize count() by bin (TimeGenerated, 1d)
View helpful investigation details, such as user agent string, for detections that are high risk and aren't remediated or dismissed:
AADUserRiskEvents
| where RiskLevel has "high"
| where RiskState has "atRisk"
| mv-expand ParsedFields = parse_json(AdditionalInfo)
| where ParsedFields has "userAgent"
| extend UserAgent = ParsedFields.Value
| project TimeGenerated, UserDisplayName, Activity, RiskLevel, RiskState, RiskEventType, UserAgent,RequestId
Access more queries and visual insights based on AADUserRiskEvents and AADRisky Users logs in the Impact analysis of risk-based access policies workbook.
By routing logs to an Azure storage account, you can keep data for longer than the default retention period.
Azure Event Hubs can look at incoming data from sources like Microsoft Entra ID Protection and provide real-time analysis and correlation.
Organizations can choose to connect Microsoft Entra data to Microsoft Sentinel for security information and event management (SIEM) and security orchestration, automation, and response (SOAR).