A number of log sources are available in Azure, that can be useful for
incident response purposes:
| Source | Description | History | Mechanism used |
|---|---|---|---|
Office 365 Unified Audit Logs |
All Office 365 logs (including Azure AD logs with a more limited level of information). Entries are stored in UTC+0. There can be a delay of around 30min for logs to be available in UAL and up to 24 hours for AAD logs (and Power Automate, Power Apps, and Yammer logs). As of October 2021, Audit Logs are by default turned on for newly created tenants. |
180 days since October 17, 2023, 90 days before (by default). 1 year for users assigned a E5 license. |
Exchange online PowerShell |
Mailbox Audit Log |
Logs certain actions performed on mailboxes by mailbox owners, delegates, and admins. For instance, log entries can be generated upon mail data access, email deletion or sending, etc. As of January 2019, mailbox audit logs should be turned on by default for newly created tenants. As stated in the Microsoft documentation, the mailbox audit logs are reliably sent to the Office 365 Unified Audit Logs only for users with E5/A5/G5 licenses or mailboxes with mailbox audit logs explicitly enabled (even if mailbox audit logs is implicitly enabled by default for every mailboxes). Events for users with non E5 licenses or mailbox audit logs not explicitly enabled should generally be sent to the Office 365 Unified Audit Logs but may not depending on performance reason. A predefined set of mailbox actions are audited by default for each logon type ( Admin, Delegate, and Owner). The list of actions logged by default can be found in the official Exchange documentation. Note that while mailbox auditing cannot be disabled for a specific mailbox if mailbox auditing is enabled tenant-wide, mailbox audit logging can still be bypassed by defined users. In such circumstances, mailbox Owner actions as well as Delegate (i.e on other users’ mailboxes) and Admin actions performed by the bypassed users aren’t logged. Mailbox logon types: - Owner: access by the mailbox owner. - Delegate: access by another user being granted SendAs, SendOnBehalf, or FullAccess (access to everything but not the right to send mails) permission to the mailbox. - Admin: mailbox is searched with a Microsoft eDiscovery tool or with the Microsoft Exchange Server MAPI Editor. MailItemsAccessed mail access events will only be available with a E5 license. Unofficially, a single E5 license in the tenant is sufficient to generate the events for all users, even retroactively populating events for the retention period. |
90 days | Exchange Online PowerShell |
Azure AD sign-ins logs |
Logs Azure AD sign-ins and resources usage. Entries are stored in UTC+0. |
7 days by default. 30 days for Microsoft Entra ID P1 / P2. |
MS Graph API |
Azure AD audit logs |
Logs changes applied to the Azure AD tenant, such as users or group management and updates. Entries are stored in UTC+0. |
7 days by default. 30 days for Microsoft Entra ID P1 / P2. |
MS Graph API |
Azure Activity logs |
Logs activity in an Azure subscription, such as resource modification, virtual machine creation and start, etc. | 30 days | Azure Monitor RESTAPI |
Azure DevOps Activity logs |
Logs operations in the Azure DevOps organization(s), such as operations on resources, permissions changes, etc. | 90 days | Azure DevOps services RESTAPI |
View on GitHub