When you stream Azure AD logs to an Azure Log Analytics workspace, you might just do it to get an alert to notify when an additional person is assigned the Azure AD Global Administrator role or when an Azure AD emergency access account is used. For these purposes, the default retention period for an Azure Log Analytics workspace suffices. However, you might want to change the retention period for the Azure Log Analytics workspace, when you want to perform analytics on a larger timeframe, when you want to limit your spend or when you want to adhere to privacy regulations.

In this blogpost, I’ll show you how to set the retention period for the Azure Log Analytics Workspace where you stream Azure AD logs to.

Assumptions

For the purpose of this blogpost, I’ll make the following assumptions:

• You have an Azure Log Analytics workspace.
• You know the Azure Log Analytics billing structure, and how spend is probably not an issue when your organization counts 300 persons or less.
• Your Azure Log Analytics workspace is configured with the default 30-day retention period.

How to configure the Retention Period

Perform these actions to set the Retention Period for the Azure Log Analytics workspace:

• Sign into the Azure Portal with an account that has Global administrator privileges and is assigned an Azure AD Premium license.
• In the Azure portal, click All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces from the list.
• Select the Azure Log Analytics workspace you want to set the Retention Period for.
  The Log Analytics workspace pane opens.
• In the menu on the left of the pane, choose Usage and estimated costs.
• At the top of the main pane, click Data Retention.
  The Data Retention blade opens.
• Select an appropriate retention period using the slider, up to 730 days (2 years).
• Click OK.
  The Data Retention blade closes.
• Sign out of the Azure Portal and/or close the browser.

Concluding

Using Azure Log Analytics with optimal settings helps organization to gain visibility, reduce cost, ensure privacy and meet regulatory compliance. Data retention is a key setting. Set it wisely.

Further reading

Calculating your Azure Log Analytics bill when you stream your Azure AD logs to it
TODO: Stream additional logs from Azure AD for optimal visibility
Getting to know the devices that people in your organization use App Passwords on
HOWTO: Set an alert to notify when an additional person is assigned the Azure AD Global Administrator role
HOWTO: Set an alert to notify when an Azure AD emergency access account is used
Getting Started with Azure Monitor Workbooks for Azure Active Directory