Microsoft Entra ID stores reports and security signals for a defined period of time. When it comes to risk information, that period might not be long enough.
| Report / Signal | Microsoft Entra ID Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 |
|---|---|---|---|
| Audit logs | 7 days | 30 days | 30 days |
| Sign-ins | 7 days | 30 days | 30 days |
| Microsoft Entra multifactor authentication usage | 30 days | 30 days | 30 days |
| Risky sign-ins | 7 days | 30 days | 30 days |
This article describes the available methods for exporting risk data from Microsoft Entra ID Protection for long-term storage and analysis.
Prerequisites
To export risk data for storage and analysis, you need:
An Azure subscription to create a Log Analytics workspace, Azure event hub, or Azure storage account. If you don't have an Azure subscription, you can sign up for a free trial.
Security Administrator access to create general diagnostic settings for the Microsoft Entra tenant.
Diagnostic settings
Organizations can store or export RiskyUsers, UserRiskEvents, RiskyServicePrincipals, and ServicePrincipalRiskEvents data by configuring diagnostic settings in Microsoft Entra ID. The data can be integrated with a Log Analytics workspace, archived to a storage account, streamed to an event hub, or sent to a partner solution.
The endpoint you select for exporting the logs must be set up before you can configure diagnostic settings. For a quick summary of the methods available for log storage and analysis, see How to access activity logs in Microsoft Entra ID.
Integrating risk data with Log Analytics provides robust data analysis and visualization capabilities. The high-level process for using Log Analytics to analyze risk data is as follows:
You need to configure a Log Analytics workspace before you can export and then query the data. Once you have configured a Log Analytics workspace and exported the data with diagnostic settings, go to Microsoft Entra admin center > Identity > Monitoring & health > Log Analytics. There you can query the data using built-in or custom Kusto queries.
The following tables are of most interest to Microsoft Entra ID Protection administrators:
RiskyUsers - Provides data like the Risky users report.
UserRiskEvents - Provides data like the Risk detections report.
RiskyServicePrincipals - Provides data like the Risky workload identities report.
ServicePrincipalRiskEvents - Provides data like the Workload identity detections report.
Note
Log Analytics only has visibility into data as it is streamed. Events prior to enabling the sending of events from Microsoft Entra ID do not appear.
Sample queries
The query shown in the previous image returns the five most recent risk detections triggered:

```kusto
// Return the five most recent user risk detections
AADUserRiskEvents
| take 5
```
Another option is to query the AADRiskyUsers table to see all risky users:

```kusto
AADRiskyUsers
```
View the count of high risk detections by day:

```kusto
// Count high-risk detections from the last 30 days, bucketed per day
AADUserRiskEvents
| where TimeGenerated > ago(30d)
| where RiskLevel has "high"
| summarize count() by bin(TimeGenerated, 1d)
```
View helpful investigation details, such as the user agent string, for detections that are high risk and aren't remediated or dismissed:

```kusto
AADUserRiskEvents
| where RiskLevel has "high"
| where RiskState has "atRisk"
// AdditionalInfo is a dynamic array of {Key, Value} pairs; expand it one pair per row
| mv-expand ParsedFields = parse_json(AdditionalInfo)
| where ParsedFields has "userAgent"
| extend UserAgent = ParsedFields.Value
| project TimeGenerated, UserDisplayName, Activity, RiskLevel, RiskState, RiskEventType, UserAgent, RequestId
```
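Building on the queries above, the following is an added example (not from the original article) that joins the current risk state of each user from AADRiskyUsers with detection counts from AADUserRiskEvents to produce a triage list; it assumes the UserPrincipalName, IpAddress and RiskLastUpdatedDateTime columns exist in those tables.

```kusto
// AADRiskyUsers gets a new row each time a user's risk state changes, so keep
// only the latest row per user to get the current state (assumed column: UserPrincipalName)
let CurrentRisk =
    AADRiskyUsers
    | summarize arg_max(TimeGenerated, *) by UserPrincipalName
    | where RiskState has "atRisk" and RiskLevel has "high";
// Detections from the last 30 days, rolled up per user and detection type
// (assumed column: IpAddress)
let RecentDetections =
    AADUserRiskEvents
    | where TimeGenerated > ago(30d)
    | summarize DetectionCount = count(),
                LastDetection = max(TimeGenerated),
                DistinctIPs = dcount(IpAddress)
      by UserPrincipalName, RiskEventType;
// Only users still at high risk appear; users already remediated or dismissed are dropped
CurrentRisk
| join kind=inner RecentDetections on UserPrincipalName
| project UserPrincipalName, UserDisplayName, RiskLevel, RiskState, RiskLastUpdatedDateTime,
          RiskEventType, DetectionCount, DistinctIPs, LastDetection
| order by DetectionCount desc, LastDetection desc
```

Because Log Analytics only holds events streamed after diagnostic settings were enabled, a user whose risk state predates the export will not appear in CurrentRisk until their state changes again.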