Audit Logs
Entra ID generates sign-in logs and directory audit logs that Mission Control scrapes as access logs. There are three approaches depending on your infrastructure and latency requirements.
Required Permissions
All approaches require:
- Entra ID P1 or P2 license — Hard requirement from Microsoft. Free-tier tenants do not generate sign-in logs at all.
These are in addition to the base permissions (User.Read.All, Group.Read.All, etc.) needed by the Entra ID scraper.
Approach Comparison
| | HTTP + MS Graph | Logs Scraper | Event Hub |
|---|---|---|---|
| Latency | Minutes (polling) | Minutes | Seconds |
| Setup | Low | Medium | High |
| Permissions | AuditLog.Read.All | Azure Diagnostic Settings | Azure Diagnostic Settings + Event Hub |
| Best For | Direct API access, simplest setup | Logs already forwarded to a backend | Real-time, high volume |
| Pagination | Manual ($top, $filter) | Handled by backend | N/A (streaming) |
| Infrastructure | None extra | Log backend (OpenSearch, Loki, etc.) | Event Hub + bridge consumer |
Latency and Retention
Log Availability Delay
Entra ID logs are not available immediately after the event occurs:
| Log Category | Typical Delay |
|---|---|
| Interactive sign-ins | 5 – 15 minutes |
| Non-interactive sign-ins | 15 – 30 minutes |
| Directory audit logs | 5 – 15 minutes |
Set your scraper schedule to at least @every 15m to avoid missing events due to delay.
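For the HTTP + MS Graph approach, one way to keep late-arriving events from falling between polls is to overlap each query window by the worst-case delay and de-duplicate on the event `id`, following `@odata.nextLink` for pagination. This is an added example, not Mission Control's own code; `LOOKBACK`, `fetch`, `build_url`, `poll` and `demo` are assumptions made here, and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
# Assumption: overlap equals the worst-case delay in the table above (30 minutes).
LOOKBACK = timedelta(minutes=30)


def build_url(last_poll, page_size=100):
    """First-page URL whose $filter starts LOOKBACK before the previous poll."""
    since = (last_poll.astimezone(timezone.utc) - LOOKBACK).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"$filter": f"createdDateTime ge {since}", "$top": page_size}
    return GRAPH_SIGNINS + "?" + urlencode(params, safe="$:", quote_via=quote)


def poll(fetch, last_poll, seen_ids):
    """Follow @odata.nextLink to the last page; return events not seen before.

    fetch(url) -> dict is a hypothetical injected helper that performs the
    authenticated GET, so token handling stays outside this example.
    """
    url, fresh = build_url(last_poll), []
    while url:
        page = fetch(url)
        for event in page.get("value", []):
            if event["id"] not in seen_ids:  # the overlap re-reads old events
                seen_ids.add(event["id"])
                fresh.append(event)
        url = page.get("@odata.nextLink")
    return fresh


def demo():
    """Constructed data: 'b' (created 11:55) only surfaces after the 12:00 poll."""
    a = {"id": "a", "createdDateTime": "2024-05-01T11:50:00Z"}
    b = {"id": "b", "createdDateTime": "2024-05-01T11:55:00Z"}
    noon = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    seen = set()
    first = poll(lambda url: {"value": [a]}, noon - timedelta(minutes=15), seen)
    # Without LOOKBACK this poll would filter "ge 12:00" and never return 'b'.
    second = poll(lambda url: {"value": [a, b]}, noon, seen)
    return [e["id"] for e in first], [e["id"] for e in second]


if __name__ == "__main__":
    print(build_url(datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)))
    print(demo())  # (['a'], ['b'])
```

In a long-running scraper, `seen_ids` should be pruned of entries older than the overlap window so it does not grow without bound.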
Retention by License
| License Tier | Retention Period |
|---|---|
| Free / Office 365 | 7 days |
| Entra ID P1 / P2 | 30 days |
For longer retention, export logs via Azure Monitor Diagnostic Settings to a log backend and use the Logs scraper approach.