Understanding the data processing, storage, and retention policies of Microsoft's Azure Active Directory (Azure AD) is critical to maintaining business continuity.

Azure AD serves a single source of truth that affects regulatory compliance, data security, cost management, and user privacy. As the single point of entry to a plethora of Microsoft services and applications, it helps make sure organizations stay within legal boundaries, fortifies data protection, optimizes resource usage, and respects user data rights.

In this guide to Azure AD data retention, let's explore the different ways that data is collected, stored, processed, and retained across the active directory platform. We'll talk about the types of data retained, different retention periods across services, and ways to configure and customize data retention in Azure AD. Let's begin.

This article covers:

• Types of Data Retained in Azure AD, now Entra
• Azure Active Directory Data Retention Periods
• How to Configure the Azure AD Retention Policy
• Automate Azure AD Data Retention with CoreView

Types of Data Retained in Azure AD, now Entra

Azure Active Directory (Azure AD) retains several types of data, each serving a specific purpose and playing a crucial role in the overall functioning and security of the system. These include:

Sign-in Data

This refers to the data generated when a user signs into an application using Azure AD. It includes information such as the user's ID, the application they signed into, the time of sign-in, the IP address from which the sign-in originated, and whether the sign-in was successful or not. This data is crucial for monitoring user activity, identifying potential security threats (like repeated failed sign-in attempts which could indicate a brute force attack), and troubleshooting issues related to user access.

Example:

• User ID: The unique identifier for the user who signed in.
• Application: The name or ID of the application that the user signed into.
• Timestamp: The date and time of the sign-in event.
• IP Address: The IP address from where the sign-in originated.
• Sign-in Status: Whether the sign-in was successful or not.
• Device Information: Details about the device used for sign-in, such as device ID, operating system, and browser.
• Location: The geographical location from where the sign-in originated.

Audit Data

This is a record of system activity within Azure AD. It includes changes made in the Azure AD service, such as adding or removing users, changing user roles, modifying application settings, etc. Audit data is essential for tracking changes, maintaining compliance, and investigating incidents. For instance, if a user is granted elevated privileges and this leads to a security incident, the audit logs can help identify when and how the change in privileges occurred.

Example:

• Operation Type: The type of operation performed, such as user creation, role assignment, or password reset.
• Operation Date/Time: When the operation was performed.
• Target: The object on which the operation was performed, such as a user or a group.
• Actor: The user or system process that performed the operation.
• Status: Whether the operation was successful or not.

Operational Data

This includes data about the operation and performance of Azure AD itself, such as service usage statistics, performance metrics, and error logs. Operational data helps in monitoring the health and performance of Azure AD, identifying potential issues, and optimizing the service for better performance and reliability.

Example:

• Service Usage: Metrics related to how much the service is being used, such as the number of active users or sign-in frequency.
• Performance Metrics: Data related to the performance of the service, such as response times or availability.
• Error Logs: Records of any errors or issues that occurred within the service.

Azure Active Directory Data Retention Periods

Azure Active Directory (Azure AD) has default retention periods for different types of data:

1. Sign-in Data: By default, Azure AD retains sign-in data for 30 days.
2. Audit Data: Audit data is also retained for 30 days by default.
3. Operational Data: Operational data is retained for a shorter period, typically 7 days.

These default retention periods are designed to balance the need for historical data with the practical considerations of data storage. However, in many cases, organizations may need to retain data for longer periods, either for compliance reasons or for more in-depth analysis and reporting.

To accommodate these needs, Microsoft offers the ability to extend the retention periods for sign-in and audit data with an Azure AD Premium P1 or P2 license. With these licenses, organizations can retain sign-in and audit data for up to 365 days. This extended retention period applies to all data in the tenant and cannot be set for individual users or groups.

It's important to note that extending the retention period may increase the costs associated with Azure AD, as pricing is often based on the volume of data stored and the length of time it's retained. Therefore, organizations should consider their specific needs and regulatory requirements when deciding on the appropriate retention period.

How to Configure the Azure AD Retention Policy

Azure AD uses Azure Monitor Logs to help manage data retention and archiving policies. With Azure Monitor Logs, each workspace has a default retention policy applied to all tables, but individual tables can have their own different policy. This allows for maximum flexibility in data retention and archiving. Let's take a look at a step-by-step guide to configuring data retention and archiving policies in Azure AD using Azure Monitor Logs.

• Access your Azure Monitor Logs workspace in the Azure Portal.
• Under Services, select the tables you'd like to configure the retention and archiving policy for. Each table includes a default retention and archiving policy, which can be adjusted using the default policy toggle.
• With the default policy toggle, you can choose between the workspace's default policy and a custom policy for the specified table. If you'd like to use the workspace default policy, you can leave the policy toggle on the default setting.
• To create a custom policy, click on the toggle to activate the custom policy and adjust the retention period. For archiving, select the radio buttons to archive either a daily or a weekly log or select None if you don't want to create an archive.
• Once you've configured the retention policy and archiving settings, click Save to apply the selected policy.

With the custom policy applied, all data collected will be available for monitoring, troubleshooting, and analytics during the interactive retention period. This data will also be archived for compliance or occasional investigation. It's important to note that archiving is not the same as backing up. Once the data is archived, it's immutable, meaning that it can't be modified or changed later.

Automate Azure AD Data Retention with CoreView

CoreView Configuration Manager is a dynamic tool that provides automated Microsoft Office 365 configurations, including automated data retention for Azure Active Directory (Azure AD). It simplifies the management of data retention policies, thereby ensuring compliance and consistency across multiple tenants.

One of the key features of Configuration Manager is its capability to back up and restore a wide variety of Azure AD configuration settings. This includes app registrations, company branding, and custom settings. With CoreView Configuration Manager, IT teams can benefit from comprehensive backups of various Azure AD components.

CoreView ensures that each time a team member makes changes to your Azure AD tenant, a backup of all your Azure AD settings and policies is stored automatically. It also generates a detailed log each time it does this, for compliance. Additionally, CoreView provides scheduled automated backups at regular intervals. This feature eliminates the need for manual periodic backups, allowing system administrators to focus on more critical tasks.

CoreView Configuration Manager is the only premium no-code solution that automates regular backup, compliance monitoring, and multi-tenant management for not just Azure AD, but a host of other applications and services in Microsoft 365. Want to learn more about how CoreView can help your IT team simplify Azure AD data management? Sign up for a free demo, today!