Domain 4 of 4 · Chapter 4 of 4

Identity Monitoring

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.

Included in this chapter:

  • The three Entra activity logs and what each answers
  • Default retention and why you export logs
  • Diagnostic settings: the export pipeline and its destinations
  • Querying Entra logs with KQL in Log Analytics
  • Workbooks, reporting, and Identity Secure Score

Diagnostic destination by purpose

PropertyLog Analytics workspaceAzure Storage accountAzure event hub
Primary purposeAnalyze and alertLong-term archiveStream to external SIEM
Query with KQLYes (Kusto)No (raw blobs)No (consumer reads stream)
Workbooks and log alertsYesNoNo
RetentionConfigurable per tableIndefinite, supports immutabilityShort buffer, consumer persists
Relative costHigher (ingestion + query)Lowest per GBPer throughput unit
Typical useKQL hunting, dashboards, alertsCompliance, audit retentionSplunk/QRadar/Sentinel ingest

Decision tree

Query with KQL,workbooks, or alerts?Log Analytics workspaceonly KQL-queryable targetYesStream to anon-Microsoft SIEM?NoAzure event hubSplunk / QRadar ingestYesCheap archive pastthe 30-day window?NoAzure Storage accountstandard only, immutableYesRead in-portal7-day Free / 30-day P1-P2No

Cheat sheet

  • Match the log to the verb: change, sign-in, or provision
  • Sign-in logs split into four sign-in types
  • Provisioning logs show per-object created, skipped, or failed
  • Default log retention is 7 days Free, 30 days P1 and P2
  • Risky sign-ins retention is the field that stretches to 90 days on P2
  • Retention changes are not retroactive
  • Long-term retention and KQL both require routing to Log Analytics or storage
  • A diagnostic setting routes log categories to an external destination
  • Choose Log Analytics when you need to analyze or alert
  • Choose a storage account for cheap, indefinite archive
  • Choose an event hub to stream to a non-Microsoft SIEM
  • Each Entra resource allows at most five diagnostic settings
  • Entra logs become KQL tables named for their category
  • Filter sign-in success on ResultType where 0 is success
  • A log-search alert is a scheduled KQL query plus an action group
  • Workbooks need logs already routed to Log Analytics
  • Identity Secure Score is a posture percentage refreshed every 24 hours
  • Secure Score actions are scored binary or proportionally
  • Reading Identity Secure Score needs at least Global Reader
  • Secure Score measures adoption, not breach probability
  • Entra audit logs are separate from the Microsoft 365 unified audit log
  • A diagnostic setting's destination must already exist before you create the setting

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/overview-monitoring-health
  2. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs
  3. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins
  4. https://learn.microsoft.com/en-us/entra/identity/app-provisioning/concept-provisioning-logs
  5. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-reports-data-retention
  6. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-diagnostic-settings-logs-options
  7. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-analyze-activity-logs-log-analytics
  8. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-use-workbooks
  9. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score