I know that managing identity securely, providing least needed access, etc. are important, but another critical best practice is having audit logs which cannot be modified, deleted or disabled even by highly privileged users.
How to ensure this in Microsoft Azure? I know the Activity Log is there, but I couldn't find what the retention period is or whether it's protected from deletion. The docs recommend creating a diagnostic setting to send it either to Log Analytics or a Storage Account, but these can be disabled/deleted by highly privileged accounts.