Configure Essential Eight MFA sign in logs

Maturity Level 1

Maturity level 1 doesn't require logging to be implemented. However, Microsoft Entra ID provides automatic logging of sign in and audit logs ranging from 7 to 30 days depending on the license. See How long does Microsoft Entra ID store reporting data?.

Microsoft recommendation: Enable exporting and long-term archival of audit and sign-in logs. See the next for details.

Maturity Levels 2 & 3

The out of the box Microsoft Entra configuration is sufficient to meet the event logging requirements for maturity levels 2 & 3. Microsoft recommends enabling exporting and long-term archival of audit and sign-in logs.

Follow this guide to enable archiving of Microsoft Entra logs:

• Tutorial - Archive directory logs to a storage account

In addition to enabling logging, maturity levels 2 & 3 require active monitoring and investigation of cyber security events identified in the logs.

Microsoft Entra Identity Protection capability allows organizations to automate the detection and remediation of identity based risks. ID Protection frees up security operations teams and provides them with a strong signal to noise ratio to investigate.

Follow these guides to enable Identity Protection conditional access policies:

• Sign-in risk-based Conditional Access - Microsoft Entra
• User risk-based Conditional Access - Microsoft Entra