| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.component | ms.date | ms.author | ms.reviewer |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Troubleshoot Missing data in the Azure Active Directory activity logs | Microsoft Docs |
Provides you with a resolution to missing data in Azure Active Directory activity logs. |
active-directory |
priyamohanram |
mtillman |
7cbe4337-bb77-4ee0-b254-3e368be06db7 |
active-directory |
na |
get-started-article |
na |
identity |
report-monitor |
01/15/2018 |
priyamo |
dhanyahk |
I performed some actions in the Azure portal and expected to see the audit logs for those actions in the Activity logs > Audit Logs blade, but I can’t find them.
Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.
| Report | Latency (P95) | Latency (P99) | |
|---|---|---|---|
| Directory audit | 2 mins | 5 mins | |
| Sign-in activity | 2 mins | 5 mins |
Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.
I recently signed into the Azure portal and expected to see the sign-in logs for those actions in the Activity logs > Sign-ins blade, but I can’t find them.
Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.
| Report | Latency (P95) | Latency (P99) | |
|---|---|---|---|
| Directory audit | 2 mins | 5 mins | |
| Sign-in activity | 2 mins | 5 mins |
Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.
I can't view more than 30 days of sign-in and audit data from the Azure portal. Why?
Depending on your license, Azure Active Directory Actions stores activity reports for the following durations:
| Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 | |
|---|---|---|---|---|
| Directory Audit | 7 days | 30 days | 30 days | |
| Sign-in Activity | Not available. You can access your own sign-ins for 7 days from the individual user profile blade | 30 days | 30 days |
For more information, see Azure Active Directory report retention policies.
You have two options to retain the data for longer than 30 days. You can use the Azure AD Reporting APIs to retrieve the data programmatically and store it in a database. Alternatively, you can integrate audit logs into a third party SIEM system like Splunk or SumoLogic.