
Demystifying Log Retention in Azure

  • Writer: Shannon

Oftentimes I think the idea is not to confuse, but when you sort of pile on all the different services in Azure, some of the details get muddy, and quickly. One of the areas that even I have a hard time remembering is log types and their corresponding retention in Azure. Rather than get myself all confused over and over again (or misremember the links to use as a reference), I thought I'd create a blog post as a future reference. Hopefully it helps you, because it for sure will help me!


Let's be real: Logs in Azure are everywhere. They show you who did what, when it happened, and whether it worked the way you expected. They are your breadcrumb trail for troubleshooting, compliance, and security. They can also be a FinOps nightmare if you let them stack up without a plan.


The challenge is that not all logs are the same. Azure has different categories of logs, and each one comes with its own defaults, retention knobs, and costs. Let’s walk through them one by one, highlight the retention rules, and point you to the right Microsoft docs so you know exactly where this information lives.


Activity Logs

The Azure Activity Log tracks control-plane operations like creating, updating, or deleting resources.

  • Default retention: 90 days, free.

  • Extended retention: Export to a Log Analytics workspace, Event Hubs, or Storage for longer. Once exported, retention follows the target service.

  • Docs: Activity Log retention


Resource Logs (Diagnostic Logs)

Resource Logs capture what happens inside a resource. These are the data-plane logs, like Key Vault access, Storage requests, or SQL queries.

  • Default retention: None until you enable them.

  • Extended retention: Once enabled, you can route them to Log Analytics, Storage, or Event Hubs. Retention is managed at the destination.

  • Docs: Configure resource log retention


Log Analytics (Azure Monitor Logs)

Log Analytics is the central store for monitoring data. Activity Logs, Resource Logs, and telemetry often end up here.

  • Default retention: 30 days for most tables, 90 days for some like AzureActivity and Usage.

  • Extended retention: Analytics data can be kept up to 730 days (2 years). Archive retention can stretch to 12 years through the portal/API (7 years with CLI/PowerShell).

  • Safety net: Reducing retention gives you a 30-day buffer before data is deleted.

  • Docs: Configure retention in Log Analytics
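
An added example, not from the original post: a small Python audit that compares each table's interactive and total retention against an investigation policy, using the defaults and ceilings quoted above. The table records, the field names `retentionInDays` and `totalRetentionInDays`, and the policy values are constructed for illustration and are assumptions, not output from a real workspace.

```python
INTERACTIVE_MAX = 730      # analytics retention ceiling from the post (2 years)
TOTAL_MAX = 12 * 365       # 12-year ceiling from the post, taken as 365-day years
NINETY_DAY_DEFAULT = {"AzureActivity", "Usage"}   # tables the post lists at 90 days

# Constructed sample; field names are assumed per-table retention settings.
SAMPLE_TABLES = [
    {"name": "AzureActivity", "retentionInDays": 90, "totalRetentionInDays": 90},
    {"name": "SigninLogs"},                       # nothing set: falls back to default
    {"name": "AzureDiagnostics", "retentionInDays": 90, "totalRetentionInDays": 730},
    {"name": "AppTraces", "retentionInDays": 900, "totalRetentionInDays": 900},
]

# Hypothetical policy: table -> (interactive days needed, total days needed).
POLICY = {
    "AzureActivity": (90, 365),
    "SigninLogs": (90, 365),
    "AzureDiagnostics": (30, 365),
}


def effective(table):
    """Return (interactive_days, total_days), applying the post's defaults."""
    default = 90 if table["name"] in NINETY_DAY_DEFAULT else 30
    interactive = table.get("retentionInDays", default)
    total = table.get("totalRetentionInDays", interactive)
    return interactive, total


def audit(tables, policy):
    """Return a sorted list of (table, finding) for every gap or invalid value."""
    findings = []
    for table in tables:
        name = table["name"]
        interactive, total = effective(table)
        if interactive > INTERACTIVE_MAX:
            findings.append((name, f"interactive {interactive}d exceeds {INTERACTIVE_MAX}d cap"))
        if total > TOTAL_MAX or total < interactive:
            findings.append((name, f"total {total}d is out of range"))
        need_interactive, need_total = policy.get(name, (0, 0))
        if interactive < need_interactive:
            findings.append((name, f"interactive short by {need_interactive - interactive}d"))
        if total < need_total:
            findings.append((name, f"total short by {need_total - total}d"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_TABLES, POLICY):
        print(f"{name}: {finding}")
```

A table left at the 30-day default shows up twice here, once for the interactive window and once for total retention, which is the gap that usually surfaces mid-investigation.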


Metrics

Metrics are not technically logs, but they are part of the same monitoring conversation. Azure Metrics capture performance counters like CPU usage, request latency, or throughput.

  • Default retention: 93 days.

  • Extended retention: Export to Log Analytics or Storage if you need to keep them longer.

  • Docs: Metrics retention


Entra ID (Azure Active Directory) Logs

Entra ID (formerly Azure AD) produces multiple logs:

Retention is tied to licensing:

  • Free: 7 days.

  • Premium P1/P2: 30 days.

  • Longer retention requires export to Log Analytics, Event Hubs, or Storage.

  • Docs: Entra log retention


Application Insights

Application Insights tracks application performance and telemetry, like requests, exceptions, and dependencies.


Microsoft Purview Audit Logs

Microsoft Purview Audit provides unified audit logs for Microsoft 365 workloads, including Exchange, SharePoint, OneDrive, Teams, and Entra.

  • Default retention: 180 days for Standard (logs generated after Oct 17, 2023).

  • E5 licensing: Up to 1 year.

  • Audit (Premium): Up to 10 years through retention policies.

  • Docs: Audit log retention policies


Network Security Logs

Azure networking components generate their own logs:


Key Vault Logs

Azure Key Vault monitoring provides audit data for access and operations.

  • Default retention: None until you enable diagnostic settings.

  • Extended retention: Once enabled, logs can be sent to Log Analytics, Storage, or Event Hubs, and retention depends on those targets.


Storage Account Logs

Azure Storage logging has evolved.


Cost and Archive Considerations

Retention always has a price tag. Keeping everything forever is rarely a good idea.

For example:

  • 5 GB of logs per day equals 1.8 TB per year.

  • At $0.10 per GB in East US, that is about $1,000 annually.


By trimming retention to 30 days for non-critical logs, you could save hundreds to thousands.


Archived Log Analytics data is cheaper but not queryable. You need to use search jobs or restores, which can be unreliable, as shared on Reddit and Stack Overflow. Always test archive retrieval before you need to rely on it.


TL;DR — Retention Cheat Sheet

| Log Type | Default Retention | Max Retention |
|---|---|---|
| Activity Log | 90 days | Unlimited via export |
| Resource Logs | None (opt-in) | Depends on destination |
| Log Analytics | 30–90 days | Up to 12 years |
| Metrics | 93 days | Export required |
| Entra ID Logs | 7–30 days | Longer via export |
| Application Insights | 90 days | Up to 2 years |
| Purview Audit Logs | 180 days–1 yr | Up to 10 years (Premium) |
| Network Security Logs | None (opt-in) | Depends on destination |
| Key Vault Logs | None (opt-in) | Depends on destination |
| Storage Logs | None (opt-in) | Depends on destination |
| Archive (Log Analytics) | Not queryable | Up to 12 years |


Wrap Up

Azure logging is not just one thing. You are working with Activity Logs, Resource Logs, Log Analytics, Metrics, Entra ID, Application Insights, Purview Audit, and service-specific logs like NSG, Firewall, Key Vault, and Storage. Each one has its own defaults and retention settings hidden away in the docs.


The trick is to know what you actually need, configure retention with intention, test archive retrieval, and avoid paying to keep data you will never use.


That is the demystification, which is a whole level of effort to begin with! Hopefully it helped you! Guess what's immediately going into my bookmarks? ;)

© 2020 Shannon B. Kuehn
