FAQs

shlipsey3 · shlipsey3 · commit 807c74c5ad7c · 2023-07-26T15:09:31.000-07:00
diff --git a/articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md b/articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md
@@ -24,7 +24,7 @@ With these integrations, you can enable rich visualizations, monitoring, and ale
 The following logs can be integrated with one of many endpoints:
 
 * The [**audit logs activity report**](concept-audit-logs.md) gives you access to the history of every task that's performed in your tenant.
-* With the [**sign-in activity report**](concept-sign-ins.md), you can determine who performed the tasks that are reported in the audit logs.
+* With the [**sign-in activity report**](concept-sign-ins.md), you can see when users attempt to sign in to your applications or troubleshoot sign-in errors.
 * With the [**provisioning logs**](../app-provisioning/application-provisioning-log-analytics.md), you can monitor which users have been created, updated, and deleted in all your third-party applications. 
 * The [**risky users logs**](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users) helps you monitor changes in user risk level and remediation activity. 
 * With the [**risk detections logs**](../identity-protection/howto-identity-protection-investigate-risk.md#risk-detections), you can monitor user's risk detections and analyze trends in risk activity detected in your organization. 
@@ -61,7 +61,7 @@ If you don't plan on using a third-party SIEM tool, we recommend sending your Az
 
 There's a cost for sending data to a Log Analytics workspace, archiving data in a storage account, or streaming logs to an event hub. The amount of data and the cost incurred can vary significantly depending on the tenant size, the number of policies in use, and even the time of day.
 
-Because the size and cost for sending logs to and endpoint is difficult to predict, the most accurate way to determine your expected costs is to route your logs to and endpoint for day or two. With this snapshot, you can get an accurate prediction for your expected costs.
+Because the size and cost for sending logs to an endpoint is difficult to predict, the most accurate way to determine your expected costs is to route your logs to an endpoint for day or two. With this snapshot, you can get an accurate prediction for your expected costs.
 
 Other considerations for sending Azure AD logs to Azure Monitor are covered in the following Azure Monitor cost details articles:
 
diff --git a/articles/active-directory/reports-monitoring/reports-faq.yml b/articles/active-directory/reports-monitoring/reports-faq.yml
@@ -44,10 +44,25 @@ sections:
   - name: Activity logs
     questions:
       - question: |
-          Do I need to be a Global Administrator to see the activity logs in the Azure portal or to get data through the API?
+          Do I need to be a Global Administrator to see the activity logs in the Azure portal?
         answer: |
-          No, the [least privilege role](../roles/delegate-by-task.md) to view audit and sign-in logs is **Reports Reader**. Other roles include **Security Reader** and **Security Administrator** for the tenant. You can also access the reporting data through the portal or through the API if you're a Global Administrator.
-         
+          No, the [least privilege role](../roles/delegate-by-task.md) to view audit and sign-in logs is **Reports Reader**. Other roles include **Security Reader** and **Security Administrator**.
+
+      - question: |
+          What logs can I integrate with Azure Monitor?
+        answer: |
+          Sign-in and audit logs are both available for routing through Azure Monitor. B2C-related audit events are currently not included. For more information, see [Azure AD activity log integrations](concept-activity-logs-azure-monitor.md) and the [Graph API activity log overview](/graph/api/resources/azure-ad-auditlog-overview)
+
+      - question: |
+          What SIEM tools are currently supported for integrating Azure AD activity logs?
+        answer: |
+          For a current list of the supported SIEM tools, see [Stream Azure monitoring data to an event hub for consumption by an external tool](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md).
+
+      - question: |
+          Can I access the data from an event hub without using an external SIEM tool?
+        answer: |
+          Yes. To access the logs from your custom application, you can use the [Event Hubs API](../../event-hubs/event-hubs-dotnet-standard-getstarted-send.md).
+
       - question: |
           Can I get Microsoft 365 activity log information through the Azure portal?
         answer: |
@@ -67,6 +82,12 @@ sections:
           How long does Azure AD store activity logs? What is the data retention?
         answer: |
           Depending on your license, Azure AD stores activity logs for between 7 and 30 days. For more information, see [Azure Active Directory report retention policies](reference-reports-data-retention.md).  
+
+      - question: |
+          What happens if an Administrator changes the retention period of a diagnostic setting?
+        answer: |
+          The new retention policy will be applied to logs collected after the change. Logs collected before the policy change will be unaffected. The Diagnostic settings storage retention feature is being deprecated. For details on this change, see [**Migrate from diagnostic settings storage retention to Azure Storage lifecycle management**](../../azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy.md).
+
       - question: |
           How can I find out if a user purchased a license or enabled a trial license for my tenant? I don't see this activity in the audit logs.
         answer: |
