Merge pull request #221496 from MicrosoftDocs/main

12/14 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/backup/backup-create-rs-vault.md",
+            "redirect_url": "/azure/backup/backup-create-recovery-services-vault",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/storage/queues/storage-quickstart-queues-dotnet-legacy.md",
             "redirect_url": "/azure/storage/queues/storage-quickstart-queues-dotnet",

articles/active-directory/reports-monitoring/howto-download-logs.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 10/31/2022
+ms.date: 12/14/2022
 ms.author: sarahlipsey
 ms.reviewer: besiler 
 
@@ -20,75 +20,56 @@ ms.collection: M365-identity-device-management
 
 The Azure Active Directory (Azure AD) portal gives you access to three types of activity logs:
 
-- **[Sign-ins](concept-sign-ins.md)** – Information about sign-ins and how your resources are used by your users.
-- **[Audit](concept-audit-logs.md)** – Information about changes applied to your tenant such as users and group management or updates applied to your tenant’s resources.
-- **[Provisioning](concept-provisioning-logs.md)** – Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
+- **[Sign-ins](concept-sign-ins.md)**: Information about sign-ins and how your resources are used by your users.
+- **[Audit](concept-audit-logs.md)**: Information about changes applied to your tenant such as users and group management or updates applied to your tenant’s resources.
+- **[Provisioning](concept-provisioning-logs.md)**: Activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
 
-Azure AD stores the data in these logs for a limited amount of time. As an IT administrator, you can download your activity logs to have a long-term backup.
+Azure AD stores the data in these logs for a limited amount of time. As an IT administrator, you can download your activity logs to have a long-term backup. This article explains how to download activity logs in Azure AD. 
 
-This article explains how to download activity logs in Azure AD.  
+## Prerequisites 
 
-## What you should know
+The option to download the data of an activity log is available in all editions of Azure AD. You can also download activity logs using Microsoft Graph; however, downloading logs programmatically requires a premium license.
 
-- In the Azure AD portal, you can find several entry points to the activity logs. For example, the **Activity** section on the [Users](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers) or [groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) page. However, there is only one location that provides you with an initially unfiltered view of the logs: the **Monitoring** section on the [Azure AD](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) page.    
-
-- Azure AD stores activity logs only for a specific period. For more information, see [How long does Azure AD store reporting data?](reference-reports-data-retention.md) 
+The following roles provide read access to audit logs. Always use the least privileged role, according to Microsoft [Zero Trust guidance](/security/zero-trust/zero-trust-overview).
+- Reports Reader
+- Security Reader
+- Security Administrator
+- Global Reader (sign-in logs only)
+- Global Administrator
 
-- By downloading the logs, you can control for how long logs are stored. 
+## Log download details
 
-- Your download is based on the filter you have set. 
+Azure AD stores activity logs for a specific period. For more information, see [How long does Azure AD store reporting data?](reference-reports-data-retention.md) By downloading the logs, you can control how long logs are stored. 
 
 - Azure AD supports the following formats for your download:
-
     - **CSV** 
-
     - **JSON** 
+- Timestamps in the downloaded files are based on UTC.
+- For large data sets (> 250,000 records), you should use the [reporting API](/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0) to download the data.
 
-- The timestamps in the downloaded files are always based on UTC.
-
-- For large data sets (> 250 000 records), you should use the reporting API to download the data.
-
-
-## What license do you need?
-
-The option to download the data of an activity log is available in all editions of Azure AD.
-
-You can also download activity logs using Microsoft Graph; however, downloading logs grammatically requires a premium incense.
-
-
-## Who can do it?
-
-While the global administrator works, you should use an account with lower privileges to perform this task. To access the audit logs, the following roles work:
-
-- Reports Reader
-- Global Reader
-- Security Administrator
-- Security Reader
-
-
-## How to do it
-
-
-**To download an activity log:**
+## How to download activity logs
 
-1. Navigate to the activity log view you care about:
- 
-    - [The sign-ins log](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns)
-    
-    - [The audit log](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns)    
-       
-    - [The provisioning log](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/ProvisioningEvents)    
-   
+You can access the activity logs from the **Monitoring** section of Azure AD or from the **Users** page of Azure AD. If you view the audit logs from the **Users** page, the filter category will be set to **UserManagement**. Similarly, if you view the audit logs from the **Groups** page, the filter category will be set to **GroupManagement**. Regardless of how you access the activity logs, your download is based on the filter you've set. 
 
-2.  **Add** the required filter.  
+1. Navigate to the activity log you need to download.
+1. Adjust the filter for your needs.  
+1. Select **Download**.
+    - For audit and sign-in logs, a window appears where you'll select the download format (CSV or JSON).
+    - For provisioning logs, you'll select the download format (CSV of JSON) from the Download button.
+    - You can change the File Name of the download.
+    - Select the **Download** button.
+1. The download processes and sends the file to your default download location. 
 
-    ![Add filter](./media/\howto-download-logs/add-filter.png)    
+The following screenshot shows the download window from the audit and sign-in log download process. 
+    ![Screenshot of the audit log download process.](./media/howto-download-logs/audit-log-download.png)
 
-3. **Download** the data.
+The following screenshot shows menu options for the provisioning log download process.
+    ![Screenshot of the provisioning log download button options.](./media/howto-download-logs/provisioning-logs-download.png)
 
-    ![Download log](./media/\howto-download-logs/download-log.png)
+If your tenant has enabled the [sign-in logs preview](concept-all-sign-ins.md), more options are available after selecting **Download**. The sign-in logs preview include interactive and non-interactive user sign-ins, service principal sign-ins, and managed identity sign-ins.
+    ![Screenshot of the download options for the sign-in logs preview.](media/howto-download-logs/sign-in-preview-download-options.png)
 
 ## Next steps
 
-- [Sign-ins logs in Azure AD](concept-sign-ins.md)
-- [Audit logs in Azure AD](concept-audit-logs.md)
+- [Integrate Azure AD logs with Azure Monitor](howto-integrate-activity-logs-with-log-analytics.md)
+- [Access Azure AD logs using the Graph API](quickstart-access-log-with-graph-api.md)