C) confirmed 90 Days
Ref Link: https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk#how-to-investigate-risky-users
This table reflects the latest information on retention periods for Microsoft Entra Free, P1, and P2 as of February 26, 2025. I just had to mark the answer, but as I said...there is no limit for risky users. "Risky users and workload identities are not deleted until the risk has been remediated."
-------------------------------------------------
| Feature | Microsoft Entra Free | P1 | P2 |
-------------------------------------------------
| Audit Logs | 7 days | 30 days | 30 days |
-------------------------------------------------
| Sign-ins | 7 days | 30 days | 30 days |
-------------------------------------------------
| Multifactor Authentication Usage | 30 days | 30 days | 30 days |
-------------------------------------------------
| Risky Users | No limit | No limit| No limit|
-------------------------------------------------
| Risky Sign-ins | 7 days | 30 days | 90 days |
-------------------------------------------------
Why 90 days is the better answer in this context:
The question specifically asks about "risky user activity," implying the use of Identity Protection features.
Identity Protection, with its detailed risk assessments and reporting, is a core component of Premium P2.
Premium P2 has a 90-day retention for risky sign-ins.
sorry, if i understand the question, it is asking for Risky user logs and this URL says 'https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-reports-data-retention' that risky users there is 'No Limit'. am i not correctly understanding this?
The question is not well done, but considering the maximum time is 90 days (Entra P2) I will select the option C
> Microsoft Entra ID Free : 7 days
> Microsoft Entra ID P1: 30 days
> Microsoft Entra ID P2: 90 days
This retention period allows you to monitor and analyze risky user activity over a significant period to ensure security and compliance
More information:
Audit logs
> Microsoft Entra ID Free: Seven days
> Microsoft Entra ID P1: Seven days
> Microsoft Entra ID P2: 30 days
Sign-ins
> Microsoft Entra ID Free: 30 days
> Microsoft Entra ID P1: 30 days
> Microsoft Entra ID P2: 30 days
Microsoft Entra multifactor authentication usage
> Microsoft Entra ID Free: 30 days
> Microsoft Entra ID P1: 30 days
> Microsoft Entra ID P2: 30 days
Based on the link below:
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-reports-data-retention
I'm going with 90. I'm in the portal right now under Identity Protection, Report, Risky Users and I can go back a maximum of 90 days. Almost all of the other questions seem to assume you have P2.
This is a tip found in the MS Book SC-300 Exam Prep:
The risk reports have different log-rotation periods. The Risky Users report tracks risky users since the beginning of time (from the perspective of tenant inception). The Risky Sign-in report tracks with the log rotation period of the sign-in logs (30 days). The Risk Detections report has a log-rotation period of 90 days.
This question is entirely nonsensical. I found 90 days. There's no reference to 30 days, even though the log time can be changed.
https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk#how-to-investigate-risky-users
"When administrators select an individual user, the Risky user details pane appears. Risky user details provide information like: user ID, office location, recent risky sign-in, detections not linked to a sign, and risk history. The Risk history tab shows the events that led to a user risk change in the last 90 days."
Answer is 90 days.
The Risk history tab also shows all the events that led to a user risk change in the last 90 days. This list includes risk detections that increased the user’s risk and admin remediation actions that lowered the user’s risk.
Note: Question is not referring to Sign in risk which is 30 days.
https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk#:~:text=The%20Risk%20history%20tab%20also%20shows%20all%20the%20events%20that%20led%20to%20a%20user%20risk%20change%20in%20the%20last%2090%20days
The retention period for logs of risky user activity in Microsoft Entra varies by report type and license type. For instance, the risky sign-ins report contains filterable data for up to the past 30 days. However, you can retain the audit and sign-in activity data for longer than the default retention period by routing it to an Azure storage account using Azure Monitor.
A. The risky sign-ins report contains filterable data for up to the past 30 days (one month)
https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk#risky-users-report
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-reports-data-retention
Risky users No limit No limit No limit
Risky sign-ins 7 days 30 days 90 days
Note
Risky users and workload identities are not deleted until the risk has been remediated.
upvoted 4 times
...
This section is not available anymore. Please use the main Exam Page.SC-300 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
d1e85d9
2 months, 3 weeks agorvln7
3 months, 1 week agoRahgu
4 months, 2 weeks agoBtn26
4 months, 4 weeks agoanonymousarpanch
4 months, 2 weeks agoPhax
7 months agomurcao
7 months agoNail
7 months, 2 weeks agoTony416
8 months, 3 weeks agoTony416
9 months agojarattdavis
10 months, 3 weeks agoELQUMS
1 year, 3 months agoSozo
1 year, 3 months agobaz
1 year, 4 months agothrowaway10188
1 year, 4 months agothrowaway10188
1 year, 4 months ago