Logs are often a huge liability. I am not saying this is right, but in my experience very very few IT shops treat them like tier one confidentiality required data that they are.
developers rarely think critically about what can end up in a log, operating under the assumption that whatever logging framework is responsible for sinking them somewhere safe and if anyone has access all bets are already off; of course in the era of centralized logging, SEIM analysis, and data lakes etc, that is nonsense. I have seen a lot applications that have a ton code and thought dedicated to handling various types of secrets only to have it all wrapped and in
try { ... } catch ... {} catch ... {} .. catch Exception => ex { Logger.log("Unhandled " + ex.name + " exception - " + ex.message + "Sacktrace:\n" + ex.stacktrace);} and equivalent that under the write conditions will result in these secrets getting into the logs. That is the most innocent case, the far more common pattern in logs is:
Login failed for user P@$$word!1
Login success for user gweihir
and is almost the norm...
Right now the only things saving corporate and probably government IT from total disaster due to negligent log handling are:
1) The data volume is large so its difficult to exfil or search in situ without being notices
2) Searing logs you are not familiar with is hard and regex augmented with traditional correlation rules will only get you so far,
However attackers will start using ML and similar tools to start slogging thru it and pulling useful data out soon enough and all these data lakes, cloud trails, security workspaces, etc - are going to get some big organizations well and thoroughly pwnd.
At the very least actual APTs (not some ransomware gangs) will get hold of some Fortune 50s and large government logs and do some next gen-analysis to make sure their trade craft and tools leave exactly NO detectable IOCs. Which frankly I think boads quite badly for having a large WFH work force; nobody is going to be able to separate malicious remote access from legitimate. That is drifting off the topic however.
In the short term I would suggest to most operators, you don't know what is in your logs, you don't what signals someone might be able to extract from those logs even if you do have all the content identified. You probably should NOT be retaining logs for longer than either a few months or whatever regulatory requirements demand, whichever is greater.
In this specific instance its unfortunate, but I don't think MS actually got it wrong in terms of policy here.