Sign-in Logs
Sign-in logs provide insights into how users are accessing your organization's applications and resources. They are a critical component for security monitoring, troubleshooting, and compliance.
Key Information in Sign-in Logs
Each sign-in event record contains detailed information, including:
- User: The user account that initiated the sign-in.
- Application: The application or resource being accessed.
- Status: Indicates whether the sign-in was successful or failed, along with the reason for failure.
- IP Address: The IP address from which the sign-in originated.
- Location: The geographical location associated with the IP address.
- Device: Information about the device used for the sign-in (e.g., OS, browser).
- Authentication Method: The method used for authentication (e.g., password, MFA, passwordless).
- Timestamp: The date and time of the sign-in event.
Accessing Sign-in Logs
You can access sign-in logs through the Azure portal, Microsoft Graph API, or by sending logs to a SIEM solution.
Azure Portal
- Sign in to the Azure portal with a role that can read sign-in logs (e.g., Security Reader, Reports Reader, or Global Reader).
- Navigate to Azure Active Directory (shown as Microsoft Entra ID in the current portal; the logs and their location are unchanged).
- Under the Monitoring & health section, select Sign-in logs.
Microsoft Graph API
The Microsoft Graph API provides programmatic access to sign-in logs through the /auditLogs/signIns endpoint. The calling identity needs the AuditLog.Read.All and Directory.Read.All permissions (delegated or application). Results are paged, so follow the @odata.nextLink in each response, and narrow the query server-side with $filter (for example on createdDateTime or status/errorCode) rather than pulling the whole log and filtering locally.
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
Common Use Cases
- Security Monitoring: Identify suspicious sign-in attempts, such as sign-ins from unusual locations or multiple failed attempts.
- Troubleshooting: Diagnose sign-in failures for specific users or applications.
- Auditing and Compliance: Provide evidence of user access for regulatory requirements.
- Application Performance Analysis: Understand user access patterns to applications.
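The following Python script is added here as an example and is not code from the original page or from Microsoft. It covers two things a practitioner usually wants together: a helper that builds the filtered Graph query described in the Microsoft Graph API section, and detection logic for the Security Monitoring use case (bursts of failed attempts from one user/IP pair, a password-spray source hitting many accounts, a success from a pair that had just been failing, and a sign-in from a country the user has not used before). The record fields follow the Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode, location.countryOrRegion); the events in SAMPLE_SIGNINS, the KNOWN_COUNTRIES baseline and the thresholds are constructed assumptions, and the HTTP call with a bearer token is left to the caller.

```python
"""Added example (not from the original page or from Microsoft).

Builds a filtered Graph sign-in query and runs simple detections over
sign-in records shaped like the Graph signIn resource. SAMPLE_SIGNINS and
KNOWN_COUNTRIES are constructed test data, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def build_signins_url(since, failed_only=False, top=100):
    """Return a Graph URL with an OData $filter on createdDateTime and,
    optionally, on failures. The caller must send it with a bearer token
    holding AuditLog.Read.All and Directory.Read.All and follow
    @odata.nextLink for further pages (not shown here)."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    clauses = [f"createdDateTime ge {stamp}"]
    if failed_only:
        clauses.append("status/errorCode ne 0")  # errorCode 0 is a successful sign-in
    return f"{GRAPH_SIGNINS}?$filter={quote(' and '.join(clauses), safe='/:')}&$top={top}"


def _ts(s):
    # Graph returns ISO 8601 with a trailing Z; turn it into an aware datetime.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _ok(e):
    return e["status"]["errorCode"] == 0


def failed_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """(upn, ip) pairs with at least `threshold` failures inside `window`
    (brute force against one account). Returns {pair: total failures}."""
    by_pair = defaultdict(list)
    for e in events:
        if not _ok(e):
            by_pair[(e["userPrincipalName"], e["ipAddress"])].append(_ts(e["createdDateTime"]))
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[pair] = len(times)
                break
    return hits


def spray_sources(events, min_users=3):
    """Source IPs that failed against at least `min_users` distinct accounts
    (password spray: few attempts per user, many users)."""
    users_by_ip = defaultdict(set)
    for e in events:
        if not _ok(e):
            users_by_ip[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def success_after_failures(events, bursts):
    """IDs of successful sign-ins from a (user, ip) pair flagged by failed_bursts:
    the pattern that most often means a guessed password worked."""
    return [e["id"] for e in events
            if _ok(e) and (e["userPrincipalName"], e["ipAddress"]) in bursts]


def unfamiliar_country(events, known):
    """IDs of successful sign-ins from a country not in the user's known set
    (`known` is an assumed per-user baseline built from earlier history)."""
    return [e["id"] for e in events
            if _ok(e) and e["location"]["countryOrRegion"]
            not in known.get(e["userPrincipalName"], set())]


def _ev(i, upn, ip, when, code, country):
    return {"id": f"ev{i}", "userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": when, "status": {"errorCode": code},
            "location": {"countryOrRegion": country}}


# Constructed sample (50126 = invalid username or password): four failures and
# then a success for alice from one foreign IP, one IP trying three different
# accounts once each, and a normal sign-in for bob.
SAMPLE_SIGNINS = [
    _ev(1, "alice@example.com", "198.51.100.7", "2023-10-27T10:00:00Z", 50126, "NL"),
    _ev(2, "alice@example.com", "198.51.100.7", "2023-10-27T10:01:00Z", 50126, "NL"),
    _ev(3, "alice@example.com", "198.51.100.7", "2023-10-27T10:02:00Z", 50126, "NL"),
    _ev(4, "alice@example.com", "198.51.100.7", "2023-10-27T10:03:00Z", 50126, "NL"),
    _ev(5, "alice@example.com", "198.51.100.7", "2023-10-27T10:04:00Z", 0, "NL"),
    _ev(6, "alice@example.com", "203.0.113.9", "2023-10-27T11:00:00Z", 50126, "US"),
    _ev(7, "bob@example.com", "203.0.113.9", "2023-10-27T11:00:05Z", 50126, "US"),
    _ev(8, "carol@example.com", "203.0.113.9", "2023-10-27T11:00:10Z", 50126, "US"),
    _ev(9, "bob@example.com", "203.0.113.45", "2023-10-27T10:30:00Z", 0, "US"),
]
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}  # assumed baseline

if __name__ == "__main__":
    print("query:", build_signins_url(datetime(2023, 10, 27, tzinfo=timezone.utc), failed_only=True))
    bursts = failed_bursts(SAMPLE_SIGNINS)
    print("brute force:", bursts)
    print("password spray:", spray_sources(SAMPLE_SIGNINS))
    print("success after failures:", success_after_failures(SAMPLE_SIGNINS, bursts))
    print("unfamiliar country:", unfamiliar_country(SAMPLE_SIGNINS, KNOWN_COUNTRIES))
```

The same functions run unchanged over the "value" array of a real Graph response, and the thresholds are deliberately low for the sample; in production the failure threshold, window and spray width should be tuned against the tenant's normal failure rate, and the country baseline should come from a rolling window of prior successful sign-ins rather than a hard-coded set.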
Filtering and Searching
The Azure portal provides powerful filtering and search capabilities to help you find specific sign-in events. You can filter by:
- User
- Application
- Date and Time
- Sign-in Status (Success/Failure)
- IP Address
- Location
- Device Platform
- Authentication Requirement
Note: The portal retains sign-in logs for 7 days on the free tier and for 30 days with Azure AD Premium P1 or P2. Configure diagnostic settings to stream them to a Log Analytics workspace, a storage account or an event hub for longer retention and SIEM ingestion; once the retention window has passed, events that were not exported cannot be recovered.
Example Sign-in Event
| Field | Value |
|---|---|
| User Principal Name | user@example.com |
| Application Name | Microsoft Office 365 |
| Status | Success |
| IP Address | 203.0.113.45 |
| Location | New York, USA |
| Device | Windows 10, Chrome |
| Authentication Method | Password, MFA |
| Timestamp | 2023-10-27 10:30:00 UTC |
Important: Regularly review sign-in logs, especially after implementing new security policies, to ensure they are effective and to detect any anomalies promptly.
Tip: Integrate Azure AD sign-in logs with your SIEM solution for centralized security monitoring and correlation with other security events.