Azure Active Directory Sign-in Information
This section provides comprehensive documentation on understanding, monitoring, and troubleshooting sign-in activities within Azure Active Directory (Azure AD).
Understanding Azure AD Sign-ins
Sign-ins are fundamental to user access and security in Azure AD. They represent authentication events where users, applications, or services attempt to access resources protected by Azure AD.
- Authentication Flow: Learn about the standard OAuth 2.0 and OpenID Connect protocols used for authentication.
- Authentication Methods: Explore the various ways users can authenticate, including passwords, multi-factor authentication (MFA), passwordless methods (e.g., FIDO2, Windows Hello), and federated sign-ins.
- Token Issuance: Understand how Azure AD issues security tokens (ID tokens, access tokens, refresh tokens) upon successful authentication.
Azure AD Sign-in Logs
Sign-in logs are critical for security monitoring and incident investigation. They provide detailed records of authentication attempts.
You can access sign-in logs through the Azure portal or programmatically using the Microsoft Graph API.
Key Information in Sign-in Logs:
- User: The user attempting to sign in.
- Application: The application the user is trying to access.
- IP Address: The source IP address of the sign-in attempt.
- Location: The geographical location inferred from the IP address.
- Device Information: Details about the device used (e.g., OS, browser, compliance status).
- Authentication Details: The method used for authentication (e.g., password, MFA).
- Status: Whether the sign-in was successful or failed, along with the failure reason.
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
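The fields listed above support a simple first-pass triage of failed sign-ins. The following is an added example, not part of the original documentation: it groups failures by source IP and flags addresses that fail against several distinct users. The records are constructed sample data shaped like the `value` array returned by the request above, and the helper names and the `min_users` threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

def _rec(upn, ip, code, reason, country):
    # Hypothetical helper: builds one record using Graph signIn field names.
    return {"userPrincipalName": upn, "appDisplayName": "Office 365",
            "ipAddress": ip, "location": {"countryOrRegion": country},
            "status": {"errorCode": code, "failureReason": reason}}

# Constructed sample data (documentation IP ranges, made-up users and reasons).
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "203.0.113.7", 50126, "Invalid username or password.", "NL"),
    _rec("bob@example.com", "203.0.113.7", 50126, "Invalid username or password.", "NL"),
    _rec("carol@example.com", "203.0.113.7", 50126, "Invalid username or password.", "NL"),
    _rec("alice@example.com", "198.51.100.20", 0, "", "US"),
    _rec("dave@example.com", "198.51.100.20", 53003, "Blocked by Conditional Access.", "US"),
]

def summarize_failures(signins, min_users=3):
    """Group failed sign-ins by IP; flag IPs failing against >= min_users users."""
    by_ip = defaultdict(lambda: {"users": set(), "countries": set(),
                                 "reasons": defaultdict(int)})
    for rec in signins:
        status = rec.get("status") or {}
        if status.get("errorCode", 0) == 0:  # errorCode 0 = successful sign-in
            continue
        entry = by_ip[rec.get("ipAddress") or "unknown"]
        entry["users"].add((rec.get("userPrincipalName") or "").lower())
        entry["countries"].add((rec.get("location") or {}).get("countryOrRegion") or "?")
        entry["reasons"][status.get("failureReason") or "unspecified"] += 1
    findings = []
    for ip, e in by_ip.items():
        findings.append({
            "ip": ip,
            "failures": sum(e["reasons"].values()),
            "distinct_users": len(e["users"]),
            "countries": sorted(e["countries"]),
            "top_reason": max(e["reasons"], key=e["reasons"].get),
            "flagged": len(e["users"]) >= min_users,
        })
    # Most widely spread failures first, then by IP for stable output.
    return sorted(findings, key=lambda f: (-f["distinct_users"], f["ip"]))

if __name__ == "__main__":
    for finding in summarize_failures(SAMPLE_SIGNINS):
        print(finding)
```

A flagged IP is a lead for investigation, not a verdict: shared egress addresses (NAT, VPN concentrators) can produce the same pattern.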
Azure AD Sign-in Activity Report
The Sign-in Activity Report provides a high-level overview and aggregated view of sign-in trends and patterns within your Azure AD tenant.
This report is useful for understanding the overall security posture and identifying potential anomalies.
Features of the Sign-in Activity Report:
- Top Sign-in Activities: Identify the most frequently used applications and users.
- Sign-ins by Location: Visualize sign-in origins geographically.
- Risky Sign-ins: Highlight sign-ins detected with suspicious characteristics (requires Identity Protection).
- MFA Usage: Track the adoption and effectiveness of multi-factor authentication.
Access these reports via the Azure portal under Azure AD > Monitoring & health > Sign-in logs (and then switch to reports view).
Troubleshooting Sign-in Issues
When users report problems signing in, systematically diagnosing the issue is key. Use the sign-in logs and activity reports as your primary tools.
Common Sign-in Problems and Solutions:
- Incorrect Credentials:
  - Verify username and password.
  - Check for Caps Lock.
  - If using federated sign-in, ensure the identity provider is available.
- MFA Prompts Not Appearing:
  - Check the user's MFA registration status.
  - Verify Conditional Access policies requiring MFA are correctly configured.
  - Ensure the user has a registered authentication method (e.g., authenticator app, phone number).
- Conditional Access Policy Denials:
  - Review the specific Conditional Access policy that blocked the sign-in.
  - Check the grant controls (e.g., requiring compliant device, approved client application, MFA).
  - Use the "What If" tool in Conditional Access to simulate policy impact.
- Application-Specific Errors:
  - Check the application's own logs.
  - Ensure the application is correctly registered in Azure AD and has the necessary permissions.
  - Validate the redirect URI configuration.
For advanced troubleshooting, consider enabling diagnostic settings to export logs to Log Analytics for more powerful querying and analysis.