View your access and usage reports
Updated: August 21, 2015
Applies To: Azure
Important
Please bear with us as we migrate this and other content to the Microsoft Azure website. This topic is no longer being updated and might become out of date. Please bookmark the updated Azure article on this subject, View your access and usage reports.
You can use Azure Active Directory’s access and usage reports to gain visibility into the integrity and security of your organization’s directory. With this information, a directory admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks.
In the full Azure Management Portal, reports are categorized in the following ways:
- Anomaly reports - Contain sign in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to determine whether an event is suspicious.
- Integrated Application report - Provides insights into how cloud applications are being used in your organization. Azure Active Directory offers integration with thousands of cloud applications.
- Error reports - Indicate errors that may occur when provisioning accounts to external applications.
- User-specific reports - Display device/sign in activity data for a specific user.
- Activity logs - Contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, as well as group activity changes, and password reset and registration activity.
Note
- Some advanced anomaly and resource usage reports are only available when you enable Azure Active Directory editions. Advanced reports help you improve access security, respond to potential threats and get access to analytics on device access and application usage.
- Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Windows Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.
The following reports are used for monitoring directory-wide user sign ins to Azure Active Directory.
| Report | Description | Report Location | Available for free | Available with Premium |
|---|---|---|---|---|
| Category: Anomaly Reports | | | | |
| Sign ins from unknown sources | This report indicates users who have successfully signed in to your directory while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users that want to hide their computer’s IP address, and may be used for malicious intent – sometimes hackers use these proxies. Results from this report will show the number of times a user successfully signed in to your directory from that address and the proxy’s IP address. | Found under the Directory > Reports tab | | |
| Sign ins after multiple failures | This report indicates users who have successfully signed in after multiple consecutive failed sign in attempts. Possible causes include: Results from this report will show you the number of consecutive failed sign in attempts made prior to the successful sign in and a timestamp associated with the first successful sign in. Report Settings: You can configure the minimum number of consecutive failed sign in attempts that must occur before it can be displayed in the report. When you make changes to this setting it is important to note that these changes will not be applied to any existing failed sign ins that currently show up in your existing report. However, they will be applied to all future sign ins. Changes to this report can only be made by licensed admins. | Found under the Directory > Reports tab | | |
| Sign ins from multiple geographies | This report includes successful sign in activities from a user where two sign ins appeared to originate from different regions and the time between the sign ins makes it impossible for the user to have travelled between those regions. Possible causes include: Results from this report will show you the successful sign in events, together with the time between the sign ins, the regions where the sign ins appeared to originate from and the estimated travel time between those regions. | Found under the Directory > Reports tab | | |
| Sign ins from IP addresses with suspicious activity | This report includes sign in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign in attempts from the same IP address over a short period of time, and other activity that was deemed suspicious. This may indicate that a hacker has been trying to sign in from this IP address. Results from this report will show you sign in attempts that were originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in. | Found under the Directory > Reports tab | | |
| Anomalous sign in activity | This report includes sign ins that have been identified as “anomalous” by our machine learning algorithms. Reasons for marking a sign in attempt as irregular include unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. The machine learning algorithm classifies events as “anomalous” or “suspicious”, where “suspicious” indicates a higher likelihood of a security breach. Results from this report will show you these sign ins, together with the classification, location and a timestamp associated with each sign in. | Found under the Directory > Reports tab | | |
| Sign ins from possibly infected devices | Use this report when you want to see sign ins from devices on which some malware (malicious software) may be running. We correlate IP addresses of sign ins against IP addresses from which an attempt was made to contact a malware server. Recommendation: Since this report assumes an IP address was associated with the same device in both cases, we recommend that you contact the user and scan the user's device to be certain. For more information about how to address malware infections, see the Malware Protection Center. | Found under the Directory > Reports tab | | |
| Users with anomalous sign in activity | Use this report when you want to view all user accounts for which anomalous sign in activity has been identified. This report includes data from all other anomalous activity reports. Results from this report will show you details about the user, the reason why the sign in event was identified as anomalous, the date and time, and other relevant information about the event. | Found under the Directory > Reports tab | | |
| Category: Integrated Application Reports | | | | |
| Application usage: summary | Use this report when you want to see usage for all the SaaS applications in your directory. This report is based on the number of times users have clicked on the application in the Access Panel. | Found under the Directory > Reports tab | | |
| Application usage: detailed | Use this report when you want to see how much a specific SaaS application is being used. This report is based on the number of times users have clicked on the application in the Access Panel. | Found under the Directory > Reports tab | | |
| Application dashboard | This report indicates cumulative sign ins to the application by users in your organization, over a selected time interval. The chart on the dashboard page will help you identify trends for all usage of that application. | Found under the Directory > Application > Dashboard tab | | |
| Category: Error Reports | | | | |
| Account provisioning errors | Use this to monitor errors that occur during the synchronization of accounts from SaaS applications to Azure Active Directory. | Found under the Directory > Reports tab | | |
| Category: User-specific Reports | | | | |
| Devices | Use this report when you want to see the IP address and geographical location of devices that a specific user has used to access Azure Active Directory. | Found under the Directory > User > Devices tab | | |
| Activity | Use this report when you want to see the sign in activity for a user. The report includes information like the application signed into, device used, IP address, and location. We do not collect the history for users that sign in with a Microsoft account. | Found under the Directory > User > Activity tab | | |
| Category: Activity logs | | | | |
| Audit report | Use this report when you want to see a record of all audited events within the last 24 hours, last 7 days, or last 30 days. The report includes events in the following categories: | Found under the Directory > Reports tab | | |
| Groups activity report | You can use this report when you want to see all activity for the self-service managed groups in your directory. This report is only available when you enable Azure Active Directory Premium. | Found under the Directory > Reports tab | | |
| Password reset registration activity report | The password reset registration activity report shows all password reset registrations that have occurred in your organization. | Found under the Directory > Reports tab | | |
| Password reset activity | The password reset activity report shows all password reset attempts that have occurred in your organization. | Found under the Directory > Reports tab | | |
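The logic behind two of the anomaly reports above, "Sign ins after multiple failures" and "Sign ins from multiple geographies", can be reproduced over your own sign-in records. This is an added example, not Microsoft's algorithm or code: the event layout, the coordinates, and the 900 km/h travel-speed ceiling are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real data):
# (user, UTC time, outcome, region, latitude, longitude)
EVENTS = [
    ("alice", "2015-08-20T08:00:00", "failure", "Seattle", 47.61, -122.33),
    ("alice", "2015-08-20T08:01:00", "failure", "Seattle", 47.61, -122.33),
    ("alice", "2015-08-20T08:02:00", "failure", "Seattle", 47.61, -122.33),
    ("alice", "2015-08-20T08:03:00", "success", "Seattle", 47.61, -122.33),
    ("alice", "2015-08-20T09:03:00", "success", "London", 51.51, -0.13),
    ("bob", "2015-08-20T09:59:00", "failure", "Seattle", 47.61, -122.33),
    ("bob", "2015-08-20T10:00:00", "success", "Seattle", 47.61, -122.33),
    ("bob", "2015-08-20T15:00:00", "success", "Portland", 45.52, -122.68),
]
MAX_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed

def parse(events):
    """Normalise raw tuples and order them per user by time."""
    rows = [(u, datetime.fromisoformat(t), o == "success", r, la, lo)
            for u, t, o, r, la, lo in events]
    return sorted(rows, key=lambda row: (row[0], row[1]))

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def success_after_failures(events, min_failures=3):
    """(user, consecutive failures, time of first success) per flagged success."""
    hits, streak = [], {}
    for user, ts, ok, *_ in parse(events):
        if ok and streak.get(user, 0) >= min_failures:
            hits.append((user, streak[user], ts))
        streak[user] = 0 if ok else streak.get(user, 0) + 1
    return hits

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """(user, from, to, hours between, estimated travel hours) per flagged pair."""
    hits, last = [], {}
    for user, ts, ok, region, lat, lon in parse(events):
        if not ok:
            continue  # the report covers successful sign ins only
        if user in last:
            pts, pregion, plat, plon = last[user]
            gap_h = (ts - pts).total_seconds() / 3600
            need_h = km_between(plat, plon, lat, lon) / max_speed_kmh
            if region != pregion and need_h > gap_h:
                hits.append((user, pregion, region, round(gap_h, 2), round(need_h, 2)))
        last[user] = (ts, region, lat, lon)
    return hits
```

The `min_failures` parameter plays the role of the report setting described in the table: raising it suppresses users who mistyped a password once or twice before signing in.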
Things to consider if you suspect a security breach
If you suspect that a user account may be compromised, or you see any kind of suspicious user activity that may lead to a security breach of your directory data in the cloud, you may want to consider one or more of the following actions:
- Contact the user to verify the activity
- Reset the user's password
- Enable multi-factor authentication for additional security
View or download a report
Use the following procedure to view and/or download the most applicable report for your specific needs.
Note
The number of results that can be displayed or downloaded after running any of our access and usage reports is currently limited to the 1000 most recent records. At this time there is no way to retrieve any results past 1000. This article will be updated once this limitation has been removed.
1. In the Azure Management Portal, click Active Directory, click on the name of your organization’s directory, and then click Reports.
2. On the Reports page, click the report you want to view and/or download.
   Note
   If this is the first time you have used the reporting feature of Azure Active Directory, you will see a message to Opt In. If you agree, click the check mark icon to continue.
3. Click the drop-down menu next to Interval, and then select one of the following time ranges that should be used when generating this report:
   - Last 24 hours
   - Last 7 days
   - Last 30 days
4. Click the check mark icon to run the report.
5. If applicable, click Download to download the report to a compressed file in Comma Separated Values (CSV) format for offline viewing or archiving purposes.
Ignore an event
If you are viewing any anomaly reports, you may notice that you can ignore various events that show up in related reports. To ignore an event, simply highlight the event in the report and then click Ignore. The Ignore button will permanently remove the highlighted event from the report and can only be used by licensed global admins.
Automatic email notifications
What reports generate an email notification?
At this time, only the Anomalous Sign In Activity report and the Users with Anomalous Sign In Activity report are using the email notification system.
What triggers the email notification to be sent?
By default, Azure Active Directory is set to automatically send email notifications to all global admins. The email is sent under the following conditions for each report.
For the Anomalous Sign In Activity report:
- Unknown sources: 10 events
- Multiple failures: 10 events
- IP addresses with suspicious activity: 10 events
- Infected devices: 10 events
For the Users with Anomalous Sign In Activity report:
- Unknown sources: 10 events
- Multiple failures: 10 events
- IP addresses with suspicious activity: 10 events
- Infected devices: 5 events
- Anomalous sign ins report: 15 events
The email is sent if any of the above conditions is met within 30 days, or since the last email was sent if it is less than 30 days.
Anomalous Sign Ins are those that have been identified as “anomalous” by our machine learning algorithms, on the basis of unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. More information about this report can be found in the table above.
Who receives the email notifications?
The email is sent to all global admins who have been assigned an Active Directory Premium license. To ensure it is delivered, we send it to the admin's Alternate Email Address as well. Admins should include aad-alerts-noreply@mail.windowsazure.com in their safe senders list so they don’t miss the email.
How often are these emails sent?
Once an email is sent, the next one will be sent only when 10 or more new Anomalous Sign In events are encountered within 30 days of sending that email.
How do I access the report mentioned in the email?
When you click on the link, you will be redirected to the report page within the Azure Management Portal. In order to access the report, you need to be both:
- An admin or co-admin of your Azure subscription
- A global administrator in the directory, and assigned an Active Directory Premium license. For more information, see Azure Active Directory editions.
Can I turn off these emails?
Yes, to turn off notifications related to anomalous sign ins within the Azure Management Portal, click Configure, and then select Disabled under the Notifications section.