How to customize and filter identity activity logs

Sign-in logs are a commonly used tool to troubleshoot user access issues and investigate risky sign-in activity. Audit logs collect every logged event in Microsoft Entra ID and can be used to investigate changes to your environment. There are over 30 columns you can choose from to customize your view of the sign-in logs in the Microsoft Entra admin center. Audit logs and Provisioning logs can also be customized and filtered for your needs.

This article shows you how to customize the columns and then filter the logs to find the information you need more efficiently.

Prerequisites

The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance. For a full list of roles, see Least privileged roles by task.

Log / Report | Roles | Licenses
Audit logs | Reports Reader, Security Reader, Security Administrator | All editions of Microsoft Entra ID
Sign-in logs | Reports Reader, Security Reader, Security Administrator | All editions of Microsoft Entra ID
Provisioning logs | Reports Reader, Security Reader, Application Administrator, Cloud App Administrator | Microsoft Entra ID P1 or P2
Custom security attribute audit logs* | Attribute Log Administrator, Attribute Log Reader | All editions of Microsoft Entra ID
Health | Reports Reader, Security Reader, Helpdesk Administrator | Microsoft Entra ID P1 or P2
Microsoft Entra ID Protection** | Security Administrator, Security Operator, Security Reader, Global Reader | Microsoft Entra ID Free, Microsoft 365 Apps, Microsoft Entra ID P1 or P2
Microsoft Graph activity logs | Security Administrator, Permissions to access data in the corresponding log destination | Microsoft Entra ID P1 or P2
Usage and insights | Reports Reader, Security Reader, Security Administrator | Microsoft Entra ID P1 or P2

*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.

**The level of access and capabilities for Microsoft Entra ID Protection varies with the role and license. For more information, see the license requirements for ID Protection.

How to access the activity logs in the Microsoft Entra admin center

You can always access your own sign-in history at https://mysignins.microsoft.com. You can also access the sign-in logs from Users and Enterprise applications in Microsoft Entra ID.

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
  2. Browse to Identity > Monitoring & health > Audit logs/Sign-in logs/Provisioning logs.

With the information in the Microsoft Entra audit logs, you can access all records of system activities for compliance purposes. Audit logs can be accessed from the Monitoring and health section of Microsoft Entra ID, where you can sort and filter on every category and activity. You can also access audit logs in the area of the admin center for the service you're investigating.

Screenshot of the audit logs option on the side menu.

For example, if you're looking into changes to Microsoft Entra groups, you can access the Audit logs from Microsoft Entra ID > Groups. When you access the audit logs from the service, the filter is automatically adjusted according to the service.

Screenshot of the audit logs option from the Groups menu.

Customize the layout of the audit logs

You can customize the columns in the audit logs to view only the information you need. The Service, Category and Activity columns are related to each other, so these columns should always be visible.

Screenshot of the Columns button on the audit logs.

Filter the audit logs

When you filter the logs by Service, the Category and Activity details automatically change. In some cases, there might only be one Category or Activity. For a detailed table of all potential combinations of these details, see Audit activities.

Screenshot of the audit log filter with Conditional Access as the service.

  • Service: Defaults to all available services, but you can filter the list to one or more by selecting an option from the dropdown list.

  • Category: Defaults to all categories, but can be filtered to view the category of activity, such as changing a policy or activating an eligible Microsoft Entra role.

  • Activity: Based on the category and activity resource type selection you make. You can select a specific activity you want to see or choose all.

    You can get the list of all Audit Activities using the Microsoft Graph API: https://graph.windows.net/<tenantdomain>/activities/auditActivityTypesV2?api-version=beta

  • Status: Allows you to look at results based on whether the activity was a success or failure.

  • Target: Allows you to search for the target or recipient of an activity. Search by the first few letters of a name or user principal name (UPN). The target name and UPN are case-sensitive.

  • Initiated by: Allows you to search by who initiated the activity using the first few letters of their name or UPN. The name and UPN are case-sensitive.

  • Date range: Enables you to define a timeframe for the returned data. You can search the last 7 days, 24 hours, or a custom range. When you select a custom timeframe, you can configure a start time and an end time.
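
The same filters applied to exported audit records, as an added example that is not part of the original article. It assumes records exported as JSON with the Microsoft Graph directoryAudit property names; the sample records and the helper names (`_rec`, `filter_audit`) are constructed for illustration.

```python
from datetime import datetime

def _rec(when, service, category, activity, result, actor_upn, target):
    # Builds one constructed record using directoryAudit property names.
    return {"activityDateTime": when, "loggedByService": service, "category": category,
            "activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor_upn}},
            "targetResources": [{"displayName": target}]}

SAMPLE = [  # constructed data, not real tenant output
    _rec("2024-05-01T09:15:00Z", "Conditional Access", "Policy",
         "Update conditional access policy", "success", "alex@contoso.example", "Require MFA for admins"),
    _rec("2024-05-02T14:40:00Z", "Core Directory", "GroupManagement",
         "Add member to group", "failure", "Sam@contoso.example", "Finance Approvers"),
    _rec("2024-05-03T08:05:00Z", "Core Directory", "UserManagement",
         "Update user", "success", "alex@contoso.example", "Finance Intern"),
]

def _ts(value):
    # Accept the trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _names(obj):
    # Display name and UPN are both searchable; skip whichever is missing.
    return [obj[k] for k in ("displayName", "userPrincipalName") if obj.get(k)]

def filter_audit(records, services=None, category=None, activity=None, status=None,
                 target=None, initiated_by=None, start=None, end=None):
    hits = []
    for r in records:
        by = r.get("initiatedBy") or {}
        actors = _names(by.get("user") or by.get("app") or {})
        targets = [n for t in r.get("targetResources") or [] for n in _names(t)]
        when = _ts(r["activityDateTime"])
        if all((
            services is None or r["loggedByService"] in services,  # one or more services
            category is None or r["category"] == category,
            activity is None or r["activityDisplayName"] == activity,
            status is None or r["result"] == status,
            # Prefix search; str.startswith is case-sensitive, matching the Target
            # and Initiated by behavior described above.
            target is None or any(n.startswith(target) for n in targets),
            initiated_by is None or any(n.startswith(initiated_by) for n in actors),
            start is None or when >= _ts(start),
            end is None or when <= _ts(end),
        )):
            hits.append(r)
    return hits
```

Because the prefix match is case-sensitive, `target="finance"` returns nothing here while `target="Finance"` returns two records, which is worth remembering when an investigation search comes back empty.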
