What are Microsoft Entra sign-in logs?
Microsoft Entra logs all sign-ins into a Microsoft Entra tenant, which includes your internal apps and resources. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly.
Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services. The sign-in logs provided by Microsoft Entra ID are a powerful type of activity log that you can analyze. This article describes several key aspects of the sign-in logs.
Two other activity logs are also available to help monitor the health of your tenant:
- Audit – Information about changes applied to your tenant, such as users and group management or updates applied to your tenant’s resources.
- Provisioning – Activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
License and role requirements
The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance. For a full list of roles, see Least privileged roles by task.
| Log / Report | Roles | Licenses |
|---|---|---|
| Audit logs | Reports Reader Security Reader Security Administrator |
All editions of Microsoft Entra ID |
| Sign-in logs | Reports Reader Security Reader Security Administrator |
All editions of Microsoft Entra ID |
| Provisioning logs | Reports Reader Security Reader Application Administrator Cloud App Administrator |
Microsoft Entra ID P1 or P2 |
| Custom security attribute audit logs* | Attribute Log Administrator Attribute Log Reader |
All editions of Microsoft Entra ID |
| Health | Reports Reader Security Reader Helpdesk Administrator |
Microsoft Entra ID P1 or P2 |
| Microsoft Entra ID Protection** | Security Administrator Security Operator Security Reader Global Reader |
Microsoft Entra ID Free Microsoft 365 Apps Microsoft Entra ID P1 or P2 |
| Microsoft Graph activity logs | Security Administrator Permissions to access data in the corresponding log destination |
Microsoft Entra ID P1 or P2 |
| Usage and insights | Reports Reader Security Reader Security Administrator |
Microsoft Entra ID P1 or P2 |
*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.
**The level of access and capabilities for Microsoft Entra ID Protection varies with the role and license. For more information, see the license requirements for ID Protection.
What can you do with sign-in logs?
You can use the sign-in logs to answer questions such as:
- How many users signed into a particular application this week?
- How many failed sign-in attempts occurred in the last 24 hours?
- Are users signing in from specific browsers or operating systems?
- Which of my Azure resources were accessed by managed identities and service principals?
You can also describe the activity associated with a sign-in request by identifying the following details:
- Who – The identity (User) performing the sign-in.
- How – The client (Application) used for the sign-in.
- What – The target (Resource) accessed by the identity.
How do you access the sign-in logs?
There are several ways to access the logs, depending on your needs. For more information, see How to access activity logs.
To view the sign-in logs from the Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center as at least a Reports Reader.
- Browse to Identity> Monitoring & health > Sign-in logs.
To more effectively use the sign-in logs in the Microsoft Entra admin center, adjust the filters to only view a specific set of logs. For more information, see Filter sign-in logs.
What are the types of sign-in logs?
There are four types of logs in the sign-in logs preview:
- Interactive user sign-ins
- Non-interactive user sign-ins
- Service principal sign-ins
- Managed identity sign-ins
The classic sign-in logs only include interactive user sign-ins.
Note
Entries in the sign-in logs are system generated and can't be changed or deleted.
Sign-in data used by other services
Sign-in data is used by several services in Azure and Microsoft Entra to monitor risky sign-ins, provide insight into application usage, and more.
Microsoft Entra ID Protection
Sign-in log data visualization that relates to risky sign-ins is available in the Microsoft Entra ID Protection overview, which uses the following data:
- Risky users
- Risky user sign-ins
- Risky workload identities
For more information about the Microsoft Entra ID Protection tools, see the Microsoft Entra ID Protection overview.
Microsoft Entra Usage and insights
To view application-specific sign-in data, browse to Microsoft Entra ID > Monitoring & health > Usage & insights. These reports provide a closer look at sign-ins for Microsoft Entra application activity and AD FS application activity. For more information, see Microsoft Entra Usage & insights.
There are several reports available in Usage & insights. Some of these reports are in preview.
- Microsoft Entra application activity (preview)
- AD FS application activity
- Authentication methods activity
- Service principal sign-in activity
- Application credential activity
Microsoft 365 activity logs
You can view Microsoft 365 activity logs from the Microsoft 365 admin center. Microsoft 365 activity and Microsoft Entra activity logs share a significant number of directory resources. Only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.
You can access the Microsoft 365 activity logs programmatically by using the Office 365 Management APIs.