Entra sign-in logs - Missing information

Hauck, Michael 1 Reputation point
2024-06-03T15:33:32.35+00:00

Hello.

For a subset of users, when looking at the Entra sign-in logs, we are seeing no Windows sign-ins under the heading of "Application" and no device information under the "Device info" tab for any other successful authentication for those users. 

For example, we know jsmith has successfully logged into a hybrid joined system but the Windows sign-in does not post in the Entra sign-in logs. All other application authentications for jsmith are present in the sign-in logs, but no device information is present.

At this point we have not definitively narrowed it down to a specific group of users, but in the handful of examples we have dug into it appears to be users in our VDI environment, though not all VDI users have this issue. 

 

We have confirmed these users are successfully logging into hybrid joined systems and have expected access and functionality. 

 

Any thoughts on cause?

 

Thank you

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

3 answers

  1. William 620 Reputation points
    2024-06-03T23:20:49.7633333+00:00

    It seems you’re encountering an issue where Windows sign-ins are not appearing in the Entra sign-in logs for certain users, even though other application authentications are recorded. Let's explore some potential causes and troubleshooting steps:

    Sign-In Logs Overview

    The sign-in logs in Microsoft Entra ID capture all sign-ins into an Azure tenant, including internal apps and resources. These logs provide valuable insights into user access patterns. There are four types of logs in the sign-in logs preview:

    • Interactive user sign-ins: Typical user interactions.
    • Non-interactive user sign-ins: Service or application access on behalf of a user.
    • Service principal sign-ins: Service accounts or applications accessing resources.
    • Managed identity sign-ins: Managed identities for Azure resources accessing resources.

    For more details on sign-in logs, please visit the Microsoft Entra sign-in logs documentation.

    Troubleshooting Steps

    Let's start by checking the sign-in logs for the affected users:

    1. Open the Azure portal: Azure Portal.
    2. Navigate to Azure AD > Users and select the user in question.
    3. Under the user’s profile, click on Sign-in logs to view their sign-in history.

    Look for any patterns or discrepancies related to Windows sign-ins. Pay attention to the following:

    • Authentication methods: Ensure users are using the expected methods (e.g., password, MFA, device-based authentication).
    • Conditional Access policies: Check if any policies are affecting Windows sign-ins.
    • Device information: Verify that devices are correctly registered and hybrid joined.

    Since you've noticed this issue with VDI users, investigate whether there are specific VDI-related factors causing the discrepancy.

    For more details on troubleshooting, you can refer to the Azure AD sign-in troubleshooting guide.

    Additional Considerations

    • Device registration: Ensure that devices are properly registered with Azure AD.
    • Hybrid join: Confirm that hybrid-joined devices are correctly configured.
    • Application-specific issues: Investigate if there are specific applications or scenarios where Windows sign-ins are not being recorded.
    • Logs and diagnostics: Use the Sign-in diagnostics feature to explore detailed information about specific sign-in events. For more information, check out the sign-in diagnostics documentation.

    Sometimes, delays in log processing can occur, so allow some time for logs to update. Keep an eye on any changes to your environment (e.g., updates, policy changes) that might impact sign-ins.


  2. Hauck, Michael 1 Reputation point
    2024-06-06T11:16:17.62+00:00

    @WilliamN

    Again, I appreciate your suggestions.

    At this point we have opened a ticket with Microsoft. I will post back when I have more information.

    Thank you


  3. Hauck, Michael 1 Reputation point
    2024-07-01T13:44:13.55+00:00

    According to Microsoft, the issue is that our non-persistent VDI endpoints are not properly hybrid joined, which is a requirement for device information to be present in the sign-in logs.

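
One way to scope which users show the symptom described in this thread, as an added example that is not part of the original posts: it reads sign-in records exported as JSON and lists users whose successful sign-ins never carry a device ID and never include a Windows sign-in. Field names follow the Microsoft Graph signIn resource; the `Windows Sign In` application name and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: display name under which Windows sign-ins appear in "Application".
WINDOWS_APP = "Windows Sign In"

# Constructed sample records shaped like Microsoft Graph signIn objects.
SAMPLE = json.loads("""[
 {"userPrincipalName": "jsmith@example.com", "appDisplayName": "Office 365 Exchange Online",
  "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "", "displayName": ""}},
 {"userPrincipalName": "jsmith@example.com", "appDisplayName": "Microsoft Teams",
  "status": {"errorCode": 0}, "deviceDetail": {"deviceId": ""}},
 {"userPrincipalName": "adoe@example.com", "appDisplayName": "Windows Sign In",
  "status": {"errorCode": 0},
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-000000000001", "displayName": "LAPTOP-01"}},
 {"userPrincipalName": "adoe@example.com", "appDisplayName": "Microsoft Teams",
  "status": {"errorCode": 0}, "deviceDetail": {"deviceId": ""}},
 {"userPrincipalName": "bkim@example.com", "appDisplayName": "Microsoft Teams",
  "status": {"errorCode": 50126}, "deviceDetail": {"deviceId": ""}}
]""")


def users_missing_device_info(records, windows_app=WINDOWS_APP):
    """Return sorted UPNs whose successful sign-ins have no device ID at all
    and include no Windows sign-in (the symptom described in the question)."""
    stats = defaultdict(lambda: {"ok": 0, "with_device": 0, "windows": 0})
    for rec in records:
        # Only successful sign-ins count; errorCode 0 means success.
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue
        s = stats[(rec.get("userPrincipalName") or "").lower()]
        s["ok"] += 1
        # A record from a properly joined device carries a non-empty deviceId.
        if ((rec.get("deviceDetail") or {}).get("deviceId") or "").strip():
            s["with_device"] += 1
        if rec.get("appDisplayName") == windows_app:
            s["windows"] += 1
    # Users with some device-bearing records are not flagged: browser or
    # non-interactive sign-ins often lack device details on healthy machines.
    return sorted(u for u, s in stats.items()
                  if s["ok"] and not s["with_device"] and not s["windows"])


if __name__ == "__main__":
    print(users_missing_device_info(SAMPLE))
```

Comparing the resulting list against the accounts that use the non-persistent VDI pool shows whether the symptom lines up with those endpoints.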