It seems you’re encountering an issue where Windows sign-ins are not appearing in the Entra sign-in logs for certain users, even though other application authentications are recorded. Let's explore some potential causes and troubleshooting steps:
Sign-In Logs Overview
The sign-in logs in Microsoft Entra ID capture all sign-ins into an Azure tenant, including internal apps and resources. These logs provide valuable insights into user access patterns. There are four types of logs in the sign-in logs preview:
- Interactive user sign-ins: Typical user interactions.
- Non-interactive user sign-ins: Service or application access on behalf of a user.
- Service principal sign-ins: Service accounts or applications accessing resources.
- Managed identity sign-ins: Managed identities for Azure resources accessing resources.
For more details on sign-in logs, please visit the Microsoft Entra sign-in logs documentation.
Troubleshooting Steps
Let's start by checking the sign-in logs for the affected users:
- Open the Azure portal: Azure Portal.
- Navigate to Azure AD > Users and select the user in question.
- Under the user’s profile, click on Sign-in logs to view their sign-in history.
Look for any patterns or discrepancies related to Windows sign-ins. Pay attention to the following:
- Authentication methods: Ensure users are using the expected methods (e.g., password, MFA, device-based authentication).
- Conditional Access policies: Check if any policies are affecting Windows sign-ins.
- Device information: Verify that devices are correctly registered and hybrid joined.
Since you've noticed this issue with VDI users, investigate whether there are specific VDI-related factors causing the discrepancy.
For more details on troubleshooting, you can refer to the Azure AD sign-in troubleshooting guide.
Additional Considerations
- Device registration: Ensure that devices are properly registered with Azure AD.
- Hybrid join: Confirm that hybrid-joined devices are correctly configured.
- Application-specific issues: Investigate if there are specific applications or scenarios where Windows sign-ins are not being recorded.
- Logs and diagnostics: Use the Sign-in diagnostics feature to explore detailed information about specific sign-in events. For more information, check out the sign-in diagnostics documentation.
Sometimes, delays in log processing can occur, so allow some time for logs to update. Keep an eye on any changes to your environment (e.g., updates, policy changes) that might impact sign-ins.