What are flagged sign-ins in Microsoft Entra ID?
As an IT admin, when a user failed to sign-in, you want to resolve the issue as soon as possible to unblock your user. Due to the amount of available data in the sign-ins log, locating the right information can be a challenge.
This article gives you an overview of a feature that significantly improves the time it takes to resolve user sign-in problems by making the related problems easy to find.
What are flagged sign-ins?
Microsoft Entra sign-in events are critical to understanding what went right or wrong with user sign-ins and the authentication configuration in a tenant. However, Microsoft Entra ID processes over 8 billion authentications a day, which can result in so many sign-in events that admins may find it difficult to find the ones which matter. In other words, the sheer number of sign-in events can make the signal of users who need assistance get lost in the volume of a large number of events.
Flagged Sign-ins is a feature intended to increase the signal to noise ratio for user sign-ins requiring help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Admins and help desk workers also benefit from finding the right events more efficiently. Flagged Sign-in events contain the same information as other sign-in events contain with one addition: they also indicate that a user flagged the event for review by admins.
Flagged sign-ins give the user the ability to enable flagging when an error is seen on a sign-in page and then reproduce that error. The error event then appears as “Flagged for Review” in the Microsoft Entra sign-ins log.
In summary, you can use flagged sign-ins to:
Empower users to indicate the sign-in errors they need their tenant admins help on.
Simplify the process of locating the sign-in errors a user needs to be resolved.
Enable help desk personal find the problems users want help with proactively- without the end user having to do anything other than flag the event.
How it works
Flagged sign-ins gives you the ability to enable flagging when signing in using a browser and receiving an authentication error. When a user sees a sign-in error, they can select to enable flagging. For the next 20 minutes, any sign-in event from that user, on the same browser and client device or computer, will show “Flagged for Review: Yes” in the Sign-ins Report. After 20 minutes, the flagging automatically turns off.
User: How to flag an error
- The user receives an error during sign-in.
- The user selects View details in the error page.
- In Troubleshooting details, select Enable Flagging. The text changes to Disable Flagging. Flagging is now enabled.
- Close the browser window.
- Open a new browser window (in the same browser application) and attempt the same sign-in that failed.
- Reproduce the sign-in error that was seen before.
With flagging enabled, the same browser application and client must be used or the events aren't flagged.
Admin: Find flagged events in reports
- Sign in to the Microsoft Entra admin center as at least a Global Reader.
- Browse to Identity > Monitoring & health > Sign-in logs.
- Open the Add filters menu and select Flagged for review. All events that were flagged by users are shown.
- If needed, apply more filters to refine the event view.
- Select the event to review what happened.
Admin or Developer: Find flagged events using MS Graph
You can find flagged sign-ins with a filtered query using the sign-ins reporting API.
Show all Flagged Sign-ins:
https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=flaggedforReview eq true
Flagged Sign-ins query for specific user by UPN (for example: email@example.com):
https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=flaggedforReview eq true and userPrincipalname eq 'firstname.lastname@example.org'
Flagged Sign-ins query for specific user and date greater than:
https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=flaggedforReview eq true and createdDateTime ge 2021-10-01 and userPrincipalname eq 'email@example.com'
For more information on using the sign-ins Graph API, see signIn resource type.
Who can create flagged sign-ins?
Any user signing into Microsoft Entra ID via web page can use flag sign-ins for review. Member and guest users alike can flag sign-in errors for review.
Who can review flagged sign-ins?
Reviewing flagged sign-in events requires permissions to read the sign-in report events in the Azure portal. For more information, see How to access activity logs.
To flag sign-in failures, you don't need extra permissions.
What you should know
While the names are similar, flagged sign-ins and risky sign-ins are different capabilities:
- Flagged sign-ins are sign-in error events users are asking assistance on.
- A risky sign-in is a functionality of identity protection. For more information, see what is identity protection.