Queries for the AADNonInteractiveUserSignInLogs table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Users with multiple cities

Get the list of users who signed in from multiple cities in the last day.

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1d)
| extend City = parse_json(LocationDetails).city
| summarize CountPerCity = dcount(tostring(City)) by UserId
| where CountPerCity > 1
| order by CountPerCity desc
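
The following variant is an added example, not one of the original queries on this page. It drops sign-ins whose city is empty so an unresolved location is not treated as a city, and it returns the cities, IP addresses and time span behind each count so a reviewer can triage a hit. The `SampleSignIns` name and its rows are constructed for illustration; the column names match those used in the queries on this page.

```kusto
// Constructed sample rows standing in for AADNonInteractiveUserSignInLogs.
// Against a real workspace, replace SampleSignIns with the table name and
// add: | where TimeGenerated > ago(1d)
let SampleSignIns = datatable(TimeGenerated: datetime, UserId: string, IPAddress: string, LocationDetails: string)
[
    datetime(2024-01-01 08:00:00), "user-a", "192.0.2.10",   '{"city":"Seattle","countryOrRegion":"US"}',
    datetime(2024-01-01 08:20:00), "user-a", "198.51.100.7", '{"city":"Dublin","countryOrRegion":"IE"}',
    datetime(2024-01-01 09:00:00), "user-b", "192.0.2.44",   '{"city":"Austin","countryOrRegion":"US"}',
    datetime(2024-01-01 09:05:00), "user-b", "192.0.2.45",   '{"city":"","countryOrRegion":"US"}',
    datetime(2024-01-01 10:00:00), "user-c", "203.0.113.5",  '{"city":"Paris","countryOrRegion":"FR"}'
];
SampleSignIns
// LocationDetails is a JSON string; extract the city as a plain string.
| extend City = tostring(parse_json(LocationDetails).city)
// Skip rows where no city was resolved.
| where isnotempty(City)
| summarize
    CountPerCity = dcount(City),
    Cities = make_set(City),
    IPAddresses = make_set(IPAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserId
| where CountPerCity > 1
// A short window between distant cities deserves a closer look.
| extend Window = LastSeen - FirstSeen
| order by CountPerCity desc, Window asc
```

`dcount` is an estimate, so `CountPerCity` can differ slightly from the size of the `Cities` set on very large inputs.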

Most active IP addresses

Get the list of the top 100 most active IP addresses for the last day.

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1d)
| summarize CountPerIPAddress = count() by IPAddress
| order by CountPerIPAddress desc
| take 100