Queries for the AADServicePrincipalSignInLogs table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Most active service principals

Gets list of top 100 most active service principals for the last day.

AADServicePrincipalSignInLogs
| where TimeGenerated > ago(1d)
| summarize CountPerServicePrincipal = count() by ServicePrincipalId
| order by CountPerServicePrincipal desc
| take 100

Inactive service principals

Service principals that had no sign-ins for the last 30d.

AADServicePrincipalSignInLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0
| summarize LastSignIn = max(TimeGenerated) by ServicePrincipalId
| where LastSignIn < ago(30d)