What are the identity logs you can stream to an endpoint?
Using Microsoft Entra diagnostic settings, you can route activity logs to several endpoints for long term retention and data insights. You select the logs you want to route, then select the endpoint.
This article describes the logs that you can route to an endpoint with Microsoft Entra diagnostic settings.
Log streaming requirements and options
Setting up an endpoint, such as an event hub or storage account, may require different roles and licenses. To create or edit a new diagnostic setting, you need a user who's a Security Administrator or Global Administrator for the Microsoft Entra tenant.
To help decide which log routing option is best for you, see How to access activity logs. The overall process and requirements for each endpoint type are covered in the following articles:
- Send logs to a Log Analytics workspace to integrate with Azure Monitor logs
- Archive logs to a storage account
- Stream logs to an event hub
- Send to a partner solution
Activity log options
The following logs can be routed to an endpoint for storage, analysis, or monitoring.
AuditLogs report capture changes to applications, groups, users, and licenses in your Microsoft Entra tenant. Once you've routed your audit logs, you can filter or analyze by date/time, the service that logged the event, and who made the change. For more information, see Audit logs.
SignInLogs send the interactive sign-in logs, which are logs generated by your users signing in. Sign-in logs are generated by users providing their username and password on a Microsoft Entra sign-in screen or passing an MFA challenge. For more information, see Interactive user sign-ins.
Non-interactive sign-in logs
NonInteractiveUserSIgnInLogs are sign-ins done on behalf of a user, such as by a client app. The device or client uses a token or code to authenticate or access a resource on behalf of a user. For more information, see Non-interactive user sign-ins.
Service principal sign-in logs
If you need to review sign-in activity for apps or service principals, the
ServicePrincipalSignInLogs may be a good option. In these scenarios, certificates or client secrets are used for authentication. For more information, see Service principal sign-ins.
Managed identity sign-in logs
ManagedIdentitySignInLogs provide similar insights as the service principal sign-in logs, but for managed identities, where Azure manages the secrets. For more information, see Managed identity sign-ins.
If your organization provisions users through a third-party application such as Workday or ServiceNow, you may want to export the
ProvisioningLogs reports. For more information, see Provisioning logs.
AD FS sign-in logs
Sign-in activity for Active Directory Federated Services (AD FS) applications are captured in this Usage and insight reports. You can export the
ADFSSignInLogs report to monitor sign-in activity for AD FS applications. For more information, see AD FS sign-in logs.
RiskyUsers logs identify users who are at risk based on their sign-in activity. This report is part of Microsoft Entra ID Protection and uses sign-in data from Microsoft Entra ID. For more information, see What is Microsoft Entra ID Protection?.
User risk events
UserRiskEvents logs are part of Microsoft Entra ID Protection. These logs capture details about risky sign-in events. For more information, see How to investigate risk.
Risky service principals
RiskyServicePrincipals logs provide information about service principals that Microsoft Entra ID Protection detected as risky. Service principal risk represents the probability that an identity or account is compromised. These risks are calculated asynchronously using data and patterns from Microsoft's internal and external threat intelligence sources. These sources may include security researchers, law enforcement professionals, and security teams at Microsoft. For more information, see Securing workload identities
Service principal risk events
ServicePrincipalRiskEvents logs provide details around the risky sign-in events for service principals. These logs may include any identified suspicious events related to the service principal accounts. For more information, see Securing workload identities
Enriched Microsoft 365 audit logs
EnrichedOffice365AuditLogs logs are associated with the enriched logs you can enable for Microsoft Entra Internet Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet to secure access to your Microsoft 365 traffic and you enabled the enriched logs. For more information, see How to use the Global Secure Access enriched Microsoft 365 logs.
Microsoft Graph activity logs
MicrosoftGraphActivityLogs provide administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace with
SignInLogs to cross-reference details of token requests for sign-in logs. For more information, see Access Microsoft Graph activity logs (preview).
Network access traffic logs
NetworkAccessTrafficLogs logs are associated with Microsoft Entra Internet Access and Microsoft Entra Private Access. The logs are visible in Microsoft Entra ID, but selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources. For more information, see What is Global Secure Access?.