How to access activity logs in Microsoft Entra ID
The data collected in your Microsoft Entra logs enables you to assess many aspects of your Microsoft Entra tenant. To cover a broad range of scenarios, Microsoft Entra ID provides you with several options to access your activity log data. As an IT administrator, you need to understand the intended uses cases for these options, so that you can select the right access method for your scenario.
You can access Microsoft Entra activity logs and reports using the following methods:
- Stream activity logs to an event hub to integrate with other tools
- Access activity logs through the Microsoft Graph API
- Integrate activity logs with Azure Monitor logs
- Monitor activity in real-time with Microsoft Sentinel
- View activity logs and reports in the Azure portal
- Export activity logs for storage and queries
Each of these methods provides you with capabilities that might align with certain scenarios. This article describes those scenarios, including recommendations and details about related reports that use the data in the activity logs. Explore the options in this article to learn about those scenarios so you can choose the right method.
Prerequisites
The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance. For a full list of roles, see Least privileged roles by task.
Log / Report | Roles | Licenses |
---|---|---|
Audit logs | Reports Reader Security Reader Security Administrator |
All editions of Microsoft Entra ID |
Sign-in logs | Reports Reader Security Reader Security Administrator |
All editions of Microsoft Entra ID |
Provisioning logs | Reports Reader Security Reader Application Administrator Cloud App Administrator |
Microsoft Entra ID P1 or P2 |
Custom security attribute audit logs* | Attribute Log Administrator Attribute Log Reader |
All editions of Microsoft Entra ID |
Health | Reports Reader Security Reader Helpdesk Administrator |
Microsoft Entra ID P1 or P2 |
Microsoft Entra ID Protection** | Security Administrator Security Operator Security Reader Global Reader |
Microsoft Entra ID Free Microsoft 365 Apps Microsoft Entra ID P1 or P2 |
Microsoft Graph activity logs | Security Administrator Permissions to access data in the corresponding log destination |
Microsoft Entra ID P1 or P2 |
Usage and insights | Reports Reader Security Reader Security Administrator |
Microsoft Entra ID P1 or P2 |
*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.
**The level of access and capabilities for Microsoft Entra ID Protection varies with the role and license. For more information, see the license requirements for ID Protection.
Audit logs are available for features that you have licensed. To access the sign-in logs using the Microsoft Graph API, your tenant must have a Microsoft Entra ID P1 or P2 license associated with it.
View logs through the Microsoft Entra admin center
For one-off investigations with a limited scope, the Microsoft Entra admin center is often the easiest way to find the data you need. The user interface for each of these reports provides you with filter options enabling you to find the entries you need to solve your scenario.
The data captured in the Microsoft Entra activity logs are used in many reports and services. You can review the sign-in, audit, and provisioning logs for one-off scenarios or use reports to look at patterns and trends. The data from the activity logs help populate the Identity Protection reports, which provide information security related risk detections that Microsoft Entra ID can detect and report on. Microsoft Entra activity logs also populate Usage and insights reports, which provide usage details for your tenant's applications.
Recommended uses
The reports available in the Azure portal provide a wide range of capabilities to monitor activities and usage in your tenant. The following list of uses and scenarios isn't exhaustive, so explore the reports for your needs.
- Research a user's sign-in activity or track an application's usage.
- Review details around group name changes, device registration, and password resets with audit logs.
- Use the Identity Protection reports for monitoring at risk users, risky workload identities, and risky sign-ins.
- Review the sign-in success rate in the Microsoft Entra application activity (preview) report from Usage and insights to ensure that your users can access the applications in use in your tenant.
- Compare the different authentication methods your users prefer with the Authentication methods report from Usage and insights.
Quick steps
Use the following basic steps to access the reports in the Microsoft Entra admin center.
- Browse to Identity > Monitoring & health > Audit logs/Sign-in logs/Provisioning logs.
- Adjust the filter according to your needs.
Audit logs can be accessed directly from the area of the Microsoft Entra admin center where you're working. For example, if you're in the Groups or Licenses section of Microsoft Entra ID, you can access the audit logs for those specific activities directly from that area. When you access the audit logs in this way, the filter categories are automatically set. If you're in Groups, the audit log filter category is set to GroupManagement.
Stream logs to an event hub to integrate with SIEM tools
Streaming your activity logs to an event hub is required to integrate your activity logs with Security Information and Event Management (SIEM) tools, such as Splunk and SumoLogic. Before you can stream logs to an event hub, you need to set up an Event Hubs namespace and an event hub in your Azure subscription.
Recommended uses
The SIEM tools you can integrate with your event hub can provide analysis and monitoring capabilities. If you're already using these tools to ingest data from other sources, you can stream your identity data for more comprehensive analysis and monitoring. We recommend streaming your activity logs to an event hub for the following types of scenarios:
- You need a big data streaming platform and event ingestion service to receive and process millions of events per second.
- You're looking to transform and store data by using a real-time analytics provider or batching/storage adapters.
Quick steps
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Create an Event Hubs namespace and event hub.
- Browse to Identity > Monitoring & health > Diagnostic settings.
- Choose the logs you want to stream, select the Stream to an event hub option, and complete the fields.
Your independent security vendor should provide you with instructions on how to ingest data from Azure Event Hubs into their tool.
Access logs with the Microsoft Graph API
The Microsoft Graph API provides a unified programmability model that you can use to access data for your Microsoft Entra ID P1 or P2 tenants. It doesn't require an administrator or developer to set up extra infrastructure to support your script or app.
Tip
Steps in this article might vary slightly based on the portal you start from.
Recommended uses
Using Microsoft Graph explorer, you can run queries to help you with the following types of scenarios:
- View tenant activities such as who made a change to a group and when.
- Mark a Microsoft Entra sign-in event as safe or confirmed compromised.
- Retrieve a list of application sign-ins for the last 30 days.
Note
Microsoft Graph allows you to access data from multiple services that impose their own throttling limits. For more information on activity log throttling, see Microsoft Graph service-specific throttling limits.
Quick steps
- Configure the prerequisites.
- Sign in to Graph Explorer.
- Set the HTTP method and API version.
- Add a query then select the Run query button.
Integrate logs with Azure Monitor logs
With the Azure Monitor logs integration, you can enable rich visualizations, monitoring, and alerting on the connected data. Log Analytics provides enhanced query and analysis capabilities for Microsoft Entra activity logs. To integrate Microsoft Entra activity logs with Azure Monitor logs, you need a Log Analytics workspace. From there, you can run queries through Log Analytics.
Recommended uses
Integrating Microsoft Entra logs with Azure Monitor logs provides a centralized location for querying logs. We recommend integrating logs with Azure Monitor for the following types of scenarios:
- Compare Microsoft Entra sign-in logs with logs published by other Azure services.
- Correlate sign-in logs against Azure Application insights.
- Query logs using specific search parameters.
Quick steps
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Create a Log Analytics workspace.
- Browse to Identity > Monitoring & health > Diagnostic settings.
- Choose the logs you want to stream, select the Send to Log Analytics workspace option, and complete the fields.
- Browse to Identity > Monitoring & health > Log Analytics and begin querying the data.
Monitor events with Microsoft Sentinel
Sending sign-in and audit logs to Microsoft Sentinel provides your security operations center with near real-time security detection and threat hunting. The term threat hunting refers to a proactive approach to improve the security posture of your environment. As opposed to classic protection, threat hunting tries to proactively identify potential threats that might harm your system. Your activity log data might be part of your threat hunting solution.
Recommended uses
We recommend using the real-time security detection capabilities of Microsoft Sentinel if your organization needs security analytics and threat intelligence. Use Microsoft Sentinel if you need to:
- Collect security data across your enterprise.
- Detect threats with vast threat intelligence.
- Investigate critical incidents guided by AI.
- Respond rapidly and automate protection.
Quick steps
- Learn about the prerequisites, roles, and permissions.
- Estimate potential costs.
- Onboard to Microsoft Sentinel.
- Collect Microsoft Entra data.
- Begin hunting for threats.
Export logs for storage and queries
The right solution for your long-term storage depends on your budget and what you plan on doing with the data. You've got three options:
- Archive logs to Azure Storage
- Download logs for manual storage
- Integrate logs with Azure Monitor logs
Azure Storage is the right solution if you aren't planning on querying your data often. For more information, see Archive directory logs to a storage account.
If you plan to query the logs often to run reports or perform analysis on the stored logs, you should integrate your data with Azure Monitor logs.
If your budget is tight, and you need a cheap method to create a long-term backup of your activity logs, you can manually download your logs. The user interface of the activity logs in the portal provides you with an option to download the data as JSON or CSV. One trade off of the manual download is that it requires more manual interaction. If you're looking for a more professional solution, use either Azure Storage or Azure Monitor.
Recommended uses
We recommend setting up a storage account to archive your activity logs for those governance and compliance scenarios where long-term storage is required.
If you want to long-term storage and you want to run queries against the data, review the section on integrating your activity logs with Azure Monitor Logs.
We recommend manually downloading and storing your activity logs if you have budgetary constraints.
Quick steps
Use the following basic steps to archive or download your activity logs.
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Create a storage account.
- Browse to Identity > Monitoring & health > Diagnostic settings.
- Choose the logs you want to stream, select the Archive to a storage account option, and complete the fields.