Quickstart: Analyze sign-ins with the Microsoft Entra sign-in log
With the information in the Microsoft Entra sign-in log, you can figure out what happened if a sign-in of a user failed. This quickstart shows how to you can locate failed sign-in using the sign-in log.
To complete the scenario in this quickstart, you need:
- A Microsoft Entra tenant with a Premium P1 license
- A user with the Reports Reader, Security Reader, Security Administrator, or Global Administrator role for the tenant.
- A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.
Perform a failed sign-in
The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-in log.
Sign in to the Microsoft Entra admin center as Isabella Simonsen using an incorrect password.
Wait for 5 minutes to ensure that you can find the event in the sign-in log.
Find the failed sign-in
This section provides you with the steps to analyze a failed sign-in. Filter the sign-in log to remove all records that aren't relevant to your analysis. For example, set a filter to display only the records of a specific user. Then you can review the error details. The log details provide helpful information. You can also look up the error using the sign-in error lookup tool. This tool might provide you with information to troubleshoot a sign-in error.
Steps in this article may vary slightly based on the portal you start from.
Browse to Identity > Monitoring & health > Sign-in logs.
Adjust the filter to view only the records for Isabella Simonsen:
Open the Add filters, select User, and then select Apply.
In the User textbox, type Isabella Simonsen, and then select Apply.
Select the failed sign-in attempt and view the details.
Copy the Sign-in error code.
Paste the error code into the textbox of the sign-in error lookup tool, and then select Submit.
Review the outcome of the tool and determine whether it provides you with additional information.
Now, that you know how to find an entry in the sign-in log by name, you should also try to find the record using the following filters:
Date - Try to find Isabella using a Start and an End.
Status - Try to find Isabella using Status: Failure.
Clean up resources
When no longer needed, delete the test user. If you don't know how to delete a Microsoft Entra user, see Delete users from Microsoft Entra ID.