signIn resource type

Namespace: microsoft.graph

Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.

The Microsoft Entra data retention policies govern the availability of sign-in logs.

Methods

Method Return Type Description
List signIn signIn Read properties and relationships of signIn objects.
Get signIn signIn Read properties and relationships of signIn object.

Properties

Property Type Description
appDisplayName String App name displayed in the Microsoft Entra admin center.

Supports $filter (eq, startsWith).
appId String Unique GUID representing the app ID in the Microsoft Entra ID.

Supports $filter (eq).
appliedConditionalAccessPolicies appliedConditionalAccessPolicy collection Provides a list of conditional access policies that are triggered by the corresponding sign-in activity. Apps need additional Conditional Access-related privileges to read the details of this property. For more information, see Viewing applied conditional access (CA) policies in sign-ins.
clientAppUsed String Identifies the client used for the sign-in activity. Modern authentication clients include Browser, modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients.

Supports $filter (eq).
conditionalAccessStatus conditionalAccessStatus Reports status of an activated conditional access policy. Possible values are: success, failure, notApplied, and unknownFutureValue.

Supports $filter (eq).
correlationId String The request ID sent from the client when the sign-in is initiated; used to troubleshoot sign-in activity.

Supports $filter (eq).
createdDateTime DateTimeOffset Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z.

Supports $orderby, $filter (eq, le, and ge).
deviceDetail deviceDetail Device information from where the sign-in occurred; includes device ID, operating system, and browser.

Supports $filter (eq, startsWith) on browser and operatingSytem properties.
id String Unique ID representing the sign-in activity.

Supports $filter (eq).
ipAddress String IP address of the client used to sign in.

Supports $filter (eq, startsWith).
isInteractive Boolean Indicates if a sign-in is interactive or not.
location signInLocation Provides the city, state, and country code where the sign-in originated.

Supports $filter (eq, startsWith) on city, state, and countryOrRegion properties.
resourceDisplayName String Name of the resource the user signed into.

Supports $filter (eq).
resourceId String ID of the resource that the user signed into.

Supports $filter (eq).
riskDetail riskDetail Provides the 'reason' behind a specific state of a risky user, sign-in or a risk event. The possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, unknownFutureValue. The value none means that no action has been performed on the user or sign-in so far. Supports $filter (eq).
Note: Details for this property require a Microsoft Entra ID P2 license. Other licenses return the value hidden.
riskEventTypes riskEventType collection Risk event types associated with the sign-in. The possible values are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.

Supports $filter (eq).
riskEventTypes_v2 String collection The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.

Supports $filter (eq, startsWith).
riskLevelAggregated riskLevel Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection.

Supports $filter (eq).
Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.
riskLevelDuringSignIn riskLevel Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection.

Supports $filter (eq).
Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.
riskState riskState Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue.

Supports $filter (eq).
status signInStatus Sign-in status. Includes the error code and description of the error (if there's a sign-in failure).

Supports $filter (eq) on errorCode property.
userDisplayName String Display name of the user that initiated the sign-in.

Supports $filter (eq, startsWith).
userId String ID of the user that initiated the sign-in.

Supports $filter (eq).
userPrincipalName String User principal name of the user that initiated the sign-in.

Supports $filter (eq, startsWith).

Relationships

None

JSON representation

Here's a JSON representation of the resource.

{
  "id": "String (identifier)",
  "createdDateTime": "String (timestamp)",
  "appDisplayName": "String",
  "appId": "String",
  "ipAddress": "String",
  "clientAppUsed": "String",
  "correlationId": "String",
  "conditionalAccessStatus": "string",
  "appliedConditionalAccessPolicy": [{"@odata.type": "microsoft.graph.appliedConditionalAccessPolicy"}],
  "isInteractive": true,
  "deviceDetail": {"@odata.type": "microsoft.graph.deviceDetail"},
  "location": {"@odata.type": "microsoft.graph.signInLocation"},
  "riskDetail": "string",
  "riskLevelAggregated": "string",
  "riskLevelDuringSignIn": "string",
  "riskState": "string",
  "riskEventTypes": ["string"],
  "riskEventTypes_v2": ["String"],
  "resourceDisplayName": "string",
  "resourceId": "string",
  "status": {"@odata.type": "microsoft.graph.signInStatus"},
  "userDisplayName": "string",
  "userId": "string",
  "userPrincipalName": "string"
}