signIn resource type
Namespace: microsoft.graph
Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.
The Microsoft Entra data retention policies govern the availability of sign-in logs.
Methods
| Method | Return Type | Description |
|---|---|---|
| List signIn | signIn | Read properties and relationships of signIn objects. |
| Get signIn | signIn | Read properties and relationships of signIn object. |
Properties
| Property | Type | Description |
|---|---|---|
| appDisplayName | String | App name displayed in the Microsoft Entra admin center. Supports $filter (eq, startsWith). |
| appId | String | Unique GUID representing the app ID in the Microsoft Entra ID. Supports $filter (eq). |
| appliedConditionalAccessPolicies | appliedConditionalAccessPolicy collection | Provides a list of conditional access policies that are triggered by the corresponding sign-in activity. Apps need additional Conditional Access-related privileges to read the details of this property. For more information, see Viewing applied conditional access (CA) policies in sign-ins. |
| clientAppUsed | String | Identifies the client used for the sign-in activity. Modern authentication clients include Browser, modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq). |
| conditionalAccessStatus | conditionalAccessStatus | Reports status of an activated conditional access policy. Possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq). |
| correlationId | String | The request ID sent from the client when the sign-in is initiated; used to troubleshoot sign-in activity. Supports $filter (eq). |
| createdDateTime | DateTimeOffset | Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby, $filter (eq, le, and ge). |
| deviceDetail | deviceDetail | Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq, startsWith) on browser and operatingSytem properties. |
| id | String | Unique ID representing the sign-in activity. Supports $filter (eq). |
| ipAddress | String | IP address of the client used to sign in. Supports $filter (eq, startsWith). |
| isInteractive | Boolean | Indicates if a sign-in is interactive or not. |
| location | signInLocation | Provides the city, state, and country code where the sign-in originated. Supports $filter (eq, startsWith) on city, state, and countryOrRegion properties. |
| resourceDisplayName | String | Name of the resource the user signed into. Supports $filter (eq). |
| resourceId | String | ID of the resource that the user signed into. Supports $filter (eq). |
| riskDetail | riskDetail | Provides the 'reason' behind a specific state of a risky user, sign-in or a risk event. The possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, unknownFutureValue. The value none means that no action has been performed on the user or sign-in so far. Supports $filter (eq).Note: Details for this property require a Microsoft Entra ID P2 license. Other licenses return the value hidden. |
| riskEventTypes | riskEventType collection | Risk event types associated with the sign-in. The possible values are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue. Supports $filter (eq). |
| riskEventTypes_v2 | String collection | The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq, startsWith). |
| riskLevelAggregated | riskLevel | Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden. |
| riskLevelDuringSignIn | riskLevel | Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden. |
| riskState | riskState | Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq). |
| status | signInStatus | Sign-in status. Includes the error code and description of the error (if there's a sign-in failure). Supports $filter (eq) on errorCode property. |
| userDisplayName | String | Display name of the user that initiated the sign-in. Supports $filter (eq, startsWith). |
| userId | String | ID of the user that initiated the sign-in. Supports $filter (eq). |
| userPrincipalName | String | User principal name of the user that initiated the sign-in. Supports $filter (eq, startsWith). |
Relationships
None
JSON representation
Here's a JSON representation of the resource.
{
"id": "String (identifier)",
"createdDateTime": "String (timestamp)",
"appDisplayName": "String",
"appId": "String",
"ipAddress": "String",
"clientAppUsed": "String",
"correlationId": "String",
"conditionalAccessStatus": "string",
"appliedConditionalAccessPolicy": [{"@odata.type": "microsoft.graph.appliedConditionalAccessPolicy"}],
"isInteractive": true,
"deviceDetail": {"@odata.type": "microsoft.graph.deviceDetail"},
"location": {"@odata.type": "microsoft.graph.signInLocation"},
"riskDetail": "string",
"riskLevelAggregated": "string",
"riskLevelDuringSignIn": "string",
"riskState": "string",
"riskEventTypes": ["string"],
"riskEventTypes_v2": ["String"],
"resourceDisplayName": "string",
"resourceId": "string",
"status": {"@odata.type": "microsoft.graph.signInStatus"},
"userDisplayName": "string",
"userId": "string",
"userPrincipalName": "string"
}
Feedback
Submit and view feedback for