שתף באמצעות


View your access and usage reports

Updated: August 21, 2015

Applies To: Azure

Important

Please bear with us as we migrate this and other content to the Microsoft Azure website. This topic is no longer being updated and might become out of date. Please bookmark the updated Azure article on this subject, View your access and usage reports.

You can use Azure Active Directory’s access and usage reports to gain visibility into the integrity and security of your organization’s directory. With this information, a directory admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks.

In the full Azure Management Portal, reports are categorized in the following ways:

  • Anomaly reports - Contain sign in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to be able to make a determination about whether an event is suspicious.

  • Integrated Application report – Provides insights into how cloud applications are being used in your organization. Azure Active Directory offers integration with thousands of cloud applications.

  • Error reports – Indicate errors that may occur when provisioning accounts to external applications.

  • User-specific reports – Display device/sign in activity data for a specific user.

  • Activity logs - Contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, as well as group activity changes, and password reset and registration activity.

Note

  • Some advanced anomaly and resource usage reports are only available when you enable Azure Active Directory editions. Advanced reports help you improve access security, respond to potential threats and get access to analytics on device access and application usage.

  • Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Windows Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.

The following reports are used for monitoring directory-wide user sign ins to Azure Active Directory.

Report Description Report Location Available for free Available with Premium

                                                                     Category: Anomaly Reports

Sign ins from unknown sources

This report indicates users who have successfully signed in to your directory while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users that want to hide their computer’s IP address, and may be used for malicious intent – sometimes hackers use these proxies.

Results from this report will show the number of times a user successfully signed in to your directory from that address and the proxy’s IP address.

Found under the Directory > Reports tab


        Checklist


         Checklist

Sign ins after multiple failures

This report indicates users who have successfully signed in after multiple consecutive failed sign in attempts. Possible causes include:

  • User had forgotten their password

  • User is the victim of a successful password guessing brute force attack

Results from this report will show you the number of consecutive failed sign in attempts made prior to the successful sign in and a timestamp associated with the first successful sign in.

Report Settings: You can configure the minimum number of consecutive failed sign in attempts that must occur before it can be displayed in the report. When you make changes to this setting it is important to note that these changes will not be applied to any existing failed sign ins that currently show up in your existing report. However, they will be applied to all future sign ins. Changes to this report can only be made by licensed admins.

Found under the Directory > Reports tab


        Checklist


         Checklist

Sign ins from multiple geographies

This report includes successful sign in activities from a user where two sign ins appeared to originate from different regions and the time between the sign ins makes it impossible for the user to have travelled between those regions. Possible causes include:

  • User is sharing their password

  • User is using a remote desktop to launch a web browser for sign in

  • A hacker has signed in to the account of a user from a different country.

Results from this report will show you the successful sign in events, together with the time between the sign ins, the regions where the sign ins appeared to originate from and the estimated travel time between those regions.

noteNote
The travel time shown is only an estimate and may be different from the actual travel time between the locations. Also, no events are generated for sign ins between neighboring regions.

Found under the Directory > Reports tab


        Checklist


         Checklist

Sign ins from IP addresses with suspicious activity

This report includes sign in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign in attempts from the same IP address over a short period of time, and other activity that was deemed suspicious. This may indicate that a hacker has been trying to sign in from this IP address.

Results from this report will show you sign in attempts that were originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in.

Found under the Directory > Reports tab


         Checklist

Anomalous sign in activity

This report includes sign ins that have been identified as “anomalous” by our machine learning algorithms. Reasons for marking a sign in attempt as irregular include unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. The machine learning algorithm classifies events as “anomalous” or “suspicious”, where “suspicious” indicates a higher likelihood of a security breach.

Results from this report will show you these sign ins, together with the classification, location and a timestamp associated with each sign in.

noteNote
We will send an email notification to the global admins if we encounter 10 or more anomalous sign in events within a span of 30 days or less. Please be sure to include aad-alerts-noreply@mail.windowsazure.com in your safe senders list.

Found under the Directory > Reports tab


         Checklist

Sign ins from possibly infected devices

Use this report when you want to see sign ins from devices on which some malware (malicious software) may be running. We correlate IP addresses of sign ins against IP addresses from which an attempt was made to contact a malware server.

Recommendation: Since this report assumes an IP address was associated with the same device in both cases, we recommend that you contact the user and scan the user's device to be certain.

For more information about how to address malware infections, see the Malware Protection Center.

Found under the Directory > Reports tab


         Checklist

Users with anomalous sign in activity

Use this report when you want to view all user accounts for which anomalous sign in activity has been identified. This report includes data from all other anomalous activity reports. Results from this report will show you details about the user, the reason why the sign in event was identified as anomalous, the date and time, and other relevant information about the event.

Found under the Directory > Reports tab


         Checklist

                                                                     Category: Integrated Application Reports

Application usage: summary

Use this report when you want to see usage for all the SaaS applications in your directory. This report is based on the number of times users have clicked on the application in the Access Panel.

Found under the Directory > Reports tab


         Checklist

Application usage: detailed

Use this report when you want to see how much a specific SaaS application is being used. This report is based on the number of times users have clicked on the application in the Access Panel.

Found under the Directory > Reports tab


         Checklist

Application dashboard

This report indicates cumulative sign ins to the application by users in your organization, over a selected time interval. The chart on the dashboard page will help you identify trends for all usage of that application.

Found under the Directory > Application > Dashboard tab


        Checklist


         Checklist

                                                                     Category: Error Reports

Account provisioning errors

Use this to monitor errors that occur during the synchronization of accounts from SaaS applications to Azure Active Directory.

Found under the Directory > Reports tab


        Checklist


         Checklist

                                                                     Category: User-specific Reports

Devices

Use this report when you want to see the IP address and geographical location of devices that a specific user has used to access Azure Active Directory.

Found under the Directory > User > Devices tab


         Checklist

Activity

Use this report when you want to see the sign in activity for a user. The report includes information like the application signed into, device used, IP address, and location. We do not collect the history for users that sign in with a Microsoft account.

Found under the Directory > User > Activity tab


        Checklist


         Checklist

                                                                     Category: Activity logs

Audit report

Use this report when you want to see a record of all audited events within the last 24 hours, last 7 days, or last 30 days. The report includes events in the following categories:

  • Credential updates

  • Device management

  • Directory synchronization

  • Domain management

  • Group management

  • Partner administration

  • Policy management (MFA)

  • Role changes

  • User account changes

  • User licensing

  • User, group, and contact management

Found under the Directory > Reports tab


         Checklist


         Checklist

Groups activity report

You can use this report when you want to see all activity for the self-service managed groups in your directory. This report is only available when you enable Azure Active Directory Premium.

Found under the Directory > Reports tab


         Checklist

Password reset registration activity report

The password reset registration activity report shows all password reset registrations that have occurred in your organization.

Found under the Directory > Reports tab


         Checklist

Password reset activity

The password reset activity report shows all password reset attempts that have occurred in your organization.

Found under the Directory > Reports tab


         Checklist

Things to consider if you suspect a security breach

If you suspect that a user account may be compromised or any kind of suspicious user activity that may lead to a security breach of your directory data in the cloud, you may want to consider one or more of the following actions:

View or download a report

Use the following procedure to view and/or download the most applicable report for your specific needs.

Note

The number of results that will be shown after running any of our access and usage reports is currently limited to display, or to download, only the 1000 most recent records. At this time there is no way to retrieve any results past 1000. This article will be updated once a solution for this limitation has been removed.

  1. In the Azure Management Portal, click Active Directory, click on the name of your organization’s directory, and then click Reports.

  2. On the Reports page, click the report you want to view and/or download.

    Note

    If this is the first time you have used the reporting feature of Azure Active Directory, you will see a message to Opt In. If you agree, click the check mark icon to continue.

  3. Click the drop-down menu next to Interval, and then select one of the following time ranges that should be used when generating this report:

    • Last 24 hours

    • Last 7 days

    • Last 30 days

  4. Click the check mark icon to run the report.

  5. If applicable, click Download to download the report to a compressed file in Comma Separated Values (CSV) format for offline viewing or archiving purposes.

Ignore an event

If you are viewing any anomaly reports, you may notice that you can ignore various events that show up in related reports. To ignore an event, simply highlight the event in the report and then click Ignore. The Ignore button will permanently remove the highlighted event from the report and can only be used by licensed global admins.

Automatic email notifications

What reports generate an email notification?

At this time, only the Anomalous Sign In Activity report and the Users with Anomalous Sign In Activity report are using the email notification system.

What triggers the email notification to be sent?

By default, Azure Active Directory is set to automatically send email notifications to all global admins. The email is sent under the following conditions for each report.

For the Anomalous Sign In Activity report:

  • Unknown sources: 10 events

  • Multiple failures: 10 events

  • IP addresses with suspicious activity: 10 events

  • Infected devices: 10 events

For the Users with Anomalous Sign In Activity report:

  • Unknown sources: 10 events

  • Multiple failures: 10 events

  • IP addresses with suspicious activity: 10 events

  • Infected devices: 5 events

  • Anomalous sign ins report: 15 events

The email is sent if any of the above conditions is met within 30 days, or since the last email was sent if it is less than 30 days.

Anomalous Sign Ins are those that have been identified as “anomalous” by our machine learning algorithms, on the basis of unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. More information about this report can be found in the table above.

Who receives the email notifications?

The email is sent to all global admins who have been assigned an Active Directory Premium license. To ensure it is delivered, we send it to the admins Alternate Email Address as well. Admins should include aad-alerts-noreply@mail.windowsazure.com in their safe senders list so they don’t miss the email.

How often are these emails sent?

Once an email is sent, the next one will be sent only when 10 or more new Anomalous Sign In events are encountered within 30 days of sending that email. How do I access the report mentioned in the email?

When you click on the link, you will be redirected to the report page within the Azure Management Portal. In order to access the report, you need to be both:

  • An admin or co-admin of your Azure subscription

  • A global administrator in the directory, and assigned an Active Directory Premium license. For more information, see Azure Active Directory editions.

Can I turn off these emails?

Yes, to turn off notifications related to anomalous sign ins within the Azure Management Portal, click Configure, and then select Disabled under the Notifications section.