AADSpnSignInEventsBeta
Applies to:
- Microsoft Defender XDR
Important
The AADSpnSignInEventsBeta table is currently in beta and is being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table. Microsoft will eventually move all sign-in schema information to the IdentityLogonEvents table.
The AADSpnSignInEventsBeta table in the advanced hunting schema contains information about Microsoft Entra service principal and managed identity sign-ins. You can learn more about the different kinds of sign-ins in Microsoft Entra sign-in activity reports - preview.
Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the record was generated |
Application |
string |
Application that performed the recorded action |
ApplicationId |
string |
Unique identifier for the application |
IsManagedIdentity |
boolean |
Indicates whether the sign-in was initiated by a managed identity |
ErrorCode |
int |
Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit https://aka.ms/AADsigninsErrorCodes. |
CorrelationId |
string |
Unique identifier of the sign-in event |
ServicePrincipalName |
string |
Name of the service principal that initiated the sign-in |
ServicePrincipalId |
string |
Unique identifier of the service principal that initiated the sign-in |
ResourceDisplayName |
string |
Display name of the resource accessed. The display name can contain any character. |
ResourceId |
string |
Unique identifier of the resource accessed |
ResourceTenantId |
string |
Unique identifier of the tenant of the resource accessed |
IPAddress |
string |
IP address assigned to the endpoint and used during related network communications |
Country |
string |
Two-letter code indicating the country where the client IP address is geolocated |
State |
string |
State where the sign-in occurred, if available |
City |
string |
City where the account user is located |
Latitude |
string |
The north to south coordinates of the sign-in location |
Longitude |
string |
The east to west coordinates of the sign-in location |
RequestId |
string |
Unique identifier of the request |
ReportId |
string |
Unique identifier for the event |
Related articles
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.