What are Microsoft Entra sign-in logs?

Microsoft Entra logs all sign-ins into a Microsoft Entra tenant, which includes your internal apps and resources. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly.

Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services. The sign-in logs provided by Microsoft Entra ID are a powerful type of activity log that you can analyze. This article describes several key aspects of the sign-in logs.

Two other activity logs are also available to help monitor the health of your tenant:

  • Audit – Information about changes applied to your tenant, such as users and group management or updates applied to your tenant’s resources.
  • Provisioning – Activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.

License and role requirements

The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance. For a full list of roles, see Least privileged roles by task.

Log / Report Roles Licenses
Audit logs Reports Reader
Security Reader
Security Administrator
All editions of Microsoft Entra ID
Sign-in logs Reports Reader
Security Reader
Security Administrator
All editions of Microsoft Entra ID
Provisioning logs Reports Reader
Security Reader
Application Administrator
Cloud App Administrator
Microsoft Entra ID P1 or P2
Custom security attribute audit logs* Attribute Log Administrator
Attribute Log Reader
All editions of Microsoft Entra ID
Health Reports Reader
Security Reader
Helpdesk Administrator
Microsoft Entra ID P1 or P2
Microsoft Entra ID Protection** Security Administrator
Security Operator
Security Reader
Global Reader
Microsoft Entra ID Free
Microsoft 365 Apps
Microsoft Entra ID P1 or P2
Microsoft Graph activity logs Security Administrator
Permissions to access data in the corresponding log destination
Microsoft Entra ID P1 or P2
Usage and insights Reports Reader
Security Reader
Security Administrator
Microsoft Entra ID P1 or P2

*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.

**The level of access and capabilities for Microsoft Entra ID Protection varies with the role and license. For more information, see the license requirements for ID Protection.

What can you do with sign-in logs?

You can use the sign-in logs to answer questions such as:

  • How many users signed into a particular application this week?
  • How many failed sign-in attempts occurred in the last 24 hours?
  • Are users signing in from specific browsers or operating systems?
  • Which of my Azure resources were accessed by managed identities and service principals?

You can also describe the activity associated with a sign-in request by identifying the following details:

  • Who – The identity (User) performing the sign-in.
  • How – The client (Application) used for the sign-in.
  • What – The target (Resource) accessed by the identity.

How do you access the sign-in logs?

There are several ways to access the logs, depending on your needs. For more information, see How to access activity logs.

To view the sign-in logs from the Microsoft Entra admin center:

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
  2. Browse to Identity> Monitoring & health > Sign-in logs.

To more effectively use the sign-in logs in the Microsoft Entra admin center, adjust the filters to only view a specific set of logs. For more information, see Filter sign-in logs.

What are the types of sign-in logs?

There are four types of logs in the sign-in logs preview:

The classic sign-in logs only include interactive user sign-ins.

Note

Entries in the sign-in logs are system generated and can't be changed or deleted.

Sign-in data used by other services

Sign-in data is used by several services in Azure and Microsoft Entra to monitor risky sign-ins, provide insight into application usage, and more.

Microsoft Entra ID Protection

Sign-in log data visualization that relates to risky sign-ins is available in the Microsoft Entra ID Protection overview, which uses the following data:

  • Risky users
  • Risky user sign-ins
  • Risky workload identities

For more information about the Microsoft Entra ID Protection tools, see the Microsoft Entra ID Protection overview.

Microsoft Entra Usage and insights

To view application-specific sign-in data, browse to Microsoft Entra ID > Monitoring & health > Usage & insights. These reports provide a closer look at sign-ins for Microsoft Entra application activity and AD FS application activity. For more information, see Microsoft Entra Usage & insights.

Screenshot of the Usage & insights report.

There are several reports available in Usage & insights. Some of these reports are in preview.

  • Microsoft Entra application activity (preview)
  • AD FS application activity
  • Authentication methods activity
  • Service principal sign-in activity
  • Application credential activity

Microsoft 365 activity logs

You can view Microsoft 365 activity logs from the Microsoft 365 admin center. Microsoft 365 activity and Microsoft Entra activity logs share a significant number of directory resources. Only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.

You can access the Microsoft 365 activity logs programmatically by using the Office 365 Management APIs.