Bewerken

Delen via


signIn resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Provides details about user or application sign-in activity in your directory. You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.

The Microsoft Entra data retention policies govern the availability of sign-in logs.

Note

This API returns only interactive sign-ins unless you set an explicit filter. For example, the filter for getting non-interactive sign-ins is https://graph.microsoft.com/beta/auditLogs/signIns?&$filter=signInEventTypes/any(t: t eq 'nonInteractiveUser').

Methods

Method Return Type Description
List signIn Read properties and relationships of signIn objects.
Get signIn Read properties and relationships of a signIn object.
Confirm compromised None Mark an event in the Microsoft Entra sign-in logs as risky.
Confirm safe None mark an event in Microsoft Entra sign-in logs as safe.

Properties

Property Type Description
appDisplayName String The application name displayed in the Microsoft Entra admin center.

Supports $filter (eq, startsWith).
appId String The application identifier in Microsoft Entra ID.

Supports $filter (eq).
appliedConditionalAccessPolicies appliedConditionalAccessPolicy collection A list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see Permissions for viewing applied conditional access (CA) policies in sign-ins.
appliedEventListeners appliedAuthenticationEventListener collection Detailed information about the listeners, such as Azure Logic Apps and Azure Functions, which the corresponding events in the sign-in event triggered.
appTokenProtectionStatus tokenProtectionStatus Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the app token was bound to the device.
authenticationAppDeviceDetails authenticationAppDeviceDetails Provides details about the app and device used during a Microsoft Entra authentication step.
authenticationAppPolicyEvaluationDetails authenticationAppPolicyDetails collection Provides details of the Microsoft Entra policies applied to a user and client authentication app during an authentication step.
authenticationContextClassReferences authenticationContext collection Contains a collection of values that represent the conditional access authentication contexts applied to the sign-in.
authenticationDetails authenticationDetail collection The result of the authentication attempt and more details on the authentication method.
authenticationMethodsUsed String collection The authentication methods used. Possible values: SMS, Authenticator App, App Verification code, Password, FIDO, PTA, or PHS.
authenticationProcessingDetails keyValue collection More authentication processing details, such as the agent name for PTA and PHS, or a server or farm name for federated authentication.
authenticationProtocol protocolType Lists the protocol type or grant type used in the authentication. The possible values are: none, oAuth2, ropc, wsFederation, saml20, deviceCode, unknownFutureValue, authenticationTransfer, nativeAuth. Use none for all authentications that don't have a specific value in that list. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: authenticationTransfer, nativeAuth.
authenticationRequirement String This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.

Supports $filter (eq, startsWith).
authenticationRequirementPolicies authenticationRequirementPolicy collection Sources of authentication requirement, such as conditional access, per-user MFA, identity protection, and security defaults.
autonomousSystemNumber Int32 The Autonomous System Number (ASN) of the network used by the actor.
azureResourceId String Contains a fully qualified Azure Resource Manager ID of an Azure resource accessed during the sign-in.
clientAppUsed String The legacy client used for sign-in activity. For example: Browser, Exchange ActiveSync, Modern clients, IMAP, MAPI, SMTP, or POP.

Supports $filter (eq).
clientCredentialType clientCredentialType Describes the credential type that a user client or service principal provided to Microsoft Entra ID to authenticate itself. You can review this property to track and eliminate less secure credential types or to watch for clients and service principals using anomalous credential types. The possible values are: none, clientSecret, clientAssertion, federatedIdentityCredential, managedIdentity, certificate, unknownFutureValue.
conditionalAccessAudiences String A list that indicates the audience that Conditional Access evaluated during a sign-in event.

Supports $filter (eq).
conditionalAccessStatus conditionalAccessStatus The status of the conditional access policy triggered. Possible values: success, failure, notApplied, or unknownFutureValue.

Supports $filter (eq).
correlationId String The identifier the client sends when sign-in is initiated. This property is used for troubleshooting the corresponding sign-in activity when calling for support.

Supports $filter (eq).
createdDateTime DateTimeOffset The date and time the sign-in was initiated. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.

Supports $orderby, $filter (eq, le, and ge).
crossTenantAccessType signInAccessType Describes the type of cross-tenant access used by the actor to access the resource. Possible values are: none, b2bCollaboration, b2bDirectConnect, microsoftSupport, serviceProvider, unknownFutureValue, passthrough. Also, you must use the Prefer: include-unknown-enum-members request header to get the following value or values in this evolvable enum: passthrough. If the sign in didn't cross tenant boundaries, the value is none.
deviceDetail deviceDetail The device information from where the sign-in occurred. Includes information such as deviceId, OS, and browser.

Supports $filter (eq, startsWith) on browser and operatingSystem properties.
federatedCredentialId String Contains the identifier of an application's federated identity credential, if a federated identity credential was used to sign in.
flaggedForReview Boolean During a failed sign-in, a user can select a button in the Azure portal to mark the failed event for tenant admins. If a user selects the button to flag the failed sign-in, this value is true.
globalSecureAccessIpAddress String The Global Secure Access IP address that the sign-in was initiated from.
homeTenantId String The tenant identifier of the user initiating the sign-in. Not applicable in Managed Identity or service principal sign ins.
homeTenantName String For user sign ins, the identifier of the tenant that the user is a member of. Only populated in cases where the home tenant provides affirmative consent to Microsoft Entra ID to show the tenant content.
id String The identifier representing the sign-in activity. Inherited from entity.

Supports $filter (eq).
incomingTokenType incomingTokenType Indicates the token types that were presented to Microsoft Entra ID to authenticate the actor in the sign in. The possible values are: none, primaryRefreshToken, saml11, saml20, unknownFutureValue, remoteDesktopToken, refreshToken.

NOTE Microsoft Entra ID might have also used token types not listed in this enum type to authenticate the actor. Don't infer the lack of a token if it isn't one of the types listed. Also, you must use the Prefer: include-unknown-enum-members request header to get the following value or values in this evolvable enum: remoteDesktopToken, refreshToken.
ipAddress String The IP address of the client from where the sign-in occurred.

Supports $filter (eq, startsWith).
ipAddressFromResourceProvider String The IP address a user used to reach a resource provider, used to determine Conditional Access compliance for some policies. For example, when a user interacts with Exchange Online, the IP address that Microsoft Exchange receives from the user can be recorded here. This value is often null.
isInteractive Boolean Indicates whether a user sign in is interactive. In interactive sign in, the user provides an authentication factor to Microsoft Entra ID. These factors include passwords, responses to MFA challenges, biometric factors, or QR codes that a user provides to Microsoft Entra ID or an associated app. In non-interactive sign in, the user doesn't provide an authentication factor. Instead, the client app uses a token or code to authenticate or access a resource on behalf of a user. Non-interactive sign ins are commonly used for a client to sign in on a user's behalf in a process transparent to the user.
isTenantRestricted Boolean Shows whether the sign in event was subject to a Microsoft Entra tenant restriction policy.
isThroughGlobalSecureAccess Boolean Indicates whether a user came through Global Secure Access service.
location signInLocation The city, state, and two letter country code from where the sign-in occurred.

Supports $filter (eq, startsWith) on city, state, and countryOrRegion properties.
managedServiceIdentity managedIdentity Contains information about the managed identity used for the sign in, including its type, associated Azure Resource Manager (ARM) resource ID, and federated token information.
networkLocationDetails networkLocationDetail collection The network location details including the type of network used and its names.
originalRequestId String The request identifier of the first request in the authentication sequence.

Supports $filter (eq).
originalTransferMethod originalTransferMethods Transfer method used to initiate a session throughout all subsequent request. The possible values are: none, deviceCodeFlow, authenticationTransfer, unknownFutureValue.
privateLinkDetails privateLinkDetails Contains information about the Microsoft Entra Private Link policy that is associated with the sign in event.
processingTimeInMilliseconds Int The request processing time in milliseconds in AD STS.
resourceDisplayName String The name of the resource that the user signed in to.

Supports $filter (eq).
resourceId String The identifier of the resource that the user signed in to.

Supports $filter (eq).
resourceServicePrincipalId String The identifier of the service principal representing the target resource in the sign-in event.
resourceTenantId String The tenant identifier of the resource referenced in the sign in.
riskDetail riskDetail The reason behind a specific state of a risky user, sign-in, or a risk event. The possible values are none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue, adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal, m365DAdminDismissedDetection, userChangedPasswordOnPremises, adminDismissedRiskForSignIn, adminConfirmedAccountSafe. You must use the Prefer: include-unknown-enum-members request header to get the following value or values in this evolvable enum: adminConfirmedServicePrincipalCompromised, adminDismissedAllRiskForServicePrincipal, m365DAdminDismissedDetection, userChangedPasswordOnPremises, adminDismissedRiskForSignIn, adminConfirmedAccountSafe.The value none means that Microsoft Entra risk detection hasn't flagged the user or the sign-in as a risky event so far.

Supports $filter (eq).
Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.
riskEventTypes_v2 String collection The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.

Supports $filter (eq, startsWith).
riskLevelAggregated riskLevel The aggregated risk level. Possible values: none, low, medium, high, hidden, or unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection.

Supports $filter (eq).
Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.
riskLevelDuringSignIn riskLevel The risk level during sign-in. Possible values: none, low, medium, high, hidden, or unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection.

Supports $filter (eq).
Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden.
riskState riskState The risk state of a risky user, sign-in, or a risk event. Possible values: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, or unknownFutureValue.

Supports $filter (eq).
servicePrincipalCredentialKeyId String The unique identifier of the key credential used by the service principal to authenticate.
servicePrincipalCredentialThumbprint String The certificate thumbprint of the certificate used by the service principal to authenticate.
servicePrincipalId String The application identifier used for sign-in. This field is populated when you're signing in using an application.

Supports $filter (eq, startsWith).
servicePrincipalName String The application name used for sign-in. This field is populated when you're signing in using an application.

Supports $filter (eq, startsWith).
sessionLifetimePolicies sessionLifetimePolicy collection Any conditional access session management policies that were applied during the sign-in event.
signInEventTypes String collection Indicates the category of sign in that the event represents. For user sign ins, the category can be interactiveUser or nonInteractiveUser and corresponds to the value for the isInteractive property on the signin resource. For managed identity sign ins, the category is managedIdentity. For service principal sign-ins, the category is servicePrincipal. Possible values are: interactiveUser, nonInteractiveUser, servicePrincipal, managedIdentity, unknownFutureValue.

Supports $filter (eq, ne).
signInIdentifier String The identification that the user provided to sign in. It can be the userPrincipalName, but is also populated when a user signs in using other identifiers.
signInIdentifierType signInIdentifierType The type of sign in identifier. Possible values are: userPrincipalName, phoneNumber, proxyAddress, qrCode, onPremisesUserPrincipalName, unknownFutureValue.
signInTokenProtectionStatus tokenProtectionStatus Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the signin token was bound to the device or not. The possible values are: none, bound, unbound, unknownFutureValue.
status signInStatus The sign-in status. Includes the error code and description of the error (for a sign-in failure).

Supports $filter (eq) on errorCode property.
tokenIssuerName String The name of the identity provider. For example, sts.microsoft.com.

Supports $filter (eq).
tokenIssuerType tokenIssuerType The type of identity provider. The possible values are: AzureAD, ADFederationServices, UnknownFutureValue, AzureADBackupAuth, ADFederationServicesMFAAdapter, NPSExtension. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: AzureADBackupAuth , ADFederationServicesMFAAdapter , NPSExtension.
uniqueTokenIdentifier String A unique base64 encoded request identifier used to track tokens issued by Microsoft Entra ID as they're redeemed at resource providers.
userAgent String The user agent information related to sign-in.

Supports $filter (eq, startsWith).
userDisplayName String The display name of the user.

Supports $filter (eq, startsWith).
userId String The identifier of the user.

Supports $filter (eq).
userPrincipalName String User principal name of the user that initiated the sign-in. This value is always in lowercase. For guest users whose values in the user object typically contain #EXT# before the domain part, this property stores the value in both lowercase and the "true" format. For example, while the user object stores AdeleVance_fabrikam.com#EXT#@contoso.com, the sign-in logs store adelevance@fabrikam.com.

Supports $filter (eq, startsWith).
userType signInUserType Identifies whether the user is a member or guest in the tenant. Possible values are: member, guest, unknownFutureValue.
mfaDetail (deprecated) mfaDetail This property is deprecated.

Relationships

None

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.signIn",
  "appDisplayName": "String",
  "appId": "String",
  "authenticationContextClassReferences": [{"@odata.type": "microsoft.graph.authenticationContext"}],
  "appliedConditionalAccessPolicies": [
    {
      "@odata.type": "microsoft.graph.appliedConditionalAccessPolicy"
    }
  ],
  "appliedEventListeners": [
    {
      "@odata.type": "microsoft.graph.appliedAuthenticationEventListener"
    }
  ],
  "appTokenProtectionStatus": {
      "@odata.type": "microsoft.graph.tokenProtectionStatus"
  },
  "authenticationAppDeviceDetails": {
      "@odata.type": "microsoft.graph.authenticationAppDeviceDetails"
  },
  "authenticationAppPolicyEvaluationDetails": [
    {
      "@odata.type": "microsoft.graph.authenticationAppPolicyDetails"
    }
  ],
  "authenticationDetails": [
    {
      "@odata.type": "microsoft.graph.authenticationDetail"
    }
  ],
  "authenticationMethodsUsed": [
    "String"
  ],
  "authenticationProcessingDetails": [
    {
      "@odata.type": "microsoft.graph.keyValue"
    }
  ],
  "authenticationRequirement": "String",
  "authenticationRequirementPolicies": [
    {
      "@odata.type": "microsoft.graph.authenticationRequirementPolicy"
    }
  ],
  "autonomousSystemNumber": "Integer",
  "azureResourceId": "String",
  "clientAppUsed": "String",
  "conditionalAccessStatus": "String",
  "correlationId": "String",
  "createdDateTime": "String (timestamp)",
  "crossTenantAccessType": "String",
  "deviceDetail": {
    "@odata.type": "microsoft.graph.deviceDetail"
  },
  "federatedCredentialId": "String",
  "flaggedForReview": "Boolean",
  "id": "String (identifier)",
  "homeTenantId": "String",
  "homeTenantName": "String",
  "isInteractive": "Boolean",
  "isTenantRestricted": "Boolean",
  "ipAddress": "String",
  "ipAddressFromResourceProvider": "String",
  "location": {
    "@odata.type": "microsoft.graph.signInLocation"
  },
  "mfaDetail": {
    "@odata.type": "microsoft.graph.mfaDetail"
  },
  "networkLocationDetails": [
    {
      "@odata.type": "microsoft.graph.networkLocationDetail"
    }
  ],
  "originalRequestId": "String",
  "originalTransferMethod": "String",
  "privateLinkDetails": {
    "@odata.type": "microsoft.graph.privateLinkDetails"
  },
  "processingTimeInMilliseconds": "Integer",
  "riskDetail": "String",
  "riskEventTypes_v2": [
    "String"
  ],
  "riskLevelAggregated": "String",
  "riskLevelDuringSignIn": "String",
  "riskState": "String",
  "resourceDisplayName": "String",
  "resourceId": "String",
  "resourceTenantId": "String",
  "servicePrincipalCredentialKeyId": "String",
  "servicePrincipalCredentialThumbprint": "String",
  "servicePrincipalId": "String",
  "servicePrincipalName": "String",
  "sessionLifetimePolicies": [{"@odata.type": "microsoft.graph.sessionLifetimePolicy"}],
  "signInEventTypes": [
    "String"
  ],
  "signInIdentifier": "String",
  "signInIdentifierType": "String",
  "signInTokenProtectionStatus": "String",
  "status": {
    "@odata.type": "microsoft.graph.signInStatus"
  },
  "tokenIssuerName": "String",
  "tokenIssuerType": "String",
  "userAgent": "String",
  "userDisplayName": "String",
  "userId": "String",
  "userPrincipalName": "String",
  "userType": "String"
}