Sign-in logs

Microsoft Entra ID emits sign-in logs that record sign-in activity. Each sign-in attempt contains details about three main components:
  - Who: The identity (User) doing the sign-in.
  - How: The client (Application) used for the access.
  - What: The target (Resource) accessed by the identity.

You can use the sign-in logs to answer questions such as:
  - How many users signed into a particular application this week?
  - How many failed sign-in attempts occurred in the last 24 hours?
  - Are users signing in from specific browsers or operating systems?

Prerequisites

Before you start, make sure you have completed the following:
  1. Create a tenant and add admin accounts
  2. Register a web application
  3. Create a user flow

Sign in to the Microsoft Entra admin center and browse to Monitoring & health > Sign-in logs. Then, search for and select one of the sign-in log entries.

The Activity Details: Sign-ins pane provides details associated with a sign-in attempt. In the following example, the user couldn't sign in because the account is disabled.

Dependencies

This script is self-contained.

1. Sign-in logs

Retrieve the Microsoft Entra user sign-ins for your tenant with the following Microsoft Graph request, or with the equivalent Microsoft Graph PowerShell commands:
 
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Get-MgAuditLogSignIn
 
1.1 [Optional] Filter sign-in logs
You can filter the sign-in logs, for example to list all sign-ins during a specific time period:
 
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-07-01T00:00:00Z and createdDateTime le 2024-07-14T23:59:59Z
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Get-MgAuditLogSignIn -Filter "createdDateTime ge 2024-07-01T00:00:00Z and createdDateTime le 2024-07-14T23:59:59Z"
 

2. Investigate the sign-in log

The response provides a collection of details associated with sign-in attempts. In the following example, the user couldn't sign in because the account is disabled.
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#auditLogs/signIns",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET auditLogs/signIns?$select=appDisplayName,appId",
    "value": [
        {
            "id": "b6c405bf-816b-4c88-b7a4-9af5f79d0200",
            "createdDateTime": "2024-07-24T06:55:43Z",
            "userDisplayName": "Yoel Horvitz",
            "userPrincipalName": "75b523ca-d064-4ddf-80af-87738f504026@wggdemo.onmicrosoft.com",
            "userId": "75b523ca-d064-4ddf-80af-87738f504026",
            "appId": "10f90284-3ee4-4e82-a641-55cc4068b633",
            "appDisplayName": "Woodgrove Groceries",
            "ipAddress": "**.**.**.***",
            "clientAppUsed": "Browser",
            "correlationId": "366f7c67-19a6-404d-ac87-2bfc4919ac1e",
            "conditionalAccessStatus": "success",
            "isInteractive": true,
            "riskDetail": "hidden",
            "riskLevelAggregated": "hidden",
            "riskLevelDuringSignIn": "hidden",
            "riskState": "none",
            "riskEventTypes": [],
            "riskEventTypes_v2": [],
            "resourceDisplayName": "Microsoft Graph",
            "resourceId": "00000003-0000-0000-c000-000000000000",
            "status": {
                "errorCode": 50057,
                "failureReason": "The user account is disabled.",
                "additionalDetails": "https://learn.microsoft.com/troubleshoot/azure/entra/entra-id/app-integration/error-code-aadsts50057-user-account-is-disabled"
            },
            "deviceDetail": {
                "deviceId": "",
                "displayName": "",
                "operatingSystem": "Windows10",
                "browser": "Edge 126.0.0",
                "isCompliant": false,
                "isManaged": false,
                "trustType": ""
            },
            "location": {
                "city": "Chicago",
                "state": "Illinois",
                "countryOrRegion": "US",
                "geoCoordinates": {
                    "altitude": null,
                    "latitude": 12.3456,
                    "longitude": 12.3456
                }
            },
            "appliedConditionalAccessPolicies": []
        },
        {
            "id": "7ce4644d-2280-48ba-b1eb-407c8faa8300",
            "more": "..."        
        }
    ]
}
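
To answer a question such as how many sign-ins failed in the last 24 hours from a response like the one above, the following added example (not part of the original page and not Microsoft's code) tallies failures by error code, user and client. It assumes a `status.errorCode` of 0 means success; the sample records, the `contoso.example` names and the function name `summarize_failures` are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the signIns response above; all values are made up.
SAMPLE = json.loads("""{"value": [
 {"id": "a1", "createdDateTime": "2024-07-24T06:55:43Z", "userPrincipalName": "user1@contoso.example",
  "status": {"errorCode": 50057, "failureReason": "The user account is disabled."},
  "deviceDetail": {"operatingSystem": "Windows10", "browser": "Edge 126.0.0"}},
 {"id": "a2", "createdDateTime": "2024-07-24T05:10:00Z", "userPrincipalName": "user1@contoso.example",
  "status": {"errorCode": 50057, "failureReason": "The user account is disabled."},
  "deviceDetail": {"operatingSystem": "Windows10", "browser": "Edge 126.0.0"}},
 {"id": "a3", "createdDateTime": "2024-07-24T04:00:00Z", "userPrincipalName": "user2@contoso.example",
  "status": {"errorCode": 0, "failureReason": "Other."},
  "deviceDetail": {"operatingSystem": "MacOs", "browser": "Safari 17.5"}},
 {"id": "a4", "createdDateTime": "2024-07-20T09:00:00Z", "userPrincipalName": "user3@contoso.example",
  "status": {"errorCode": 50057, "failureReason": "The user account is disabled."},
  "deviceDetail": {"operatingSystem": "Android", "browser": "Chrome 126.0.0"}},
 {"id": "a5", "more": "..."}
]}""")

def summarize_failures(response, now, window_hours=24):
    """Count failed sign-ins (assumed: status.errorCode != 0) inside the look-back window."""
    cutoff = now - timedelta(hours=window_hours)
    by_error, by_user, by_client, skipped = Counter(), Counter(), Counter(), 0
    for entry in response.get("value", []):
        status, created = entry.get("status"), entry.get("createdDateTime")
        if not status or not created:          # truncated or partial record
            skipped += 1
            continue
        when = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if not (cutoff <= when <= now) or status.get("errorCode", 0) == 0:
            continue                           # outside the window, or a successful sign-in
        device = entry.get("deviceDetail") or {}
        by_error[(status["errorCode"], status.get("failureReason", ""))] += 1
        by_user[entry.get("userPrincipalName", "unknown")] += 1
        by_client[(device.get("operatingSystem", ""), device.get("browser", ""))] += 1
    return {"by_error": by_error, "by_user": by_user, "by_client": by_client, "skipped": skipped}

if __name__ == "__main__":
    now = datetime(2024, 7, 24, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the run is repeatable
    report = summarize_failures(SAMPLE, now)
    for (code, reason), n in report["by_error"].most_common():
        print(f"{n:3d}  AADSTS{code}  {reason}")
    print("records skipped as incomplete:", report["skipped"])
```

Repeated failures with the same error code for one user principal name are the rows worth opening in the admin center first.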
        