Sign-in logs
Microsoft Entra ID emits sign-in logs containing activity information. Each sign-in attempt contains details associated with those three main components: Who: The identity (User) doing the sign-in. How: The client (Application) used for the access. And What: The target (Resource) accessed by the identity. You can use the sign-in logs to answer questions such as: How many users signed into a particular application this week? How many failed sign-in attempts occurred in the last 24 hours? Are users signing in from specific browsers or operating systems?
Prerequisites
Before you start make sure you have configured the following:Sign-in to the Microsoft Entra admin center and browse to Monitoring & health > Sign-in logs. Then, search and select one of the sign-in log entry.
The Activity Details: Sign-ins provides details associated with a sign-in attempt. In the following example, the user couldn't sign-in since the account is disabled.
Dependencies
This script is self-contained.1. Sign-in logs
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
Connect-MgGraph -Scopes "AuditLog.Read.All Directory.Read.All"Get-MgAuditLogSignIn1.1 [Optinal] Filter sign-in logs
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-07-01T00:00:00Z and createdDateTime le 2024-07-14T23:59:59Z
Connect-MgGraph -Scopes "AuditLog.Read.All Directory.Read.All"Get-MgAuditLogSignIn -Filter "createdDateTime ge 2024-07-01T00:00:00Z and createdDateTime le 2024-07-14T23:59:59Z"2. Investigate the sign-in log
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#auditLogs/signIns",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET auditLogs/signIns?$select=appDisplayName,appId",
"value": [
{
"id": "b6c405bf-816b-4c88-b7a4-9af5f79d0200",
"createdDateTime": "2024-07-24T06:55:43Z",
"userDisplayName": "Yoel Horvitz",
"userPrincipalName": "75b523ca-d064-4ddf-80af-87738f504026@wggdemo.onmicrosoft.com",
"userId": "75b523ca-d064-4ddf-80af-87738f504026",
"appId": "10f90284-3ee4-4e82-a641-55cc4068b633",
"appDisplayName": "Woodgrove Groceries",
"ipAddress": "**.**.**.***",
"clientAppUsed": "Browser",
"correlationId": "366f7c67-19a6-404d-ac87-2bfc4919ac1e",
"conditionalAccessStatus": "success",
"isInteractive": true,
"riskDetail": "hidden",
"riskLevelAggregated": "hidden",
"riskLevelDuringSignIn": "hidden",
"riskState": "none",
"riskEventTypes": [],
"riskEventTypes_v2": [],
"resourceDisplayName": "Microsoft Graph",
"resourceId": "00000003-0000-0000-c000-000000000000",
"status": {
"errorCode": 50057,
"failureReason": "The user account is disabled.",
"additionalDetails": "https://learn.microsoft.com/troubleshoot/azure/entra/entra-id/app-integration/error-code-aadsts50057-user-account-is-disabled"
},
"deviceDetail": {
"deviceId": "",
"displayName": "",
"operatingSystem": "Windows10",
"browser": "Edge 126.0.0",
"isCompliant": false,
"isManaged": false,
"trustType": ""
},
"location": {
"city": "Chicago",
"state": "Illinois",
"countryOrRegion": "US",
"geoCoordinates": {
"altitude": null,
"latitude": 12.3456,
"longitude": 12.3456
}
},
"appliedConditionalAccessPolicies": []
},
{
"id": "7ce4644d-2280-48ba-b1eb-407c8faa8300",
"more": "..."
}
]
}
