
Sign-In Logs

Monitor user sign-in activity across your Microsoft 365 environment. Track successful and failed authentications, detect suspicious sign-in patterns, and investigate potential account compromise.

Overview

The Sign-In Logs report provides detailed records of all authentication events in your managed Entra ID tenants. Use this data to monitor access patterns, investigate security incidents, and ensure compliance with access policies.

Log Columns

| Column | Description |
|---|---|
| Date/Time | When the sign-in occurred |
| User | User principal name and display name |
| Application | Application the user signed into |
| Status | Success, Failure, or Interrupted |
| IP Address | Source IP of the sign-in attempt |
| Location | Geographic location based on IP |
| Device | Device name and operating system |
| Browser | Browser used for the sign-in |
| MFA Status | Whether MFA was required and satisfied |
| Conditional Access | Which CA policies were applied |
| Risk Level | None, Low, Medium, High |

Sign-In Analysis

The report provides several analytical views:

  • Success vs. Failure rate — Track authentication success rates over time
  • Geographic distribution — Map of sign-in locations
  • Failed sign-in patterns — Identify brute-force or password-spray attacks
  • Application access — Which apps users are signing into
  • Device and browser trends — Track client platform usage

Suspicious Activity Indicators

Warning: The following patterns may indicate account compromise or attack activity:

  • Multiple failed sign-ins from different locations
  • Successful sign-in from an unusual location
  • Sign-in from a known malicious IP address
  • Impossible travel (sign-ins from distant locations within a short time)
  • Sign-in from an anonymous or Tor network
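
Two of the indicators above, impossible travel and failed sign-ins from several locations, checked over sign-in records. This is an added example, not code from the product or its documentation; it assumes records shaped like the Microsoft Graph signIn resource (`createdDateTime`, `userPrincipalName`, `status.errorCode`, `location`), and the thresholds, helper names and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0    # assumed: about airliner cruising speed
MIN_KM = 500.0     # assumed: ignore geo-IP jitter between nearby places
MIN_COUNTRIES = 3  # assumed: what counts as "different locations"

def _rec(ts, upn, err, country, lat, lon):  # only the signIn fields used below
    return {"createdDateTime": ts, "userPrincipalName": upn, "status": {"errorCode": err},
            "location": {"countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}

SAMPLE = [  # constructed records, not real tenant data
    _rec("2024-05-01T08:00:00Z", "alice@example.com", 0, "GB", 51.51, -0.13),
    _rec("2024-05-01T11:00:00Z", "alice@example.com", 0, "FR", 48.86, 2.35),
    _rec("2024-05-01T12:00:00Z", "alice@example.com", 0, "SG", 1.35, 103.82),
    _rec("2024-05-01T08:05:00Z", "bob@example.com", 50126, "US", 40.71, -74.01),
    _rec("2024-05-01T08:06:00Z", "bob@example.com", 50126, "BR", -23.55, -46.63),
    _rec("2024-05-01T08:07:00Z", "bob@example.com", 50126, "RU", 55.76, 37.62),
]

def _when(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))

def _km(a, b):  # haversine great-circle distance between two geoCoordinates
    la1, lo1, la2, lo2 = map(radians, (a["latitude"], a["longitude"], b["latitude"], b["longitude"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(records):
    """(user, km, hours) for consecutive successes (errorCode 0) implying > MAX_KMH."""
    by_user, hits = defaultdict(list), []
    for r in sorted((r for r in records if r["status"]["errorCode"] == 0), key=_when):
        by_user[r["userPrincipalName"]].append(r)
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            km = _km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600
            # hours == 0 covers simultaneous sign-ins from two distant places
            if km >= MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                hits.append((user, round(km), round(hours, 2)))
    return hits

def scattered_failures(records):
    """Users whose failed sign-ins (non-zero errorCode) span >= MIN_COUNTRIES countries."""
    seen = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != 0:
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return sorted(u for u, cc in seen.items() if len(cc) >= MIN_COUNTRIES)
```

Any non-zero `errorCode` is counted as a failure here, so narrow the check to specific codes if interrupted sign-ins should be excluded.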

Filters

  • Date Range — Last 24 hours, 7 days, 30 days, or custom
  • User — Filter by specific user or group
  • Status — Success, Failure, Interrupted
  • Application — Filter by target application
  • Risk Level — None, Low, Medium, High
  • Tenant — Filter by managed tenant

Graph API Data Sources

  • GET /auditLogs/signIns

API Reference

  • GET /api/monitoring/audit/sign-ins — Get sign-in logs
  • GET /api/monitoring/audit/sign-ins/summary — Get sign-in summary
  • POST /api/monitoring/audit/sign-ins/export — Export sign-in logs