Sign-in Logs

Monitor and analyze user authentication events in Entra ID. Sign-in logs provide detailed information about every authentication attempt including success, failure, MFA challenges, and Conditional Access evaluation.

Note: Sign-in logs are retained for 30 days by default. With Azure AD Premium P1/P2, export to Azure Storage, Event Hubs, or Log Analytics for longer retention.

Sign-in Log Columns

| Column | Description |
| --- | --- |
| Date | Timestamp of sign-in attempt |
| User | UPN or display name |
| Application | App user signed into (Outlook, Teams, etc.) |
| Status | Success, Failure, Interrupted |
| IP Address | Client IP address |
| Location | City, State, Country (geo-IP) |
| Client App | Browser, mobile app, desktop client |
| Device | Device info if registered/joined |
| MFA Result | MFA satisfied, required, skipped |
| CA Policies | Conditional Access policies applied |

Sign-in Status

  • Success — User authenticated successfully. All requirements (password, MFA, CA) were met.
  • Failure — Authentication failed. Wrong password, MFA failed, blocked by CA, account locked.
  • Interrupted — User started but didn’t complete sign-in. Often MFA prompt not completed.

Common Failure Reasons

  • 50126 - Invalid credentials (Common) — Wrong username or password. May indicate forgotten password or credential stuffing attack.
  • 50053 - Account locked (Security) — Too many failed sign-in attempts. Smart lockout is protecting the account.
  • 50074 - MFA required (MFA) — User needs to complete MFA challenge. Often seen with legacy protocols that can’t do MFA.
  • 53003 - Blocked by CA (CA) — Conditional Access policy blocked access. Check which policy and why.
  • 50057 - Disabled account (Account) — User account is disabled in directory. Enable account to allow sign-in.
  • 50034 - User not found (Account) — Username doesn’t exist in directory. May be typo or enumeration attempt.

By User

Filter to specific user by UPN or display name. Useful for investigating individual account issues.

By Status

Show only failures, successes, or interrupted sign-ins.

By Application

Filter to specific app (Exchange Online, SharePoint, Azure Portal, etc.)

By Date Range

Select custom date range within retention period. Default shows last 24 hours.

By Location

Filter by country, state, or city. Useful for detecting impossible travel.

By Risk Level

Show only risky sign-ins flagged by Identity Protection (requires P2).

Sign-in Types

Interactive Sign-ins

User physically signs in with username/password/MFA. Includes web browser, desktop apps, and mobile apps where user provides credentials.

Non-interactive Sign-ins

Background token refreshes without user interaction. Apps use refresh tokens to silently obtain new access tokens. High volume is normal.

Service Principal Sign-ins

Applications authenticating with client credentials (app-only). No user involved. Track which apps are accessing your tenant.

Managed Identity Sign-ins

Azure resources authenticating using managed identities. VMs, Functions, Logic Apps accessing Azure AD-protected resources.

Security Investigations

Impossible Travel

User signs in from New York, then 10 minutes later from London. Indicates compromised credentials or VPN usage.

Password Spray Attack

Many failed sign-ins for different users with same password. Look for error 50126 across multiple accounts.

Brute Force Attack

Many failed sign-ins for single user in short time. Smart lockout should trigger after threshold.

Legacy Protocol Usage

Sign-ins using IMAP, POP3, SMTP Auth. These can’t use MFA and should be blocked.
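
The password spray, brute force and legacy protocol checks above, as an added Python example that is not part of the original page; it runs over records shaped like Graph /auditLogs/signIns items. The 10-minute window, the thresholds, grouping spray failures by source IP, the legacy `clientAppUsed` values and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and legacy client names (not from the page); tune per tenant.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS, BRUTE_MIN_FAILS = 3, 5
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP"}

def _peak(events, distinct):
    """Highest count seen in any WINDOW-long span of time-sorted (ts, value) events."""
    best = start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW:
            start += 1
        vals = [v for _, v in events[start:end + 1]]
        best = max(best, len(set(vals)) if distinct else len(vals))
    return best

def analyze(records):
    by_ip, by_user, legacy = defaultdict(list), defaultdict(list), set()
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        user, code = r["userPrincipalName"].lower(), r["status"]["errorCode"]
        if r.get("clientAppUsed") in LEGACY_CLIENTS:
            legacy.add(user)                            # legacy protocol, cannot do MFA
        if code == 50126:
            by_ip[r["ipAddress"]].append((ts, user))    # bad password, grouped by source
        if code in (50126, 50053):
            by_user[user].append((ts, r["ipAddress"]))  # bad password or lockout, per user
    spray = {ip: n for ip, ev in by_ip.items()
             if (n := _peak(ev, distinct=True)) >= SPRAY_MIN_USERS}
    brute = {u: n for u, ev in by_user.items()
             if (n := _peak(ev, distinct=False)) >= BRUTE_MIN_FAILS}
    return {"password_spray": spray, "brute_force": brute, "legacy_protocol": sorted(legacy)}

def sample_records():
    """Constructed records (documentation IP ranges, made-up users), not real tenant data."""
    def rec(t, name, ip, code, client="Browser"):
        return {"createdDateTime": f"2024-01-15T09:{t}Z", "ipAddress": ip, "clientAppUsed": client,
                "userPrincipalName": name + "@contoso.example", "status": {"errorCode": code}}
    spray = [rec(f"00:{i * 15:02d}", n, "203.0.113.7", 50126)
             for i, n in enumerate(["alice", "bob", "carol", "dave"])]
    brute = [rec(f"10:{i * 10:02d}", "erin", "198.51.100.20", 50126) for i in range(5)]
    brute.append(rec("10:50", "erin", "198.51.100.20", 50053))
    ok = [rec("20:00", "frank", "192.0.2.10", 0, "IMAP4"), rec("21:00", "alice", "192.0.2.11", 0)]
    return spray + brute + ok

if __name__ == "__main__":
    print(analyze(sample_records()))
```

A spray distributed across many source IPs will not trip the per-IP rule; grouping the same 50126 failures by time window alone is the usual complement.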

Export and Integration

  • Download CSV — Export filtered results for offline analysis
  • Azure Monitor — Stream to Log Analytics for advanced queries
  • Event Hubs — Real-time streaming to SIEM (Splunk, Sentinel)
  • Storage Account — Archive for long-term compliance retention

Graph API Endpoints

  • GET /auditLogs/signIns
  • GET /auditLogs/signIns?$filter=userPrincipalName eq 'user@domain.com'
  • GET /auditLogs/signIns?$filter=status/errorCode eq 50126

API Reference

  • GET /api/security/sign-in-logs — List sign-in logs with filters
  • GET /api/security/sign-in-logs/:id — Get detailed sign-in event
  • GET /api/security/sign-in-logs/summary — Get sign-in statistics
  • POST /api/security/sign-in-logs/export — Export sign-in logs