Check Azure AD Audit Logs for User Sign-Ins (Success and Failures)
Are you determined to safeguard your Azure Active Directory against any security breach? Well, one of the most critical steps is staying vigilant and monitoring user sign-in logs.
Fortunately, Microsoft offers various ways to check Azure AD audit logs for user sign-ins, whether successful or unsuccessful.
There are two effective ways to check the Azure AD Audit Logs for user sign-in activities: the Azure Portal or PowerShell. This article walks you through both methods, so you pick the one that serves you best.
Additionally, the PowerShell section covers not only one but two methods to review user sign-in activities – with the AzureADPreview and Microsoft Graph PowerShell modules.
Reading this article to the end equips you with knowledge of user sign-ins and helps you ensure the security of your Azure AD. So, let’s get started!
Check Azure AD Audit Logs for User Sign-Ins (Success and Failures) Azure Portal
How to Use the "Sign-in logs" Report to Audit User Sign-In Activities
The Sign-in logs report has 9 columns by default, but you can modify the columns (more on this later). Let me first show you how to use the “Date” and “Show date as:” filters.
The Date filter allows you to set how far into the past you want to view user sign-in logs. The default value is 24 hours, but you can modify this.
As for the “Show date as:” filter, by default the Azure portal sets this to your Local time, but you can change this setting by clicking on the “Show date as:” filter.
Next, let’s talk about the report’s columns.
They can be customized by clicking Columns at the report’s top.
Then, select the columns you want to show on the Columns customization flyout and click Save.
Finally, the report also has an “Add filter” button that you use to decide what data is displayed. To use this filter, click on it.
Then, from the displayed options, click on the field you wish to filter. For example, if you want to filter by sign-in status (Success or Failure), click the “Status” field and click the Apply button at the bottom.
Now that you’ve added the Status filter, the Sign-in log report displays it. To select a log status to display, click “Status: None Selected.”
Then, check the sign-in log status you wish to display and click Apply. The most helpful sign-in status that an admin needs to detect a potential threat is the existence of multiple sign-in failures.
So, I select this status in this example.
If you need to, download the report after configuring it. To download the sign-in logs report, click the Download button.
Then, follow the numbering in the screenshot below to complete the report download settings and download it.
How to Use the "Log Analytics" Report to Review User Sign-In Activities
Check Azure AD Audit Logs for User Sign-Ins (Success and Failures) with PowerShell
Use AzureADPreview PowerShell Module to Report Azure AD User Sign-In Activities
Microsoft offers two Azure Active Directory PowerShell module versions – AzureAD and AzureADPreview. The 2 modules have some cmdlets in common.
However, some cmdlets are not available in both modules. The cmdlet we need to run Azure AD user sign-in reports – Get-AzureADAuditSignInLogs – is available in the AzureADPreview module.
So, installing this module is part of the steps outlined below.
powershell.exe -ExecutionPolicy RemoteSigned
This command opens a new instance of PowerShell, allowing you to run commands from a module you downloaded online.
2. Next, run the first command below to uninstall AzureAD, if you previously installed the module on your computer. It would help to uninstall this module because it cannot co-exist with the AzureADPreview module.
Uninstall-Module AzureAD -force
3. Next, install AzureADPreview PowerShell module by running the command below. Then, to download the module to your PC, run the Import-Module command.
Finally, run the Get-Module command below to confirm that the AzureADPreview module is available on your computer. The command displays the module information, including a list of all available commands.
Unfortunately, the default Get-Module command does not list the commands in a module. However, to see a list of all available commands in the AzureADPreview module, run the Get-Command command.
Get-Command -Module AzureADPreview
Usually, if you run Connect-AzureAD without specifying the Credential parameter, PowerShell displays a sign-in dialogue box and prompts you to enter your username and password. To avoid this, run the Get-Credential command and save the result in the $credential variable.
Then, when you run the Connect-AzureAD command, specify the $credential variable.
$credential = Get-Credential email@example.com
Connect-AzureAD -Credential $credential
If your credentials are correct, the last command should connect to your Azure tenant and display a confirmation.
However, that returns a large amount of data that may be useless.
The way to reduce the amount of data this command returns is to use its Filter parameter. Admins use the Filter parameter to modify the sign-in log data returned by the Get-AzureADAuditSignInLogs command.
For example, an admin uses the first command below to create a date variable for the last 24 hours. Then, use the second command to return the sign-in logs created in the last 24 hours.
$datefilter = (get-date).AddDays(-1).ToString("yyyy-MM-dd")
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $datefilter"
Unfortunately, the default result of the command is not very useful because it has too much information.
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $datefilter" | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, Location | Format-Table -AutoSize
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $datefilter" | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, Location | Export-Csv -Path D:\report\AzureADSigninlogs.CSV -NoTypeInformation
Use Microsoft.Graph.Reports PowerShell Module to Report Azure AD User Sign-In Activities
1. Open PowerShell as admin. Then, open another instance that allows you to run modules downloaded from the internet.
powershell.exe -ExecutionPolicy RemoteSigned
Install-Module -Name Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Reports
Before you move on to step 2 below, confirm that the Microsoft.Graph.Reports module has successfully been installed and downloaded to your computer by running the command below.
Get-Command -Module Microsoft.Graph.Reports
If the command returns a long list of cmdlets, you’re good to go!
2. After installing the Microsoft.Graph.Reports module, the next step is to use the Connect-MgGraph command to authenticate to your Azure tenant. However, when you run the Connect-MgGraph command, you must specify a scope for the Microsoft Graph API to access the resources you need to return from Azure AD.
The quickest way to determine the scope you require is to use the Find-MgGraphCommand. In the example in this article, we need to run the Get-MgAuditLogSignIn command to access the Azure AD sign-in logs.
The command below returns the scope we need to run the Connect-MgGraph command.
Find-MgGraphCommand -command Get-MgAuditLogSignIn | Select -First 1 -ExpandProperty Permissions
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
4. Then, enter your password and click Sign in. You receive a final prompt requesting you to grant “Microsoft Graph PowerShell” access to your Azure tenant.
Check the “Consent on behalf of your organization” checkbox and click Accept.
The command returns a report with the default columns. However, like the command in the previous sub-section, the default report is not very useful so we need to add some filtering.
6. Firstly, let’s get the command to return the columns we need most. But first, we need a way to determine the available columns (properties).
To list all available properties to help you decide on the columns you require, pipe the last command to the Get-Member command.
Get-MgAuditLogSignIn | Select-Object * | Get-Member
We decide what properties to include in our report from the results returned by Get-Member. Please pick from the properties in the screenshot below.
Get-MgAuditLogSignIn | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, IPAddress, Location | Format-Table -AutoSize
Get-MgAuditLogSignIn | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, IPAddress, Location | Export-CSV -Path D:\report\MgADsign-inlogs.CSV -NoTypeInformation
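The portal section singles out multiple sign-in failures as the status most worth watching; the same check can be scripted over the records the commands above return. The following is an added example, not code from the original article: the function name and threshold are hypothetical, the sample records are constructed, and it assumes the nested Status.ErrorCode, Status.FailureReason and Location.CountryOrRegion properties of Microsoft Graph sign-in records.

```powershell
# Added example. Get-RepeatedSignInFailure is a hypothetical helper, not a Microsoft cmdlet.
function Get-RepeatedSignInFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $SignIn,
        [int] $Threshold = 3   # assumed cut-off; tune it for your tenant
    )
    begin { $failures = [System.Collections.Generic.List[object]]::new() }
    process {
        foreach ($s in $SignIn) {
            # Status is a nested object; ErrorCode 0 means the sign-in succeeded.
            if ($s.Status.ErrorCode -ne 0) { $failures.Add($s) }
        }
    }
    end {
        $failures | Group-Object UserPrincipalName |
            Where-Object Count -ge $Threshold |
            ForEach-Object {
                $times = @($_.Group.CreatedDateTime | Sort-Object)
                [pscustomobject]@{
                    User        = $_.Name
                    Failures    = $_.Count
                    DistinctIPs = @($_.Group.IPAddress | Sort-Object -Unique).Count
                    Countries   = @($_.Group.Location.CountryOrRegion | Sort-Object -Unique) -join ','
                    Reasons     = @($_.Group.Status.FailureReason | Sort-Object -Unique) -join '; '
                    FirstSeen   = $times[0]
                    LastSeen    = $times[-1]
                }
            } | Sort-Object Failures -Descending
    }
}

# Constructed sample records (not real log data) with the same nested shape.
$t0 = Get-Date '2024-01-15T09:00:00Z'
$sample = @(
    @('alice@contoso.example', '203.0.113.10', 50126, 'Invalid username or password', 'NL', 0),
    @('alice@contoso.example', '203.0.113.10', 50126, 'Invalid username or password', 'NL', 1),
    @('alice@contoso.example', '198.51.100.7', 50126, 'Invalid username or password', 'BR', 2),
    @('alice@contoso.example', '198.51.100.7', 0,     '',                              'BR', 3),
    @('bob@contoso.example',   '192.0.2.44',   50126, 'Invalid username or password', 'NL', 5)
) | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_[0]; IPAddress = $_[1]; CreatedDateTime = $t0.AddMinutes($_[5])
        Status   = [pscustomobject]@{ ErrorCode = $_[2]; FailureReason = $_[3] }
        Location = [pscustomobject]@{ CountryOrRegion = $_[4] }
    }
}
# Against live data, pipe Get-MgAuditLogSignIn into the function instead of $sample.
$sample | Get-RepeatedSignInFailure -Threshold 3 | Format-Table -AutoSize
```

With the sample data, only the first user is reported: three failures from two IP addresses in two countries within a few minutes.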
How to Check Azure AD Audit Logs for User Sign-Ins (Success and Failures) Conclusion
Reviewing the Azure user sign-in logs for success and failure events is how admins proactively ensure they detect potential threats to Azure AD. Microsoft provides SysAdmins with multiple ways to perform this task.
In this article, I discussed how to view Azure AD user sign-in logs from the Azure Portal and with PowerShell. Furthermore, in the PowerShell section, I discussed 2 methods: using the AzureADPreview and Microsoft.Graph.Reports PowerShell modules to return Azure AD user sign-in logs.
I hope that by following the steps discussed in this article, you’ve acquired the knowledge to view and analyse your organization’s Azure AD user sign-in logs, thereby detecting potential threats and fixing them before they become a problem.