Check Azure AD Audit Logs for User Sign-Ins (Success and Failures). Are you determined to safeguard your Azure Active Directory against any security breach? Well, one of the most critical steps is staying vigilant and monitoring user sign in logs.
Fortunately, Microsoft offers various ways to check Azure AD audit logs for user sign-ins, whether successful or unsuccessful.
There are two effective ways to check the Azure AD Audit Logs for user sign-in activities: the Azure Portal or PowerShell. This article walks you through both methods, so you pick the one that serves you best.
Additionally, the PowerShell section covers not only one but two methods to review user sign-in activities – with the AzureADPreview and Microsoft Graph PowerShell modules.
Reading this article to the end, equips you with the knowledge of user sign ins and ensures the security of your Azure AD. So, let’s get started!
Check Azure AD Audit Logs for User Sign-Ins (Success and Failures) Azure Portal
Most admins prefer performing tasks via GUI, and reviewing user sign-in activities through the Azure Portal gives them that option. Furthermore, the Azure Active Directory Portal has a Monitoring section with multiple options for admins to review and analyse user sign-in activities.
In the following subsections, we show you different user sign-in log options for you to use to monitor user sign in activities.
How to Use the "Sign-in logs" Report to Audit User Sign-In Activities
3. Subsequently, scroll down the menu to the Monitoring section and click Sign-in logs.
The Sign in logs report has 9 columns by default, but you can modify the columns (more on this later). Let me first show you how to use the “Date” and “Show date as:” filters.
The Date filter allows you to set how far to the past you want to view user sign-in logs. The default value is 24 hours, but you can modify this.
In terms of the “Show date as:” filter, by Default Azure portal, sets this to your Local time, but you can change this setting by clicking on the “Show date as:” filter.
Next, let’s talk about the report’s columns.
They can be customized by clicking Columns at the report’s top.
Then, select the columns you want to show on the Columns customization flyout and click Save.
Finally, the report also has an “Add filter” button to use to decide what data is displayed. To use this filter, click on it.
Then, from the displayed options, click on the field you wish to filter. For example, if you want to filter by sign-in status (Success or Failure), click the “Status” field and click the Apply button at the bottom.
Now that you’ve added the Status filter, the Sign-in log report displays it. To select a log status to display, click “Status: None Selected.”
Then, check the sign-in log status you wish to display and click Apply. The most helpful sign-in status that an admin needs to detect a potential threat is the existence of multiple sign-in failures.
So, I select this status in this example.
If you need to, download the report after configuring it. To download the sign-in logs report, click the Download button.
Then, follow the numbering in the graphics screenshot below to complete the report download settings and download it.
How to Use the "Log Analytics" Report to Review User Sign-In Activities
In addition to the “Sign-in logs” report, the Azure AD Monitoring section also has another report admins use to analyse user sign-in activities – the Log Analytics report. We have detailed articles that show how to configure and use the “Log Analytics” log.
Try our Active Directory & Office 365 Reporting & Auditing Tools
Try us out for Free. 100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.
Check Azure AD Audit Logs for User Sign-Ins (Success and Failures) with PowerShell
The PowerShell section of this article discusses 2 methods of using PowerShell to review Azure AD sign in activities. Follow the steps below.
Use AzureADPreview PowerShell Module to Report Azure AD User Sign-In Activities
Microsoft offers two Azure Active PowerShell module versions – AzureAD and AzureADPreview. The 2 modules have some cmdlets common to them.
However, some cmdlets are not available in both modules. The cmdlet we need to run Azure AD user sign-in reports – Get-AzureADAuditSignInLogs – is available in the AzureADPreview module.
So, installing this module is part of the steps outlined below.
1. Open PowerShell as admin by searching for the app. Then, click “Run as admin.”
Your Windows PC prompts you to allow PowerShell to make changes to your device. Click Yes.
2. When the Windows PowerShell command console opens, copy the command below, paste it into your PS console, then press Enter to execute the command.
powershell.exe -ExecutionPolicy RemoteSigned
This command opens a new instance of PowerShell, allowing you to run commands from a module you downloaded online.
2. Next, run the first command below to uninstall AzureAD, if you previously installed the module on your computer. It would help to uninstall this module because it cannot co-exist with the AzureADPreview module.
Uninstall-Module AzureAD -force
If the Uninstall Module command returns the “No match was found” error, it indicates that you have not previously installed the AzureAD PowerShell module.
3. Next, install AzureADPreview PowerShell module by running the command below. Then, to download the module to your PC, run the Import-Module command.
Install-Module AzureADPreview
Import-Module AzureADPreview
Finally, run the Get-Module command below to confirm that the AzureADPreview module is available on your computer. The command displays the module information, including a list of all available commands.
Unfortunately, the default Get-Module command does not list the commands in a module. However, to see a list of all available commands in the AzureADPreview module, run the Get-Command command.
Get-Module AzureADPreview
Get-Command -Module AzureADPreview
4.The next step is to connect to your Azure tenant from PowerShell. Run the Connect-AzureAD command to authenticate and connect to your Azure tenant.
Usually, if you run the Connect-AzureAD without specifying the Credential parameter, PowerShell displays a sign-in dialogue box and prompt you to enter your username and password. To avoid this, run the Get-Credential command and save the result in the $credential variable.
Then, when you run the Connect-AzureAD command, specify the $credential variable.
$credential = Get-Credential username@domainname.com
Replace username@domainname.com with your Azure or Office 365 login UPN.
If your credentials are correct, the last command should connect to your Azure tenant and display a confirmation.
Connect-AzureAD -Credential $credential
Now that you’re connected to Azure, run the Get-AzureADAuditSignInLogs command to return user sign-in activities. Run the command without any parameters.
However, that returns a large number of data that may be useless.
To reduce the amount of data this command returns is to use its Filter parameter. Admins use the Filter parameter to modify the sign-in log data returned by the Get-AzureADAuditSignInLogs command.
For example, an admin uses the first command below to create a date variable for the last 24 hours. Then, use the second command to return the sign-in logs created in the last 24 hours.
$datefilter = (get-date).AddDays(-1).ToString("yyyy-MM-dd")
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $datefilter"
Unfortunately, the default result of the command is not very useful because it has too much information.
How about adding some filters to get the command to reduce the result to the most helpful information we need? Here is the command and the screenshot.
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $datefilter" | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, Location | Format-Table -AutoSize
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $datefilter" | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, Location | | Export-Csv -Path D:\report\AzureADSigninlogs.CSV -NoTypeInformation
Use Microsoft.Graph.Reports PowerShell Module to Report Azure AD User Sign-In Activities
Microsoft Graph makes REST APIs and client libraries available to allow users to access data in Microsoft Cloud services, including Azure Active Directory. In this subsection, we explore how to use the Microsoft.Graph.Reports PowerShell module to generate user sign in reports from Azure AD.
1. Open PowerShell as admin. Then, open another instance that allows you to run modules downloaded from the internet.
powershell.exe -ExecutionPolicy RemoteSigned
Subsequently, run the first command below to install the Microsoft Graph API PowerShell Module. Then, run the following commands to install and download the Microsoft.Graph.Reports PowerShell module.
Install-Module -Name Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Reports
Before you move on to step 2 below, confirm that the Microsoft.Graph.Reports module has successfully been installed and downloaded to your computer by running the command below.
Get-Command -Module Microsoft.Graph.Reports
If the command returns a long list of cmdlets, you’re good to go!
2. After installing the Microsoft.Graph.Reports module, the next step is to use the Connect-MgGraph command to authenticate to your Azure tenant. However, when you run the Connect-MgGraph command, you must specify a scope for the Microsoft Graph API to access the resources you need to return from Azure AD.
The quickest way to determine the scope you require is to use the Find-MgGraphCommand. In the example in this article, we need to run the Get-MgAuditLogSignIn command to access the Azure AD sign-in logs.
The command below returns the scope we need to run the Connect-MgGraph command.
Find-MgGraphCommand -command Get-MgAuditLogSignIn | Select -First 1 -ExpandProperty Permissions
The result of the command confirms that we need the AuditLog.Read.All and Directory.Read.All scopes to successfully run the Get-MgAuditLogSignIn command.
3. So, to request these scopes, run the Connect-MgGraph command with the Scopes parameter as shown below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
When you run the command, PowerShell prompts for your Azure login email. Enter the email address and click Next.
4. Then, enter your password and click Sign in. You receive a final prompt requesting you to grant “Microsoft Graph PowerShell” access to your Azure tenant.
Check the “Consent on behalf of your organization” checkbox and click Accept.
5. Finally, to use the Microsoft.Graph.Reports module to report Azure AD user sign-In activities, start by running the Get-MgAuditLogSignIn without any parameters.
Get-MgAuditLogSignIn
The command returns a report with the default columns. However, like the command in the previous sub-section, the default report is not very useful so we need to add some filtering.
6. Firstly, let’s get the command to return the columns we need most. But first, we need a way to determine the available columns (properties).
To list all available properties to help you decide on the columns you require, pipe the last command to the Get-Member command.
Get-MgAuditLogSignIn | Select-Object * | Get-Member
We decide what properties to include in our report from the results returned by Get-Member. Please pick from in the screenshot below.
7. With the information in step 6, pipe the Get-MgAuditLogSignIn command to Select-Object and specify the properties you want to show in your report. Below is a sample command.
Get-MgAuditLogSignIn | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, IPAddress, Location | Format-Table -AutoSize
Unfortunately, the PowerShell console hides some of the columns returned by the last command because they are more than it can handle.
8. A way to fix the problem of hidden columns is to export the report to a CSV file. To export it to a CSV file, use the command below.
Get-MgAuditLogSignIn | Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, IPAddress, Location | Export-CSV -path D:\report\MgADsign-inlogs-CSV -NoTypeInformation
How to Check Azure AD Audit Logs for User Sign-Ins (Success and Failures) Conclusion
Reviewing the Azure user sign-in logs for success and failure events is how admins proactively ensure they detect potential threats to Azure AD. Microsoft provides SysAdmins with multiple ways to perform this task.
In this article, I discussed how to view Azure AD user sign-in logs from the Azure Portal and with PowerShell. Furthermore, in the PowerShell session, I discussed 2 methods: using the AzureADPreview and Microsoft.Graph.Reports PowerShell modules to return Azure AD user sign-in logs.
I hope that by following the steps discussed in this article, you’ve acquired the knowledge to view and analyse your organization’s Azure AD user sign-in logs. Thereby detecting potential threats and fixing them before they become a problem.
Try InfraSOS for FREE
Invite your team and explore InfraSOS features for free
- Free 15-Days Trial
- SaaS Reporting & Auditing Solution
- Full Access to All Features
