Investigate authentication issues using sign-in logs

Microsoft 365 administrators and IT administrators are responsible for knowing how their IT environments are performing. The information about their systems’ health enables them to assess whether and how they must respond to potential issues.

To support this goal, the Azure Active Directory portal provides administrators with access to three activity logs:

  • Sign-in logs. Provides information about sign-ins and how users use the organization’s resources.
  • Audit logs. Provides information about changes applied to the company’s tenant. For example, users and group management, or updates applied to the tenant’s resources.
  • Provisioning logs. Provides a list of activities performed by the provisioning service. For example, the creation of a group in ServiceNow, or a user imported from Workday.

This unit provides an overview of the sign-in log.

Additional reading. For more information on audit logs and provisioning logs, see:

  • Audit logs in Azure Active Directory
  • Provisioning logs in Azure Active Directory

Overview of the Sign-in log

Administrators can use the sign-in logs to find answers to questions like:

  • What is the sign-in pattern of a user?
  • How many users have signed in over a week?
  • What’s the status of these sign-ins?

 Tip

An administrator can always access their own sign-ins history by accessing the My Sign-in page.

An administrator must assign a user one of the following roles for the user to access a sign-in log:

  • Global administrator
  • Security administrator
  • Security reader
  • Global reader
  • Reports reader

Sign-in logs are also referred to as Sign-in Activity reports. They’re available in all editions of Azure AD. If an organization has an Azure Active Directory P1 or P2 license, it can also access the Sign-In Activity report through the Microsoft Graph API.

The Azure portal provides several options to access the log. For example, on the Azure Active Directory menu, you can open the sign-in log within the Monitoring section.

Screenshot of the Azure Active Directory portal showing the Sign-ins log option highlighted.

What is the default view?

A sign-in log has a default list view that shows the following information:

  • Sign-in date
  • Related user
  • Application to which the user signed in
  • Sign-in status
  • Risk detection status
  • Multi-factor authentication (MFA) status

Screenshot of the Sign-ins activity page, with the application filter set to Office 365 SharePoint Online sign-ins.

You can customize the list view by selecting Columns in the toolbar.

Screenshot of the toolbar from the Sign-ins activity page, with the Columns option highlighted.

The Columns window gives you access to the selectable attributes. In a sign-in log, fields that can have more than one value for a single sign-in request can’t be shown as columns. For example, this rule applies to authentication details, Conditional Access data, and network location.

Screenshot showing the Columns dialog box where you can select attributes.

Sign-in error code

If a sign-in failed, you can get more information about the reason in the Basic info section of the related log item.

Screenshot of the Basic information section of the Details page for a sign-in error.

While the log item provides a failure reason, there are cases where you may get more information, such as remediation steps, using the sign-in error lookup tool.

Screenshot of the error lookup tool showing the error message and remediation step for a specific error code.

Filter sign-in activities

You can filter the data in a sign-in log to narrow it down to a level that works for you. Filter options include:

  • Request ID. The ID of the request you care about.
  • User. The name or the user principal name (UPN) of the user you care about.
  • Application. The name of the target application.
  • Status. The sign-in status you care about:
    • Success
    • Failure
    • Interrupted
  • IP address. The IP address of the device used to connect to your tenant.
  • Location. The location that initiated the connection:
    • City
    • State / Province
    • Country/Region
  • Resource. The name of the service used for the sign-in.
  • Resource ID. The ID of the service used for the sign-in.
  • Client app. The type of the client app used to connect to your tenant. The following table identifies each client app option.

 Note

Due to privacy commitments, Azure AD doesn’t populate this field to the home tenant in a cross-tenant scenario.

| Name | Modern authentication | Description |
| --- | --- | --- |
| Authenticated SMTP | | Used by POP and IMAP clients to send email messages. |
| Autodiscover | | Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online. |
| Exchange ActiveSync | | This filter shows all sign-in attempts that attempted the EAS protocol. |
| Browser | X | Shows all sign-in attempts from users using web browsers. |
| Exchange ActiveSync | | Shows all sign-in attempts from users with client apps using Exchange ActiveSync to connect to Exchange Online. |
| Exchange Online PowerShell | | Used to connect to Exchange Online with remote PowerShell. If you block basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication. |
| Exchange Web Services | | A programming interface used by Outlook, Outlook for Mac, and third-party apps. |
| IMAP4 | | A legacy mail client using IMAP to retrieve email. |
| MAPI over HTTP | | Used by Outlook 2010 and later. |
| Mobile apps and desktop clients | X | Shows all sign-in attempts from users using mobile apps and desktop clients. |
| Offline Address Book | | A copy of address list collections that Outlook downloads and uses. |
| Outlook Anywhere (RPC over HTTP) | | Used by Outlook 2016 and earlier. |
| Outlook Service | | Used by the Mail and Calendar app for Windows 10. |
| POP3 | | A legacy mail client using POP3 to retrieve email. |
| Reporting Web Services | | Used to retrieve report data in Exchange Online. |
| Other clients | | Shows all user sign-in attempts that either don’t include the client app or the client app is unknown. |
  • Operating system. The operating system on the device used to sign in to your tenant.
  • Device browser. If a browser initiates a connection, this field enables you to filter by browser name.
  • Correlation ID. The correlation ID of the activity.
  • Conditional access. The status of the applied Conditional Access rules that you care about:
    • Not applied. No policy applied to the user and application during sign-in.
    • Success. One or more Conditional Access policies applied to the user and application (but not necessarily the other conditions) during sign-in.
    • Failure. The sign-in satisfied the user and application condition of at least one Conditional Access policy. However, the grant controls are either not satisfied or they’re set to block access.
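The filters above are easier to reason about when applied to exported records. The following is an added example, not code from the original page: it applies the User, Application, Status, Client app and Conditional access filters to constructed sample sign-in records, and uses the client-app table above to separate legacy-protocol sign-ins from modern-authentication ones. Property names follow the Microsoft Graph signIn resource; the sample data and error codes are constructed for illustration.

```python
from collections import Counter

# Client apps the table above marks with an X under "Modern authentication";
# every other option in that table is a legacy protocol.
MODERN_AUTH_CLIENT_APPS = {"Browser", "Mobile apps and desktop clients"}

# Constructed sample records (not real tenant data). status.errorCode 0 means success.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Mobile apps and desktop clients", "status": {"errorCode": 53003},
     "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
]


def filter_sign_ins(records, user=None, app=None, status=None, client_app=None, ca_status=None):
    """Apply the portal's User, Application, Status, Client app and Conditional access
    filters; a filter left as None is not applied. status is "Success" or "Failure"
    (the portal's "Interrupted" bucket is not derived here)."""
    out = []
    for r in records:
        failed = r["status"]["errorCode"] != 0
        if user and r["userPrincipalName"].lower() != user.lower():
            continue
        if app and r["appDisplayName"] != app:
            continue
        if (status == "Success" and failed) or (status == "Failure" and not failed):
            continue
        if client_app and r["clientAppUsed"] != client_app:
            continue
        if ca_status and r["conditionalAccessStatus"] != ca_status:
            continue
        out.append(r)
    return out


def legacy_auth_sign_ins(records):
    """Sign-ins over client apps the table does not mark as modern authentication."""
    return [r for r in records if r["clientAppUsed"] not in MODERN_AUTH_CLIENT_APPS]


def failures_by_user(records):
    """Failed sign-ins per UPN: a quick view of one user's sign-in pattern."""
    return Counter(r["userPrincipalName"] for r in records if r["status"]["errorCode"] != 0)
```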

Sign-ins data shortcuts

Azure AD and the Azure portal both provide other entry points to sign-in data:

  • The Identity security protection overview
  • Users
  • Groups
  • Enterprise applications

Users sign-ins data in Identity security protection

The user sign-in graph in the Identity security protection overview page shows weekly aggregations of sign-ins. The default for the time period is 30 days.

Screenshot of the Identity security protection report showing a sign-in graph of the weekly aggregations of sign-ins.

When you select a day in the sign-in graph, the system displays an overview of the sign-in activities for that day. Each row in the Sign-in activities list shows:

  • Who has signed in?
  • What application was the target of the sign-in?
  • What is the status of the sign-in?
  • What is the MFA status of the sign-in?

When you select an item, the system displays more details about the sign-in operation, including:

  • User ID
  • User
  • Username
  • Application ID
  • Application
  • Client
  • Location
  • IP address
  • Date
  • MFA Required
  • Sign-in status

 Note

Networks issue IP addresses in such a way that there’s no definitive connection between an IP address and the physical location of the computer with that address. Mobile providers and virtual private networks complicate the mapping of IP addresses since they issue IP addresses from central pools that are often far from the location of the client device. Currently, converting IP address to a physical location is a best effort based on traces, registry data, reverse lookups and other information.

The Users page displays a complete overview of all user sign-ins by selecting Sign-ins in the Activity section.

Screenshot of the navigation bar on the Users page with the Sign-ins option highlighted.

Authentication details

The Authentication Details tab on the Sign-ins report provides the following information for each authentication attempt:

  • A list of authentication policies applied (such as Conditional Access, per-user MFA, Security Defaults).
  • A list of session lifetime policies applied (such as Sign-in frequency, Remember MFA, Configurable Token lifetime).
  • The sequence of authentication methods used to sign in.
  • Success or failure of authentication attempt.
  • Detail about why the authentication attempt succeeded or failed.

This information allows administrators to troubleshoot each step in a user’s sign-in. It also enables them to track:

  • Volume of sign-ins protected by multi-factor authentication.
  • Reasons for the authentication prompt based on the session lifetime policies.
  • Usage and success rates for each authentication method.
  • Usage of passwordless authentication methods (such as Passwordless Phone Sign-in, FIDO2, and Windows Hello for Business).
  • How frequently token claims (where the system doesn’t interactively prompt the user to enter a password, enter an SMS OTP, and so on) satisfy authentication requirements.

While viewing the Sign-ins report, select the Authentication Details tab:

Screenshot of the sign-ins report with the Authentication Details tab highlighted.

The Authentication details tab can initially show incomplete or inaccurate data, until log information is fully aggregated. Known examples include:

  • The "satisfied by claim in the token" message incorrectly displays when the system initially logs sign-in events.
  • The system fails to initially log the Primary authentication row.

Usage of managed applications

With an application-centric view of sign-in data, administrators can answer questions such as:

  • Who is using my applications?
  • What are the top three applications in your organization?
  • How is my newest application doing?

The entry point to this data is the top three applications in an organization. The data is contained in the report covering the last 30 days, in the Overview section under Enterprise applications.

The app-usage graph shows weekly aggregations of sign-ins for an organization’s top three applications in a given time period. The default for the time period is 30 days.

Screenshot of the App usage graph showing the sign-ins for the top three applications for a one month period.

If you want to, you can select a specific application to view the sign-in details for that application over the past one month period.

Screenshot of the App usage graph showing the sign-ins for the top three applications for a one month period.

When you select a day in the app usage graph, the system displays a detailed list of the sign-in activities. The Sign-ins option provides a complete overview of all sign-in events to your applications.

Microsoft 365 activity logs

Administrators can view Microsoft 365 activity logs from the Microsoft 365 admin center. Microsoft 365 activity logs and Azure AD activity logs share a significant number of the directory resources. Only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.

Administrators can also programmatically access the Microsoft 365 activity logs by using the Office 365 Management APIs.