Get Azure Sign-in Logs in Microsoft 365

Are you encountering multiple failed sign-in attempts in your Microsoft 365 environment? Utilize Microsoft Entra ID sign-in logs for real-time tracking of User sign-ins and to identify suspicious login attempts. Moreover, they offer valuable insights into user behaviour patterns, enabling the detection of anomalies and potential security threats. This guide will help you to consistently monitor user sign-in logs, empowering you to enhance your organization's overall security posture.

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Security Admin, Security Reader, Global Reader, or Reports Reader.

Option 1 Using Microsoft Entra Admin Center

Login to the Microsoft Entra admin center.
Navigate to the Sign-in logs tab under Identity»Users»All users.

Now, filter the logs to see the sign ins for specific user or application.
Here, you can audit all the users' sign-in logs in your organization for past 30 days.

Option 2 Using Microsoft Purview Portal

Login to the Microsoft 365 Purview portal.
Navigate to the Audit tab under Solutions.
Set the start date and end date to search in the specific time frame.
Choose Friendly Names as 'User logged in', and click the Search button to initiate the search.

Option 3 Using PowerShell

Install and connect to the 'Microsoft Graph' PowerShell module using the below cmdlets.

Windows PowerShell

 Install-Module Microsoft.Graph
Connect-MgGraph -Scopes AuditLog.Read.All

Run the below cmdlet to view users’ sign-in data in M365.

Windows PowerShell

 Get-MgAuditLogSignIn | Format-Table CreatedDateTime, UserPrincipalName, AppDisplayName, ResourceDisplayName

Option 4 Using Powershell Script

To reduce the burden of Office 365 user login monitoring in Microsoft 365, we have developed a user-friendly PowerShell script.
It generates an Office 365 user login report that contains both successful and failed login attempts.
It also covers the mailbox logins and teams logins.
Download and run the following script in the Administrator PowerShell.

O365UserLoginHistory.ps1

AdminDroid Solution

More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Login to the AdminDroid Office 365 portal.
Navigate to the All Sign-ins tab under Analytics»Sign-in Analytics.

Here, you can get the sign-in report for all your Microsoft 365 users along with information like sign-in ID, sign-in type, risk details, authentication details, device details, location, etc.

Utilize built-in graphical charts for comprehensive visualization of sign-in details. The above chart shows the count of user sign-ins from different locations in your organization which helps to identify sign-ins from unfamiliar locations effortlessly.

Explore a full range of reporting options

Analyze suspicious sign-in attempts with a few clicks!

Suspecting unauthorized access within your tenant? Utilize AdminDroid's Microsoft 365 sign-in monitoring tool to easily audit user sign-in logs and manage risky sign-ins.

Witness the report in action using the

Live Demo

Important Tips

Sign-in data reveals in-demand applications, facilitating application audits to optimize resource allocation and prioritize upgrades for the most frequently used services.

Identify Entra ID risky sign-ins to spot suspicious users attempting to sign in from unrecognized locations and mitigate potential breaches.

Regularly checking sign-in logs helps to find Microsoft 365 inactive users, preventing resource wastages and improving security by identifying potential insider threats.

Azure ADAudit Sign-In Logs to Avoid Unauthorized Access in Microsoft 365

Showing 1 of 8

Why it is important to keep track of users’ sign-in logs in M365? How to track users’ sign-ins with location details? How to find inactive users using the last logon time in Microsoft Entra? How to export Azure AD guest users' sign-in report in Microsoft 365? How to check risky sign-ins in Azure AD? How to view applied conditional access policies in sign-in logs? How to audit sign-in with error codes in Microsoft 365? How retention policies of sign-in logs can impact compliance?

Why it is important to keep track of users’ sign-in logs in M365?

Tracking user sign-in logs in Microsoft 365 is essential for maintaining robust security and ensuring compliance with regulatory standards. It enables admins to monitor the applications and resources accessed by users. Additionally, it provides valuable insights into usage patterns and potential security risks.

Microsoft 365 user sign-in logs contain critical information that includes,

User Identification: Details such as display name and UPN of those who attempted to sign in.
Authentication Details: Logs whether the sign-in was successful or unsuccessful.
Client Application Used: Identifies the applications that the user used to access resources.
IP Address: Indicates the geographic location or network of the sign-in attempt.
Device Information: Details about the device used, such as device ID or OS.
Conditional Access Policies: Indicates if any conditional access policies were applied.
Risk Assessment: Information on the risk level associated with the sign-in attempt.

Keeping track of Microsoft 365 user sign-in logs is crucial for several reasons

Security Monitoring: Sign-in logs provide valuable insights into user authentication activities, allowing admins to monitor for suspicious behaviour or potential security threats.
Compliance and Auditing: Keeping sign-in logs assists organizations in meeting regulatory standards and creates a documented history for compliance audits.
Troubleshooting: Sign-in logs can assist in troubleshooting user access issues by providing details about sign-in attempts and any associated errors or anomalies.
User Behavior Analysis: Analyzing sign-in logs can offer valuable insights into user behaviour patterns, such as typical login times, locations, and devices used. This information can help administrators identify deviations from normal behaviour, such as unauthorized access attempts or account compromises.
Policy Enforcement: Sign-in logs can be used to enforce security policies related to user authentication, such as password policies, multi-factor authentication requirements, and access control policies. Admins can review sign-in logs to ensure compliance with these policies and take corrective action if necessary.

Overall, Microsoft 365 user sign-in logs play a vital role in maintaining the security, compliance, and efficiency of an organization.

How to track users’ sign-ins with location details?

Analyzing sign-ins with location details helps to identify user logins from unfamiliar locations, enhancing security by detecting potential unauthorized access and enabling prompt response to suspicious activities.

To get a list of user sign-ins with location details, run the below PowerShell cmdlet.

Get-MgAuditLogSignIn | Select-Object -Property CreatedDateTime, UserPrincipalName, UserDisplayName -ExpandProperty Location | Format-List

To get a list of users’ sign-ins with authentication details in Microsoft 365, run the below PowerShell cmdlet.

Get-MgAuditLogSignIn | Select-Object -Property CreatedDateTime, UserPrincipalName, UserDisplayName -ExpandProperty Status | Format-List

To get a list of user sign-ins with device details such as operating system, browser, device display name, run the below PowerShell cmdlet.

Get-MgAuditLogSignIn | Select-Object -Property CreatedDateTime, UserPrincipalName, UserDisplayName -ExpandProperty DeviceDetail | Format-List

AdminDroid offers a user-friendly approach to efficiently audit sign-ins with authentication methods!

Here, you get a detailed report on successful MFA sign-ins, sign-ins that failed in the MFA challenge, and sign-ins with various authentication methods.
Also, AdminDroid offers a user sign-in summary with CA policy at a user level and organizational level.

Pro Tip: Create alerts on MFA sign-in failures with a desired threshold to proactively monitor the risky sign-in attempts.

How to find inactive users using the last logon time in Microsoft Entra?

Identify inactive users with the help of users' last login time for streamlined user management and to address challenges in maintaining account security.

Using Microsoft Entra Admin Center

Follow the below to get last login time of Microsoft 365 users.

Navigate to All Users tab under Identity»Users to view all user details.
In the top toolbar, click on the Manage view, and choose the Edit column.
Now, add the Last interactive sign-in time or the Last non-interactive sign-in time column to view the last login time of the M365 users as per the requirements.

Note: It requires Microsoft Entra ID P1 or P2 license to retrieve the sign-ins logs.

Using PowerShell

Run the below cmdlet to find the last logon time of Office 365 users.

(Get-MgBetaUser -UserId <userID> -Property SigninActivity).SignInActivity.LastSuccessfulSignInDateTime

Run the below cmdlet to find the last login time of Office 365 users.

Get-MgBetaUser -Property SigninActivity | Select -property UserPrincipalName, DisplayName -ExpandProperty SignInActivity | Format-Table -Property UserPrincipalName, DisplayName, LastSuccessfulSignInDateTime

By the above ways, we can easily retrieve the last login time of Office 365 users, allows admins to pinpoint inactive accounts, enabling them to disable or remove it from the organization.

Using AdminDroid, you can easily identify the inactive users in your organization.

AdminDroid provides a variety of reports detailing users' last login summary categorized by user, application, city, state, country, browser and operating system.
AdminDroid's Inactive Users Overview report collection enables you to identify Office 365 inactive users within each M365 app by last activity performed date, as well as by their mailbox usage and user attributes.

How to export Azure AD guest users' sign-in report in Microsoft 365?

Real-time monitoring of guest user sign-ins in Microsoft 365 helps prevent unauthorized access, ensuring that guest users only access the intended resources in the organization.

Using Microsoft Entra Admin Center Navigate to Sign-in logs tab under Identity»Monitoring & Health. To get the guest users’ login events, click on the Add filters button, then select User type as Guest, and click on the Apply button.
Microsoft PowerShell Run the below cmdlet in MS Graph PowerShell to find the guest user sign-ins in Azure AD.

Get-MgBetaAuditLogSignIn -Filter "UserType eq 'guest'" | Format-Table CreatedDateTime, AppDisplayName, UserPrincipalName, UserDisplayName, UserType

With AdminDroid, you can able to monitor guest users' sign-ins and guest user activities with just a few clicks!

With the Guest users’ sign-in report, you can be able to identify guest sign-ins with details like sign-in time, sign-in id, username, signed-in application name, resource display name, ip address, etc.
Also, AdminDroid’s Guest user activities report enables you to keep track of guest users' actions, such as file accesses, application usage, and services they utilize.

How to check risky sign-ins in Azure AD?

As a security admin, it is important to monitor Azure risky sign-ins to prevent unauthorized access and potential compromise of user accounts. Identifying and responding to suspicious activities allows you to take proactive measures to secure them in future. However, you require a Microsoft Entra ID P2 license to access all Identity protection settings and policies.

Follow the below to get a risky sign-ins report that helps you to detect and remediate risky sign-ins.

Using Microsoft Entra Admin Center Navigate to the Risky sign-ins tab under Identity»Protection»Risky activities to view the risky sign-ins of your Microsoft 365 environment.
Microsoft PowerShell Run the below cmdlet in MS Graph PowerShell to find the risky sign-ins in Azure AD.

Get-MgAuditLogSignIn -Filter "RiskDetail ne 'None'" | Format-List

Note: This cmdlet provides output only if your tenant has logs for risky sign-ins.

Unfortunately, there is no way to visualize the risky sign-ins using Microsoft 365 native methods.

However, with the help of AdminDroid, you can be easily get of picture of confirmed risky sign-ins report and mitigate the potential security threats.

Here, you can get entire details regarding the risky sign-ins such as signed-in user, risk detected time, risk level, risk event type, etc.
Also, you can refine the logs to view sign-ins based on risk level, risk event types, risk resolved method, etc.

How to view applied conditional access policies in sign-in logs?

To fortify security against unauthorized access, it's essential to keep track of sign-ins along with authentication details, and applied conditional access policies.

Using Microsoft Entra Admin Center Navigate to the Sign-in logs tab under Identity»Users»All users and click on the specific sign-in and switch to the Conditional Access tab to view the applied policies for that sign-in.
Microsoft PowerShell The below cmdlet requires Policy.Read.ConditionalAccess permission to view the applied conditional access policies using PowerShell.

Get-MgBetaAuditLogSignIn -SignInId <signInId> | Select-Object -ExpandProperty AppliedConditionalAccessPolicies | Format-List

Tracking sign-ins with applied conditional access policies in Microsoft 365 will be time consuming and won't provide a clear picture about the activity.

Using AdminDroid, you can easily view applied conditional access policies with just a few clicks!

Here, you can just hover on the specific sign-in data to get the list of applied conditional access policies with details like sign-in id, sign-in time, signed-in user, signed-in application name, sign-in status, etc.

signins-with-applied-conditional-access-policies

How to audit sign-in with error codes in Microsoft 365?

Monitoring sign-ins with error codes is crucial for understanding authentication issues, identifying vulnerabilities, and enhancing overall organizational security.

To get a list of user’s sign-in details with error codes, run the below PowerShell cmdlet.

Get-MgAuditLogSignIn | Where-Object { $_.Status.ErrorCode -eq <error_code> } | Select-Object CreatedDateTime, UserPrincipalName -ExpandProperty Status | Format-List

In addition, analyze the user login failures in Microsoft 365 to efficiently safeguard your organization against potential security threats.

With AdminDroid, you can able to retrieve the sign-ins with security prompts, MFA authentication details, device details, locations, and more.

Here, you can get complete details about the sign-ins with security prompts such as sign-in time, signed-in user, signed-in application, device browser, device OS, authentication method, etc.

How retention policies of sign-in logs can impact compliance?

Retention policies for sign-in logs are crucial for maintaining compliance and security. Incomplete logs can hinder the verification of user activity and compliance with regulatory standards.

Ensure Compliance with Retention Policies

Azure AD has retention policies to store sign-in logs for the past 30 days only. However, Audit logs (standard) have a default retention period of 180 days to retain the logs and it can be configurable for up to 10 years with Audit (premium).
Ensure the retention policy covers the dates of the sign-in events you're reviewing. Logs may be incomplete if older events have been deleted due to retention limits.

With AdminDroid, you can easily retain data as long as you need!

You can able to manage the data retention for Audit logs or Exchange data in your local machine for a maximum of five years without the need for any add-on license or Audit (Premium).
Also, it allows you to set disk space alerts for AdminDroid usage in your storage disk to keep you alerted about disk space usage.
Here, you have detailed insights and easy access to historical data, which helps in maintaining compliance and performing audits.

AdminDroid Microsoft Entra ID ReportingKeep track of suspicious sign-in activities of Microsoft 365 users!

The AdminDroid's Microsoft 365 sign-in analytics tool offers comprehensive reports on sign-in events throughout your organization. It efficiently displays user risk levels, details on users' risky sign-in events, and information on resolved risks, each with a dedicated reports.

Secure your organization with AdminDroid's unique features for monitoring Entra ID risky sign-ins!

By keeping an eye on the Office 365 risky users’ sign-in reports, you can easily identify and assess potential risky sign-ins from unfamiliar places, off-peak hours, or different devices, allowing you to take immediate and appropriate action.

A Quick Summary

Review User Login Insights to Enhance Security

Keep tabs on user login reports to identify sign-ins from unusual access patterns, unfamiliar devices or locations, and multiple failed attempts could indicate a potential security risks in your organization.

Monitor Risky Sign-Ins to Avoid Security Breaches

AdminDroid's alerting feature enables you to proactively address potential security breaches by receiving immediate notifications for risky sign-in attempts within your organization.

Analyze Guest User Sign-Ins in Microsoft 365

Keep a close watch on guest users' sign-ins to identify and address any unauthorized access attempts to sensitive resources in your Microsoft 365 environment.

Streamline Workflow by Scheduling Reports

Simplify data monitoring by scheduling the users' sign-in summary to get audit data on time.

Track MFA Sign-In Failures in Microsoft 365

Audit the successful and failed MFA sign-ins along with authentication methods and analyze the source of MFA enforcement such as conditional access policies, per-user MFA, and security defaults.

Transform the Traditional Look into Graphical Charts

Explore sign-in reports with various built-in AI-powered charts like hourly sign-in count to help identify spikes or dips in activity, as well as sign-in attempts during off-hours.

In summary, AdminDroid assists you in staying informed about M365 sign-ins and helps safeguard against potential security risks. With its extensive range of reports, you can configure risk-based policies based on the comprehensive details provided.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps in retrieving Microsoft 365 user login reports

The following are the possible errors and troubleshooting hints while exploring sign-in history in Microsoft 365.

Error: The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error will occur if the MS Graph module was not installed properly.

Troubleshooting hint :Install the MS Graph PowerShell module. If it is already installed, updating it could resolve the issue.

// Run the below cmdlet for installing it.
Install-Module Microsoft.Graph
// Run the below cmdlet for updating it.
Update-Module Microsoft.Graph

Error: Get-MgAuditLogSignIn : You cannot perform the requested operation, required scopes are missing in the token.

This error occurs when the MS Graph module does not have permission to audit the sign-in events.

Troubleshooting hint :Connect to the MS Graph PowerShell using the below cmdlet and allow permission to access sign-in logs.

Connect-MgGraph -Scopes "AuditLog.Read.All"

Error: Get-MgAuditLogSignIn : Invalid filter clause: An identifier was expected at position 19.

This error occurs when we try to use the filter like below, but it seems to be invalid. Get-MgAuditLogSignIn -Filter "CreatedDatetime ge $((get-date).AddDays(-7))"

Troubleshooting hint :To resolve the issue, check whether the property is correct or data type mismatch error occurs. In this case, filter requires the string value, but in string interpolation, it gets the datetime value. Typecast the datetime value to the string type to fix the error like below,

Get-MgAuditLogSignIn -Filter "CreatedDatetime ge $((get-date).AddDays(-7).ToString('yyyy-MM-dd'))"

Error: Get-MgAuditLogSignIn : Query option 'Count' is not allowed. To allow it, set the 'AllowedQueryOptions' property on EnableQueryAttribute or QueryValidationSettings.

This error occurs when we try to use options like Select, Count, and Skip because the usage of these options is not allowed on Get-MgAuditLogSignIn cmdlet currently.

Troubleshooting hint :As per the Microsoft Graph documentation for List SignIns, currently it only supports the $top, $skiptoken, and $filter OData Query Parameters to customize the response (for both v1.0 & beta). Try to use client-side customisations to resolve this issue.

Error: ./O365UserLoginHistory.ps1 cannot be loaded because running scripts is disabled on this system.

If you have set the execution policy settings to ‘RemoteSigned’, the above error will occur while running the PowerShell script.

Troubleshooting hint :Change the execution policy settings by running the below cmdlet.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Error: Get-MgAuditLogSignIn : One or more errors occurred.

The error occurs due to conflicts between two installed versions of the Microsoft Graph PowerShell module.

Troubleshooting hint :To fix the problem, we need to remove all installed versions of the module and then install the latest ones which help resolve the issue.

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Export User’s Sign-In Logs in Microsoft 365