How to Export Azure AD Application Usage Report in Microsoft 365

Are you looking for insights on how users are accessing and using Azure AD apps within Microsoft 365? Understanding Azure AD application activity is crucial for optimizing both performance and security. The Microsoft Entra ID application activity report allows admins to track user engagement with Azure AD apps, detect unusual behavior, and ensure compliance. This guide will walk you through obtaining and interpreting this report, helping you strengthen security within Microsoft 365.

Native Solution

Microsoft 365 Permission Required: High

  • Least Privilege: Reports Reader
  • Most Privilege: Global Admin

Option 1 Using Microsoft Entra Admin Center

  • Sign in to the Microsoft Entra admin center.
  • Navigate to Azure AD Application Activity (Preview) under Identity»Monitoring & health»Usage & insights.
  • Use the Date range drop-down to filter the Azure AD app sign-in summary for the past 7 days or 30 days.
  • This report provides insights into the number of successful and failed sign-ins, as well as the overall success rate for logins to Azure AD applications.
  • Note: Utilize the Download option available in the report to export it as a CSV file.

Option 2 Using Windows PowerShell

  • Connect to the Microsoft Graph PowerShell module using the cmdlet below.
     Connect-MgGraph -Scopes "Reports.Read.All"
  • Next, run the following cmdlet, replacing <Report Period> with values like 'D7' or 'D30' to retrieve the Azure AD application sign-in summary for the last 7 or 30 days.
     Get-MgBetaReportAzureAdApplicationSignInSummary -Period <Report Period>
  • The output displays a summary of Azure AD application sign-ins, including counts of successful sign-ins, failed sign-ins, and sign-in interruptions for the specified period.
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Open the AdminDroid Office 365 reporter.
  • Navigate to the Organization Sign-In Count based on Application report under Analytics»Sign-in Analytics»Organization Sign-in Summary.
This comprehensive report provides detailed insights into Azure application usage within your Microsoft 365 environment, helping admins identify and resolve issues that lead to sign-in interruptions.

  • Leverage the built-in charts to visually display the top Azure AD applications, categorized by sign-in successes, failures, and more, to monitor each application's usage over a specified period.

Daily usage analysis of Entra ID apps!

AdminDroid Microsoft 365 reporting enables you to analyze daily summaries of Azure application usage without limitations, whereas the Entra portal provides data only for the past week or month.

Unlock In-Depth Insights and Reports on Azure AD Application Usage in Microsoft 365

How to audit service principal sign-in activity in Azure AD?

Service principal sign-ins refer to the authentication and activity logs associated with the identities used by Entra ID applications to access resources within Microsoft 365 services. When a service principal signs in, it performs actions such as accessing APIs, managing resources, or performing tasks on behalf of an application.

Monitoring these sign-ins helps track records of both successful and failed attempts, providing insight into whether the service principal is being used correctly or if potential security issues exist.

Monitor service principal sign-in logs using the Microsoft Entra admin center

  • Navigate to Service principal sign-ins under Identity»Monitoring & health»Sign-in logs.
  • The service principal sign-in logs provide information such as sign-in status, service principal name, resource ID, sign-in date and time, IP address, conditional access, and more.

Note: To obtain a comprehensive summary of each application's service principal sign-in, navigate to the Service principal sign-in activity report under Identity»Monitoring & health»Usage and insights.

Track service principal sign-ins with AdminDroid for more detailed analytics.

  • AdminDroid’s sign-in by apps and service principals report offers granular insights, including detailed sign-in time, application names, geographical data, and more.
  • The built-in heatmap chart helps you quickly spot peak activity and low sign-in days, making it easier to detect unusual service principal usage patterns.

How to find applications with too many failed sign-ins in Azure AD?

Monitoring sign-in failures is essential for smooth operation within Microsoft 365. By identifying and understanding the top sign-in errors for Azure AD apps, admins can proactively troubleshoot issues such as application logins failing to meet conditional access policies, application-related issues, and more. This helps ensure the security and reliability of their organization's digital resources.

Track top Azure AD app sign-in failures using the Microsoft Entra admin center

  • Navigate to Sign-in logs under Identity»Applications»Enterprise applications»Activity.
  • Adjust the Date filter as needed. In the Add filters option, choose the Status field, and choose Failure from the Status drop-down.
  • Click on the Application column header to sort the report by app.

Note: You can also set the filter to Success or Interrupted from the Status drop-down to analyze those sign-ins for Azure AD applications.
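The same question can be answered in PowerShell from the sign-in summary cmdlet shown in Option 2. The following is an added example, not AdminDroid's or Microsoft's code: the function name, thresholds and sample rows are constructed, and the property names follow the Graph applicationSignInSummary resource (confirm them with Get-Member in your module version).

```powershell
# Added example: thresholds and sample rows are constructed, not from the page.
function Get-AppSignInOutlier {
    [CmdletBinding()]
    param(
        # Rows shaped like Get-MgBetaReportAzureAdApplicationSignInSummary output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Summary,
        [int]    $MinFailed         = 25,  # assumed: failure count that always merits review
        [int]    $MinVolume         = 20,  # assumed: skip the rate check on near-idle apps
        [double] $MaxSuccessPercent = 90   # assumed: success rate below this is flagged
    )
    process {
        foreach ($app in $Summary) {
            $total = $app.SuccessfulSignInCount + $app.FailedSignInCount
            if ($total -eq 0) { continue }   # no sign-ins in the period, nothing to rate
            # Recompute the rate from the raw counts
            $rate = [math]::Round(100 * $app.SuccessfulSignInCount / $total, 1)
            $tooManyFailures = $app.FailedSignInCount -ge $MinFailed
            $lowSuccessRate  = ($total -ge $MinVolume) -and ($rate -lt $MaxSuccessPercent)
            if ($tooManyFailures -or $lowSuccessRate) {
                [pscustomobject]@{
                    AppDisplayName = $app.AppDisplayName
                    AppId          = $app.Id
                    Failed         = $app.FailedSignInCount
                    Successful     = $app.SuccessfulSignInCount
                    SuccessPercent = $rate
                    Reason         = if ($tooManyFailures) { 'FailedCount' } else { 'SuccessRate' }
                }
            }
        }
    }
}

# Constructed sample rows so the filter can be tried without a tenant
$sample = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; AppDisplayName = 'Sample HR Portal';   SuccessfulSignInCount = 940; FailedSignInCount = 12 }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; AppDisplayName = 'Sample Legacy Sync'; SuccessfulSignInCount = 30;  FailedSignInCount = 310 }
    [pscustomobject]@{ Id = '33333333-3333-3333-3333-333333333333'; AppDisplayName = 'Sample Wiki';        SuccessfulSignInCount = 40;  FailedSignInCount = 10 }
    [pscustomobject]@{ Id = '44444444-4444-4444-4444-444444444444'; AppDisplayName = 'Sample Idle App';    SuccessfulSignInCount = 1;   FailedSignInCount = 1 }
)
$sample | Get-AppSignInOutlier | Sort-Object Failed -Descending | Format-Table -AutoSize

# Against a live tenant (cmdlet and scope as used on this page):
#   Connect-MgGraph -Scopes "Reports.Read.All"
#   Get-MgBetaReportAzureAdApplicationSignInSummary -Period D7 |
#       Get-AppSignInOutlier | Export-Csv .\app-signin-outliers.csv -NoTypeInformation
```

With the sample rows, 'Sample Legacy Sync' is flagged for its failure count and 'Sample Wiki' for its 80% success rate; the idle app is skipped because two sign-ins are too few to judge a rate.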

The graphical chart in AdminDroid’s ‘Organization Sign-In Count by Application’ report allows you to easily visualize the top apps by failed sign-ins with just a few clicks.

How to get Entra ID app registrations with expiring secrets and certificates?

The application credential activity report offers a centralized view of your application credentials, detailing the last activity date, credential type (certificate or client secret), and expiration dates. Monitoring credential expiration dates is essential to ensure that the credentials of registered applications and service principals are up to date.

Monitor application credential activity using the Microsoft Entra portal

  • Navigate to the Application credential activity (Preview) report under the Usage & insights tab.
  • Utilize the 'View more details' link available in the respective record to access information such as the application object, service principal, resource IDs, credential origin, and more.
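The expiry check can also be scripted against app registrations. This is an added example, not part of the original page or AdminDroid's product: the function name, the 30-day window and the sample objects are constructed, and the read-only Application.Read.All scope in the closing comment is an assumption that does not appear on the page.

```powershell
# Added example: lists client secrets and certificates that are expired or
# expire within a window. Input objects are shaped like Get-MgApplication output.
function Get-ExpiringAppCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Application,
        [int]      $WithinDays = 30,                        # assumed window
        [datetime] $Now        = (Get-Date).ToUniversalTime()
    )
    process {
        foreach ($app in $Application) {
            # Tag each credential with its type so both kinds share one loop
            $creds = @(
                foreach ($s in $app.PasswordCredentials) { [pscustomobject]@{ Type = 'Client secret'; Cred = $s } }
                foreach ($c in $app.KeyCredentials)      { [pscustomobject]@{ Type = 'Certificate';   Cred = $c } }
            )
            foreach ($entry in $creds) {
                if (-not $entry.Cred.EndDateTime) { continue }   # no expiry recorded
                $daysLeft = [math]::Floor(($entry.Cred.EndDateTime - $Now).TotalDays)
                if ($daysLeft -le $WithinDays) {
                    [pscustomobject]@{
                        AppDisplayName = $app.DisplayName
                        AppId          = $app.AppId
                        CredentialType = $entry.Type
                        KeyId          = $entry.Cred.KeyId
                        EndDateTime    = $entry.Cred.EndDateTime
                        DaysLeft       = $daysLeft
                        State          = if ($daysLeft -lt 0) { 'Expired' } else { 'Expiring' }
                    }
                }
            }
        }
    }
}

# Constructed sample: one secret expiring soon, one expired certificate, one healthy secret
$utcNow = (Get-Date).ToUniversalTime()
$sample = @(
    [pscustomobject]@{ DisplayName = 'Sample Billing API'; AppId = 'aaaaaaaa-0000-0000-0000-000000000001'
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'secret-1'; EndDateTime = $utcNow.AddDays(10) })
        KeyCredentials      = @([pscustomobject]@{ KeyId = 'cert-1';   EndDateTime = $utcNow.AddDays(-5) }) }
    [pscustomobject]@{ DisplayName = 'Sample Intranet'; AppId = 'aaaaaaaa-0000-0000-0000-000000000002'
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'secret-2'; EndDateTime = $utcNow.AddDays(200) })
        KeyCredentials      = @() }
)
$sample | Get-ExpiringAppCredential -Now $utcNow | Sort-Object DaysLeft | Format-Table -AutoSize

# Live tenant (assumed read-only scope):
#   Connect-MgGraph -Scopes "Application.Read.All"
#   Get-MgApplication -All | Get-ExpiringAppCredential -WithinDays 30
```

The sample returns two rows for 'Sample Billing API' (an expired certificate and a secret with 10 days left) and nothing for 'Sample Intranet'.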

While the Entra portal provides insights into client secret expiration, tracking changes to credentials on service principals remains crucial!

  • AdminDroid's Credential Changes report provides a detailed audit of service principal credential operations, allowing you to track changes like added or removed credentials.
  • This report offers insights into event time, operation type, user ID, and target ID, helping you manage credential updates for smooth operations.

Pro tip: Utilize the Schedule option to receive the service principal changes report periodically to your mailbox.

How to disable user sign-ins to applications in Entra ID?

Disabling user sign-ins for applications in Entra ID is a crucial step for managing application access and ensuring security. This process allows administrators to control which applications users can access, either temporarily or permanently, based on organizational needs or security policies. By default, user sign-ins for applications are enabled.

Disable user sign-in for an Azure AD application

  • Navigate to Identity»Applications»Enterprise applications»All applications.
  • Select the application you want to disable user sign-ins for. Then, go to the Properties tab.
  • Disable the 'Enabled for users to sign-in?' toggle, then click Save.

Disable user sign-in for an Entra ID application using PowerShell

Run the PowerShell cmdlets below to disable user sign-in for an Azure AD application.

Connect-MgGraph -Scopes "Application.ReadWrite.All"
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '<App ID>'"
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id -AccountEnabled:$false

Replace <App ID> with the client ID of the target application.

View all service principals with disabled sign-ins

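Run the cmdlet below to list all the enterprise applications where user sign-in is disabled. The -All switch makes the cmdlet page through every result instead of returning only the first page.

Get-MgServicePrincipal -Filter "accountEnabled eq false" -All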

AdminDroid Microsoft 365 Usage Analytics

Effortlessly explore insights on Microsoft Entra Application Usage Activity!

AdminDroid’s Microsoft 365 Sign-in Analytics tool offers comprehensive reports on sign-in events, allowing you to monitor Azure application insights and log analytics throughout your organization. It efficiently displays sign-ins by apps and service principals, details on non-interactive user sign-ins, and information on users' last log-on time by application, each with a dedicated report.

A Quick Summary

Receive Real-Time Alerts for Azure App Sign-In Failures

To mitigate security risks, set up alerts and establish thresholds for failed sign-ins in Azure AD applications. This way, you will be notified when the number of failed sign-in attempts surpasses a specified limit.

Audit All Entra ID App Operations

Frequently audit Azure AD app operations to identify new configurations and permissions that might inadvertently expose sensitive data or allow unauthorized access.

Analyze Azure Apps' Non-Interactive Sign-Ins

Track non-interactive sign-ins performed by client apps to identify and address potential unauthorized access attempts using certificates or client secrets.

Regular Updates on Azure AD App Sign-In Logs

Schedule the 'Organization Sign-in Count based on Application' report on a monthly or weekly basis to ensure the reports are delivered to the respective admins consistently.

Track User Sign-In Summary by Application

Use the User Sign-In Summary by Application report to get a comprehensive view of successful and failed user sign-ins for all applications in your organization.

Explore CA Policies Applied to Entra ID Apps

Regularly review conditional access policies on Entra ID apps to ensure that only users who fulfill the security to applications.

In summary, AdminDroid's Azure AD management tool goes beyond basic application audit logs by categorizing third-party applications and offering unparalleled visibility. This empowers admins to stay informed about application activities and manage their organization’s resources more effectively.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps While Tracking Azure AD Application Usage Report

The following are possible errors and troubleshooting hints for analyzing Azure AD application activity reports.

Error: Get-MgBetaReportAzureAdApplicationSignInSummary : One or more errors occurred.

This error occurs when you try to run the beta cmdlet without installing the Microsoft Graph Beta module.

Troubleshooting hint: You can use the cmdlet below to install the Microsoft Graph Beta module and then connect to it.

Install-Module Microsoft.Graph.Beta

Error: Get-MgBetaReportAzureAdApplicationSignInSummary : Calling principal does not have required MSGraph permissions Reports.Read.All.

This error occurs in PowerShell when you execute the ‘Get-MgBetaReportAzureAdApplicationSignInSummary’ cmdlet without having the necessary permission.

Troubleshooting hint: Connect to MS Graph PowerShell with the "Reports.Read.All" permission and try executing the cmdlet.

Connect-MgGraph -Scopes "Reports.Read.All"

Error: Error AADSTS7000112 - Application is disabled.

This error occurs when you try to sign in to an Azure AD application whose service principal object is disabled.

Troubleshooting hint: Go to the Entra admin center and enable the service principal object for the respective application.

Error: Get-MgBetaReportAzureAdApplicationSignInSummary : Parameter 90 is not a valid period parameter.Valid parameter are D7, D30.

This error occurs when the value for the period parameter is not specified correctly.

Troubleshooting hint: Use the supported values, such as D7 or D30, as shown below.

Get-MgBetaReportAzureAdApplicationSignInSummary -Period D7