Azure AD

How to Export Azure AD Application Usage Report in Microsoft 365

Are you looking for insights on how users are accessing and using Azure AD apps within Microsoft 365? Understanding Azure AD application activity is crucial for optimizing both performance and security. The Microsoft Entra ID application activity report allows admins to track user engagement with Azure AD apps, detect unusual behavior, and ensure compliance. This guide will walk you through obtaining and interpreting this report, helping you strengthen security within Microsoft 365.

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required

Reports Reader Least Privilege

Global Admin Most Privilege

Sign in to the Microsoft Entra admin center.
Navigate to Azure AD Application Activity (Preview) under Identity»Monitoring & health»Usage & insights.
Use the Date range drop-down to filter the Azure AD app sign-in summary for the past 7 days or 30 days.

This report provides insights into the number of successful and failed sign-ins, as well as the overall success rate for logins to Azure AD applications.
Note: Utilize the Download option available in the report to export it as a CSV file.

Using Windows PowerShell

Microsoft 365 Permission Required

Reports Reader Least Privilege

Global Admin Most Privilege

Connect to the Microsoft Graph PowerShell module using the cmdlet below.

Windows PowerShell

 Connect-MgGraph -Scopes "Reports.Read.All"

Next, run the following cmdlet, replacing <Report Period> with values like 'D7' or 'D30' to retrieve the Azure AD application sign-in summary for the last 7 or 30 days.

Windows PowerShell

 Get-MgBetaReportAzureAdApplicationSignInSummary -Period <Report Period>

The output displays a summary of Azure AD application sign-ins, including counts of successful sign-ins, failed sign-ins, and sign-in interruptions for the specified period.

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Open the AdminDroid Office 365 reporter.
Navigate to the Organization Sign-In Count based on Application report under Analytics»Sign-in Analytics»Organization Sign-in Summary.

AdminDroid Microsoft 365 Usage Analytics

Effortlessly explore insights on Microsoft Entra Application Usage Activity!

AdminDroid’s Microsoft 365 Sign-in Analytics tool offers comprehensive reports on sign-in events, allowing you to monitor Azure application insights and log analytics throughout your organization. It efficiently displays sign-ins by apps and service principals, details on non-interactive user sign-ins, and information on users' last log-on time by application, each with a dedicated report.

Receive Real-Time Alerts for Azure App Sign-In Failures

To mitigate security risks, set up alerts and establish thresholds for failed sign-ins in Azure AD applications. This way, you will be notified when the number of failed sign-in attempts surpasses a specified limit.

Audit All Entra ID App Operations

Frequently audit Azure AD app operations to identify new configurations and permissions that might inadvertently expose sensitive data or allow unauthorized access.

Analyze Azure Apps' Non-Interactive Sign-Ins

Track non-interactive sign-ins performed by client apps to identify and address potential unauthorized access attempts using certificates or client secrets.

Regular Updates on Azure AD App Sign-In Logs

Schedule the 'Organization Sign-in Count based on Application' report on a monthly or weekly basis to ensure the reports are delivered to the respective admins consistently.

Track User Sign-In Summary by Application

Use the User Sign-In Summary by Application report to get a comprehensive view of successful and failed user sign-ins for all applications in your organization.

Explore CA Policies Applied to Entra ID Apps

Regularly review conditional access policies on Entra ID apps to ensure that only users who fulfill the security to applications.

In summary, AdminDroid's Azure AD management tool goes beyond basic application audit logs by categorizing third-party applications and offering unparalleled visibility. This empowers admins to stay informed about application activities and manage their organization’s resources more effectively.

Explore a full range of reporting options

Download Live Demo

Important Tips

Enforce strong authentication on app sign-ins by applying Conditional Access policies to applications within Entra ID, thereby enhancing your security posture.

Migrate apps from AD FS to Microsoft Entra ID to enhance security and reduce the risk of malicious actions, as AD FS lacks modern authentication.

By managing user consent to applications, you can gain greater control over how they access and interact with your organization's data.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints for analyzing Azure AD application activity reports.

Error Get-MgBetaReportAzureAdApplicationSignInSummary : One or more errors occurred.

This error occurs when you try to run the beta cmdlet without installing Microsoft Graph Beta module.

Fix You can use the below cmdlets to install the Microsoft Graph Beta module and then connect to it.

Install-Module Microsoft.Graph.Beta

Error Get-MgBetaReportAzureAdApplicationSignInSummary : Calling principal does not have required MSGraph permissions Reports.Read.All.

This error occurs in PowerShell when you execute the ‘Get-MgBetaReportAzureAdApplicationSignInSummary’ cmdlet without having the necessary permission.

Fix Connect to the MS Graph PowerShell with the “Reports.Read.All” permission and try executing the cmdlet.

Connect-MgGraph -Scopes "Reports.Read.All"

Error Error AADSTS7000112 - Application is disabled.

This error occurs when you try to sign in to an Azure AD application whose service principal object is disabled.

Fix Go to the Entra admin center and enable the service principal object for the respective application.

Error Get-MgBetaReportAzureAdApplicationSignInSummary : Parameter 90 is not a valid period parameter.Valid parameter are D7, D30.

This error occurs when the value for the period parameter is not specified correctly.

Fix Use the supported values, such as D7 or D30, as shown below.

Get-MgBetaReportAzureAdApplicationSignInSummary –Period D7

Azure AD

Frequently Asked Questions

Unlock In-Depth Insights and Reports on Azure AD Application Usage in Microsoft 365

How to audit service principal sign-in activity in Azure AD?

How to find applications with too many failed sign-ins in Azure AD?

How to get Entra ID app registrations with expiring secrets and certificates?

How to disable user sign-ins to applications in Entra ID?

1. How to audit service principal sign-in activity in Azure AD?

Service principal sign-ins refer to the authentication and activity logs associated with the identities used by Entra ID applications to access resources within Microsoft 365 services. When a service principal signs in, it performs actions such as accessing APIs, managing resources, or performing tasks on behalf of an application.

Monitoring these sign-ins helps track records of both successful and failed attempts, providing insight into whether the service principal is being used correctly or if potential security issues exist.

Monitor service principal sign-in logs using the Microsoft Entra admin center

Navigate to Service principal sign-ins under Identity »Monitoring & health»Sign-in logs.
The service principal sign-in logs provide information such as sign-in status, service principal name, resource ID, sign-in date and time, IP address, conditional access, and more.

Note: To obtain a comprehensive summary of each application's service principal sign-in, navigate to the Service principal sign-in activity report under Identity»Monitoring & health»Usage and insights.

Track service principal sign-ins with AdminDroid for more detailed analytics.

AdminDroid’s sign-in by apps and service principals report offers granular insights, including detailed sign-in time, application names, geographical data, and more.
The built-in heatmap chart helps you quickly spot peak activity and low sign-in days, making it easier to detect unusual service principal usage patterns.

2. How to find applications with too many failed sign-ins in Azure AD?

Monitoring sign-in failures is essential for smooth operation within Microsoft 365. By identifying and understanding the top sign-in errors for Azure AD apps, admins can proactively troubleshoot issues such as application logins failing to meet conditional access policies, application-related issues, and more. This helps ensure the security and reliability of their organization's digital resources.

Track top Azure AD app sign-in failures using the Microsoft Entra admin center

Navigate to Sign-in logs under Identity »Applications»Enterprise applications»Activity.
Adjust the Date filter as needed. In the Add filters option, choose the Status field, and choose Failure from the Status drop-down.
Click on the Application column header to sort the report by app.

Note: You can also set the filter to Success or Interrupted from the Status drop-down to analyze those sign-ins for Azure AD applications.

The graphical chart in AdminDroid’s ‘Organization Sign-In Count by Application’ report allows you to easily visualize the top apps by failed sign-ins with just a few clicks.

admindroid-organization-failed-sign-In count-graph

3. How to get Entra ID app registrations with expiring secrets and certificates?

The application credential activity report offers a centralized view of your application credentials, detailing the last activity date, credential type (certificate or client secret), and expiration dates. Monitoring credential expiration dates is essential to ensure that the credentials of registered applications and service principals are up to date.

Monitor application credential activity using the Microsoft Entra portal

Navigate to the Application credential activity (Preview) report under the Usage & insights tab.
Utilize the 'View more details' link available in the respective record to access information such as the application object, service principal, resource IDs, credential origin, and more.

app-credential-activity-entra-admin-center

While the Entra portal provides insights into client secret expiration, tracking changes to credentials on service principals remains crucial!

AdminDroid's Credential Changes report provides a detailed audit of service principal credential operations, allowing you to track changes like added or removed credentials.
This report offers insights into event time, operation type, user ID, and target ID, helping you manage credential updates for smooth operations.

Pro tip: Utilize the Schedule option to receive the service principal changes report periodically to your mailbox.

4. How to disable user sign-ins to applications in Entra ID?

Disabling user sign-ins for applications in Entra ID is a crucial step for managing application access and ensuring security. This process allows administrators to control which applications users can access, either temporarily or permanently, based on organizational needs or security policies. By default, user sign-ins for applications are enabled.

Disable user sign-in for an Azure AD application

Navigate to the Identity »Applications»Enterprise applications»All applications.
Select the application you want to disable user sign-ins for. Then, go to the Properties tab.
Disable the 'Enabled for users to sign-in?' toggle, then click Save.

Disable user sign-in for an Entra ID application using PowerShell

Run the below PowerShell cmdlet to disable user sign-in for an Azure AD application.

Connect-MgGraph -Scopes "Application.ReadWrite.All"
$servicePrincipal = Get-MgServicePrincipal -Filter "appId eq '<App ID>'"
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id -AccountEnabled:$false

Replace the <App ID> with the client ID of the target application.

View all service principals with disabled sign-ins

Run the below cmdlet, to list all the enterprise applications where user sign-in is disabled.

Get-MgServicePrincipal -Filter "accountEnabled eq false"