
How to Monitor Managed Identity Sign-ins in Microsoft Entra ID

Managed identities in Microsoft Entra ID enable secure, passwordless authentication for applications and services accessing Azure resources. Monitoring their sign-ins is essential to ensure the proper and secure usage of these identities across your Microsoft 365 environment. This guide shows you how to track managed identity sign-in logs to enhance visibility and troubleshoot access issues.

Get Managed Identity Sign-in Activities Using Microsoft Entra Admin Center

Microsoft 365 Permission Required:
  Security Reader (least privilege)
  Global Admin (most privilege)
  • Sign in to the Microsoft Entra admin center.
  • Navigate to the Managed identity sign-ins tab under Entra ID » Monitoring & Health » Sign-in logs.
  • Here, you can get comprehensive sign-in reports for managed identities, grouped by application. Select a row to see all activities performed by the identity at a specific date and time.
  • By default, sign-in activities from the last 24 hours are shown, including details about the managed identity, the accessed resources and federated identity credentials.
  • Note: The Entra ID sign-in log retains managed identity sign-in records for a maximum of 30 days. Use the Date range filter to adjust the time period and retrieve records within the retention window.

Retrieve Managed Identity Sign-in Logs Using PowerShell

Microsoft Graph Permission Required:
  AuditLog.Read.All (least privilege)
  Directory.ReadWrite.All (most privilege)
  • Connect to Microsoft Graph PowerShell using the cmdlet below.

     Connect-MgGraph -Scopes "AuditLog.Read.All"

  • Use the following cmdlet to retrieve the managed identity sign-in logs from Microsoft Entra ID.

     # -All pages through every matching record; without it only the first page of results is returned
     Get-MgBetaAuditLogSignIn -All -Filter "SignInEventTypes/any(t: t eq 'ManagedIdentity')" | ForEach-Object {
         # Flatten the sign-in object to the fields relevant for managed identities
         [PSCustomObject]@{
             'Sign-in Time'           = $_.createdDateTime
             'Managed Identity ID'    = $_.servicePrincipalId
             'Managed Identity Name'  = $_.servicePrincipalName
             'Managed Identity Type'  = $_.managedServiceIdentity.msiType
             'Resource ID'            = $_.resourceId
             'Resource Name'          = $_.resourceDisplayName
             'Federated Token ID'     = $_.managedServiceIdentity.federatedTokenId
             'Federated Token Issuer' = $_.managedServiceIdentity.federatedTokenIssuer
             'Associated Resource ID' = $_.managedServiceIdentity.associatedResourceId
         }
     } | Format-Table -AutoSize

  • Running the above cmdlet extracts details such as sign-in time, managed identity ID, name, type, resource ID, resource name, and federated identity credentials for each sign-in.
  • Note: Before running the above cmdlet, make sure the Microsoft.Graph.Beta module is installed. If not, install it with "Install-Module Microsoft.Graph.Beta" and import it with "Import-Module Microsoft.Graph.Beta".
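Once the sign-in records are exported (for example by piping the cmdlet above into ConvertTo-Json), the monitoring question becomes "which of these sign-ins deviate from what this identity normally does?". The script below is an added example, not code from the original article or from AdminDroid: it triages records shaped like Microsoft Graph signIn objects (the same camelCase fields the PowerShell pipeline selects) against an assumed baseline of expected identity-to-resource pairs and an assumed allow-list of federated token issuers, flagging failed sign-ins, access to resources outside the baseline, and tokens from unapproved issuers. The records, identifiers, baseline and allow-list are all constructed for the demo.

```python
"""Triage managed identity sign-in records against an expected-access baseline.

Added example (not from the original article or from AdminDroid). The records
are constructed to resemble Microsoft Graph signIn JSON with the fields the
article's Get-MgBetaAuditLogSignIn pipeline selects; the baseline and the
issuer allow-list are assumptions for this demo, not values from the page.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample records (made-up identifiers). errorCode 0 is how Graph
# reports a successful sign-in; the non-zero code below is constructed too.
SAMPLE_SIGNINS_JSON = json.dumps([
    {"createdDateTime": "2024-05-01T08:00:12Z", "servicePrincipalId": "00000000-0000-0000-0000-0000000000a1",
     "servicePrincipalName": "vm-web-01", "resourceDisplayName": "Azure Key Vault",
     "managedServiceIdentity": {"msiType": "systemAssigned", "federatedTokenIssuer": None},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:05:44Z", "servicePrincipalId": "00000000-0000-0000-0000-0000000000a1",
     "servicePrincipalName": "vm-web-01", "resourceDisplayName": "Microsoft Graph",
     "managedServiceIdentity": {"msiType": "systemAssigned", "federatedTokenIssuer": None},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:07:01Z", "servicePrincipalId": "00000000-0000-0000-0000-0000000000b2",
     "servicePrincipalName": "id-pipeline-deploy", "resourceDisplayName": "Windows Azure Service Management API",
     "managedServiceIdentity": {"msiType": "userAssigned",
                                "federatedTokenIssuer": "https://token.actions.githubusercontent.com"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:09:30Z", "servicePrincipalId": "00000000-0000-0000-0000-0000000000b2",
     "servicePrincipalName": "id-pipeline-deploy", "resourceDisplayName": "Windows Azure Service Management API",
     "managedServiceIdentity": {"msiType": "userAssigned",
                                "federatedTokenIssuer": "https://unknown-issuer.example/oidc"},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:11:15Z", "servicePrincipalId": "00000000-0000-0000-0000-0000000000a1",
     "servicePrincipalName": "vm-web-01", "resourceDisplayName": "Azure Key Vault",
     "managedServiceIdentity": {"msiType": "systemAssigned", "federatedTokenIssuer": None},
     "status": {"errorCode": 500011}},
])

# Assumed baseline: the resources each identity is expected to call.
EXPECTED_RESOURCES = {
    "vm-web-01": {"Azure Key Vault"},
    "id-pipeline-deploy": {"Windows Azure Service Management API"},
}
# Assumed allow-list of external issuers for federated identity credentials.
ALLOWED_FEDERATED_ISSUERS = {"https://token.actions.githubusercontent.com"}


@dataclass
class Finding:
    when: str
    identity: str
    reason: str


def triage_signins(records_json: str,
                   expected=EXPECTED_RESOURCES,
                   allowed_issuers=ALLOWED_FEDERATED_ISSUERS) -> list[Finding]:
    """Return one Finding per deviation from the baseline, in record order."""
    findings: list[Finding] = []
    for r in json.loads(records_json):
        name = r.get("servicePrincipalName") or r.get("servicePrincipalId")
        when = r["createdDateTime"]
        msi = r.get("managedServiceIdentity") or {}
        # 1. Failed sign-ins (anything other than errorCode 0).
        code = (r.get("status") or {}).get("errorCode", 0)
        if code != 0:
            findings.append(Finding(when, name, f"sign-in failed with errorCode {code}"))
        # 2. Identity reached a resource outside its known set, or is unknown entirely.
        resource = r.get("resourceDisplayName")
        known = expected.get(name)
        if known is None:
            findings.append(Finding(when, name, "identity not in baseline"))
        elif resource not in known:
            findings.append(Finding(when, name, f"unexpected resource: {resource}"))
        # 3. Federated identity credential token from an issuer that was never approved.
        issuer = msi.get("federatedTokenIssuer")
        if issuer and issuer not in allowed_issuers:
            findings.append(Finding(when, name, f"unapproved federated issuer: {issuer}"))
    return findings


def summarize_by_identity(records_json: str) -> dict[str, int]:
    """Count sign-ins per identity, mirroring the admin center's grouping by application."""
    counts: dict[str, int] = {}
    for r in json.loads(records_json):
        name = r.get("servicePrincipalName") or r.get("servicePrincipalId")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS_JSON):
        print(f"{f.when}  {f.identity:<20} {f.reason}")
    print(summarize_by_identity(SAMPLE_SIGNINS_JSON))
```

The baseline is deliberately a plain dictionary so it can be generated from a quiet observation window (the 30-day retention mentioned above is long enough for that) and then reviewed by the resource owners; anything the script flags is a candidate for the role-assignment review described in the tips that follow.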

Gain Deeper Visibility into Azure Resource Access with Managed Identity Insights!

AdminDroid’s Microsoft 365 Entra ID reporting offers clear visibility into managed identity sign-ins through extensive reports and comprehensive dashboards. Explore some of its capabilities to gain actionable insights into managed identity sign-in activities.

Review Managed Identity Service Principals for Enhanced Security

View all service principals of managed identities to identify and remove unused ones, reducing clutter and improving resource management efficiency.

Analyze Entra Role Assignments for Managed Identities

Use the target application filter in the app role assignments report to get a clear overview of roles assigned to the managed identity and verify secure access to Azure services.

Inspect Service Principals for Managed Identities Activity

Review service principals and their assigned objects to identify those linked to managed identities and verify that their access is appropriate.

Detect Suspicious Access with Anomalous Token Insights

Utilize the anomalous token detection report to spot tokens with an unusual lifetime or that are used from unfamiliar locations to detect suspicious sign-ins.

Find Illicit Consent Grant Attacks Through Entra Apps

Regularly monitor consents granted to applications and revoke unnecessary or suspicious permissions from malicious / unknown applications to prevent unauthorized access attempts.

Check Threat Analysis Reports for Complete Risk Visibility

Leverage the threat analysis portal to identify failed and risky sign-in events, and configure alerts to enhance the security of your M365 environment.

Overall, AdminDroid’s Entra ID management tool delivers comprehensive visibility into managed identities, their sign-in events, and activities. Besides this, the tool delivers actionable insights to securely manage all objects within your Entra ID.

Explore a full range of reporting options

Important Tips

Delete a user-assigned managed identity after deleting its associated resources, as it's not deleted automatically and can pose a security risk if left unchecked.

Keep the managed identity available for future use by removing its role assignments instead of deleting it outright.

Configure diagnostic settings in Azure Monitor to stream managed identity sign-in logs to Log Analytics, Storage, or Event Hub for real-time monitoring, auditing, and alerts.

Common Errors and Resolution Steps

Encountering issues with managed identity sign-in? Here's a list of common errors and how to troubleshoot them.

Error: Get-MgBetaAuditLogSignIn : Calling principal does not have required MSGraph permissions AuditLog.Read.All

This error occurs when executing the 'Get-MgBetaAuditLogSignIn' cmdlet without having the necessary scope permissions for accessing sign-in logs.

Fix: To resolve this, you must be assigned the proper scope permissions, at least AuditLog.Read.All, to read the sign-in logs.

Error: Get-MgBetaAuditLogSignIn : User is not in the allowed roles

This error occurs when you don’t have the required role to access sign-in logs in Microsoft Entra ID.

Fix: Contact the consent authority of your organization to assign an appropriate role, at least the Security Reader role, to read the sign-in logs through PowerShell.

Error: Unable to acquire for tenant organizations with error ManagedIdentityCredential authentication failed. Managed System Identity not found! Status 400 (Bad Request)

This error occurs when a system-assigned managed identity attempts to sign in without having the required permissions assigned.

Fix: Ensure that the system-assigned managed identity has the proper permissions and roles assigned to access the required resources.

Error: Invalid URI: The hostname could not be parsed

This error occurs when the resource parameter is not specified in the JWT token request to the IMDS endpoint (169.254.169.254).

Fix: Specify the desired resource (e.g., https://graph.microsoft.com) in the JWT token request to receive the access token.

Error: Connect-azaccount : ManagedidentityCredential authentication failed: Failed to get MSI token for account <ClientID> and resource https://management.core.windows.net/. Status: 500 (Internal Server Error).

This error occurs when attempting to authenticate an Azure service using an unavailable system-assigned managed identity. It can also happen if a user-assigned managed identity is used instead of a system-assigned one.

Fix: Enable the required system-assigned managed identity if it’s available. If not, enable a system-assigned managed identity for the Automation account to grant access to Azure resources.

Frequently Asked Questions

Manage and Secure Access to Azure Resources Using Managed Identities!

1. What are managed identity sign-in logs?

Managed identity sign-ins are events where an Azure service uses its built-in identity to access other Azure resources. To understand this better, let’s first clarify what a managed identity is.

Managed identity for Azure resources in Microsoft Entra ID

A managed identity is a Microsoft Entra-based identity assigned to an Azure resource or supported app. It allows the resource to securely access Microsoft Entra-protected Azure services such as Azure Key Vault, storage accounts and more without you having to manage any secrets.

Managed identity authentication without manual credentials

Managed identity securely accesses Azure resources without credentials by obtaining tokens from Entra ID. Here’s the workflow behind the scenes.

  • When a managed identity is enabled in Azure Resource Manager (ARM), a service principal is automatically created in Microsoft Entra ID.

  • This identity is linked to the Azure resource via the Instance Metadata Service (IMDS), which provides the service principal’s client ID and certificate.

  • Additionally, Role-Based Access Control (RBAC) grants the necessary permissions that enable the managed identity access to other Azure resources.

  • The application sends a token request to IMDS and Microsoft Entra ID issues a JSON Web Token (JWT) in response.

  • Finally, the application uses this token to securely access Azure services, without the need to store any credentials.

Example Scenario: An Azure virtual machine with a managed identity needs to access secrets stored in Azure Key Vault. Instead of using passwords, the VM requests a token from Microsoft Entra ID via IMDS. Using this token, it securely reads the secrets without storing any credentials.
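The token request in step 4 of the workflow above, and the "Invalid URI: The hostname could not be parsed" error in the troubleshooting section, both come down to the shape of the request an application sends to IMDS. The following is an added example, not code from the original article or from AdminDroid: it builds that request (the documented IMDS identity endpoint, api-version, Metadata header and resource parameter), refuses to build one without a resource, and decodes the payload of the returned JWT so the claims can be correlated with the sign-in log fields (aud with Resource Name, oid with Managed Identity ID). The token it decodes is constructed and unsigned so the script runs offline; the tenant and object IDs in it are made up, and decoding here is inspection only, not signature verification, which the target resource performs against Entra ID's keys.

```python
"""Build a managed identity token request to IMDS and inspect the returned JWT.

Added example, not code from the original article. The endpoint, api-version,
Metadata header and query parameters are the documented Azure Instance Metadata
Service identity API; the sample token is constructed (unsigned) so this runs
offline, and every claim value in it is made up.
"""
from __future__ import annotations

import base64
import json
from urllib.parse import urlencode

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_request(resource: str, client_id: str | None = None) -> tuple[str, dict]:
    """Return (url, headers) for an IMDS token request.

    `resource` is the audience the token is for (e.g. https://graph.microsoft.com).
    Leaving it out is what produces the "Invalid URI: The hostname could not be
    parsed" error quoted in the article, so it is mandatory here.
    `client_id` selects a user-assigned identity; None means system-assigned.
    """
    if not resource:
        raise ValueError("resource is required: IMDS cannot issue a token without an audience")
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # The Metadata header is required by IMDS as a mitigation against SSRF.
    headers = {"Metadata": "true"}
    return f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}", headers


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload for inspection only.

    No signature verification happens here; the resource being called verifies
    the token against Entra ID's signing keys. This is for correlating a token
    with sign-in log fields (aud <-> Resource Name, oid <-> Managed Identity ID).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token() -> str:
    """Constructed, unsigned JWT shaped like a managed identity access token (demo only)."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-00000000feed/",  # made-up tenant
        "oid": "00000000-0000-0000-0000-0000000000a1",  # made-up service principal object ID
        "idtyp": "app",
        "exp": 1714557600,
    }
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])  # empty signature segment: this token is unsigned


if __name__ == "__main__":
    url, headers = build_imds_token_request("https://graph.microsoft.com")
    print("GET", url, headers)
    print(decode_jwt_claims(make_sample_token()))
```

On a real VM the GET would be sent to the printed URL with the printed headers and the JSON response's access_token field passed to decode_jwt_claims; the oid claim is the value that shows up as Managed Identity ID in the sign-in log, which is how a token found in an application's logs is tied back to a specific sign-in record.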

2. What are the different types of managed identities in Microsoft Entra ID?

Microsoft Entra ID provides two types of managed identities to manage sign-ins for Azure resources. These are described below:

  • System-assigned managed identity - Tied directly to an Azure service instance (like a VM or function app).
  • User-assigned managed identity - Created as a stand-alone Azure resource and can be assigned to multiple services.

System-assigned vs User-assigned managed identity

Understanding the differences between system-assigned and user-assigned managed identities helps you decide when to use each type for secure, manageable, and efficient access to resources.


3. Why is managed identity considered more secure to access Azure resources?

Managed identities benefit us by allowing access to Azure services without involving manual credential management. Here’s how they enhance security during access:

  • Automatic renewal of JWT tokens: The JSON Web Tokens (JWT) are short-lived and are renewed automatically once an hour in Microsoft Entra ID. This reduces the risk of token misuse or replay attacks and eliminates the need to store long-lived credentials.
  • Role-Based Access Control: A managed identity is granted only least-privilege roles through Azure RBAC to restrict permissions. This ensures the identity has access only to the resources it is explicitly assigned to.
  • Dedicated identity assignment: For system-assigned managed identities, the identity is bound to a single Azure resource (e.g., a virtual machine). This ensures that only that specific resource can use the identity, and the identity is automatically deleted when the resource is removed.
  • Microsoft Entra ID integration: Authentication of managed identities is handled through Microsoft Entra ID. This enables centralized analysis of managed identity sign-ins and auditing across all Azure services.

4. What are the limitations of managed identities for authorization in Microsoft Entra ID?

While managed identities provide several benefits, they also come with a few limitations such as:

  • Lack of support for Azure Cloud Service (classic): As the Azure Cloud Services (classic) do not support managed identities, you'll need to switch to newer Azure Resource Manager (ARM) based services.
  • Regional dependency of user-assigned identity: Control plane operations such as creating, deleting, or updating a user-assigned managed identity are region specific and can be performed only in the region where it was created.
  • Weak security boundary: Any code on the resource, including malicious code, can access tokens and interact with Azure services because the security boundary is limited to that resource.
  • Loss of managed identity on directory switch: When moving an identity across directories, a system-assigned identity must be disabled and re-enabled, whereas a user-assigned identity must be deleted, recreated and linked to the resource again. Cross-tenant or cross-directory use of a managed identity is also not supported.
  • Rate limits dependency: The rate limits for managed identities include Azure service limits - 10000 management groups and resource naming; IMDS limits - 5 requests per second (rps) to IMDS, 20 rps and 5 concurrent requests to managed identities; Microsoft Entra service limits - supports only up to 200 tenants, 5000 domains, 5000 resources, 100 roles and more.
  • Restriction on moving across resource groups: User-assigned managed identities cannot be moved between resource groups and must be recreated if needed in another group.
  • Permission update delays: Role or permission changes of a managed identity may take up to 24 hours to reflect due to cache per resource URI.
  • Soft deletion period of identity: A soft-deleted managed identity can only be viewed for 30 days, after which it is permanently deleted. During this retention period, it cannot be restored or deleted permanently.
  • Token rejection after identity deletion: The associated resource of a deleted managed identity can't request new tokens. However, existing tokens remain valid until they expire, and some services may continue to accept requests using those tokens until then.
