Entra ID Logging
Last updated
Last updated
The following logs can be routed to an endpoint for storage, analysis, or monitoring.
The AuditLogs report capture changes to applications, groups, users, and licenses in your Microsoft Entra tenant. Once you routed your audit logs, you can filter or analyze by date/time, the service that logged the event, and who made the change. For more information, see .
The SignInLogs send the interactive sign-in logs, which are logs generated by your users signing in. Sign-in logs are generated when users provide their username and password on a Microsoft Entra sign-in screen or when they pass an MFA challenge. For more information, see
The AADNonInteractiveUserSIgnInLogs are sign-ins done on behalf of a user, such as by a client app. The device or client uses a token or code to authenticate or access a resource on behalf of a user. For more information, see .
If you need to review sign-in activity for apps or service principals, the ServicePrincipalSignInLogs might be a good option. In these scenarios, certificates or client secrets are used for authentication. For more information, see .
The AADManagedIdentitySignInLogs provide similar insights as the service principal sign-in logs, but for managed identities, where Azure manages the secrets. For more information, see .
In order to configure these logs you will need to enable them via the Diagnostics settings in the Default Directory "Entra ID".
If your organization provisions users through a non-Microsoft application such as Workday or ServiceNow, you might want to export the ProvisioningLogs reports. For more information, see .
Sign-in activity for Active Directory Federated Services (AD FS) applications are captured in this Usage and insight reports. You can export the ADFSSignInLogs report to monitor sign-in activity for AD FS applications. For more information, see .
The RiskyUsers logs identify users who are at risk based on their sign-in activity. This report is part of Microsoft Entra ID Protection and uses sign-in data from Microsoft Entra ID. For more information, see .
The UserRiskEvents logs are part of Microsoft Entra ID Protection. These logs capture details about risky sign-in events. For more information, see .
The NetworkAccessTrafficLogs are associated with Microsoft Entra Internet Access and Microsoft Entra Private Access. The logs are visible in Microsoft Entra ID, but selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources. For more information, see .
The RiskyServicePrincipals logs provide information about service principals that Microsoft Entra ID Protection detected as risky. Service principal risk represents the probability that an identity or account is compromised. These risks are calculated asynchronously using data and patterns from Microsoft's internal and external threat intelligence sources. These sources might include security researchers, law enforcement professionals, and security teams at Microsoft. For more information, see .
The ServicePrincipalRiskEvents provide details around the risky sign-in events for service principals. These logs might include any identified suspicious events related to the service principal accounts. For more information, see .
The EnrichedOffice365AuditLogs are associated with the enriched logs you can enable for Microsoft Entra Internet Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet to secure access to your Microsoft 365 traffic and you enabled the enriched logs. For more information, see .
The MicrosoftGraphActivityLogs provide administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace with SignInLogs to cross-reference details of token requests for sign-in logs. For more information, see .
The RemoteNetworkHealthLogs provide insights into the health of your remote network configured through Global Secure Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources. For more information, see .
The CustomSecurityAttributeAuditLogs are configured in the Custom security attributes section of diagnostic settings. These logs capture changes to custom security attributes in your Microsoft Entra tenant. To view these logs in the Microsoft Entra audit logs, you need the role. To route these logs to an endpoint, you need the role and the .