Entra ID (formerly Azure AD) user sign-in logs provide information on user activity (successful and failed logins), the applications used, locations, operating systems, and browsers. Auditing of user sign-ins through Azure apps and services is enabled by default and is available in all Azure subscriptions. Administrators can view sign-in logs in the Azure Portal web UI or with PowerShell.
You can explore users’ sign-in activity and export the logs via the Azure Portal:
- Log on to https://portal.azure.com and navigate to the Microsoft Entra ID blade;
- Go to Monitoring > Sign-in Logs;
- There are four types of sign-in logs available:
  - Interactive user sign-ins (performed by a user)
  - Non-interactive user sign-ins (sign-ins on behalf of a user)
  - Service principal sign-ins (sign-ins by apps or service principals)
  - Managed identity sign-ins (sign-ins by resources that have their secrets managed by Azure)
Azure stores sign-in logs for the last 30 days. By default, the Sign-in Logs panel displays logs for the last 24 hours.
You can filter the logs according to various criteria (user, application, operating system, IP address, location, browser, etc.).
For example, suppose you need to find all users who logged in from Oslo, Norway.
- Click Add filters and select Location;
- Click Location in the table header and type the name of the country, city or state;
- Only user sign-ins from the specified location will remain in the table. You can export logs to a CSV or JSON file.
You can use filters to find out the user’s last login date. Select Filter by > Username, and type the name. All of the user’s logins to Microsoft 365 services appear in the list. The date the user last logged into Azure is the top event in the list.
Sign-in logs are also available in each Azure user’s properties.
You can use the Get-AzureADAuditSignInLogs cmdlet to search the Azure sign-in logs. It is currently only available in the AzureADPreview module.
An Azure Active Directory Premium 1 (P1) license is required to access sign-in reports from PowerShell.
Install this module with the command:
Install-Module -Name AzureADPreview
Check that the module is installed:
Import-Module AzureADPreview
Get-Module AzureADPreview
Now you can connect to Azure:
Connect-AzureAD
Let’s look at several examples of getting Azure sign-in logs with PowerShell:
Get logs for the user (UserPrincipalName) for the last 24 hours:
$datefilter = (Get-Date).AddDays(-1).ToString("yyyy-MM-dd")
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'kirill@theitbros.com' and createdDateTime ge $datefilter"
To select only certain event properties and export the result to CSV, append the following pipeline to the previous command:
| Select-Object CreatedDateTime, Id, UserDisplayName, AppDisplayName, Status, Location | Export-Csv -Path C:\PS\AzureADSigninReport.CSV -NoTypeInformation -Encoding UTF8
Filter logs by application name:
Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'Microsoft Teams Web Client'"
Get the last successful sign-in event for a user account:
Get-AzureADAuditSignInLogs -Top 1 -Filter ("UserPrincipalName eq 'kirill@theitbros.com' and status/errorCode eq 0") | Format-Table CreatedDateTime, UserDisplayName
List last sign-ins from a specific location:
Get-AzureADAuditSignInLogs -Filter "location/city eq 'Oslo' and location/countryOrRegion eq 'NO'"
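The following added example (not from the original article) builds on the status/errorCode and location filters above: it groups sign-in records per user and reports successful and failed counts, the number of distinct IPs behind the failures, the countries seen, and the last successful sign-in. The helper name Get-SignInSummary and the sample records are assumptions constructed for illustration.

```powershell
# Added example. Get-SignInSummary is a hypothetical helper name, not an AzureADPreview cmdlet.
# It expects objects shaped like Get-AzureADAuditSignInLogs output:
# UserPrincipalName, CreatedDateTime, IpAddress, Status.ErrorCode, Location.CountryOrRegion.
function Get-SignInSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$SignIn
    )
    begin   { $records = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($s in $SignIn) { $records.Add($s) } }
    end {
        $records | Group-Object -Property UserPrincipalName | ForEach-Object {
            # status/errorCode 0 means success, as in the "last successful sign-in" filter
            $ok     = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 })
            $failed = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 })
            [pscustomobject]@{
                UserPrincipalName = $_.Name
                Successful        = $ok.Count
                Failed            = $failed.Count
                # Many distinct source IPs behind the failures is worth a closer look
                FailedFromIPs     = @($failed | ForEach-Object { $_.IpAddress } | Sort-Object -Unique).Count
                Countries         = ($_.Group | ForEach-Object { $_.Location.CountryOrRegion } | Sort-Object -Unique) -join ','
                # ISO 8601 UTC timestamps sort correctly as strings or as DateTime
                LastSuccess       = ($ok | ForEach-Object { $_.CreatedDateTime } | Sort-Object -Descending | Select-Object -First 1)
            }
        } | Sort-Object -Property Failed -Descending
    }
}

# Constructed sample records (not real log data); IPs are documentation ranges, 50126 stands in for a non-zero error code.
$new = { param($upn, $time, $ip, $code, $country)
    [pscustomobject]@{
        UserPrincipalName = $upn; CreatedDateTime = $time; IpAddress = $ip
        Status   = [pscustomobject]@{ ErrorCode = $code }
        Location = [pscustomobject]@{ CountryOrRegion = $country }
    } }
$sample = @(
    & $new 'user1@example.com' '2024-05-01T08:00:00Z' '192.0.2.10'   0     'NO'
    & $new 'user1@example.com' '2024-05-02T08:05:00Z' '192.0.2.10'   0     'NO'
    & $new 'user2@example.com' '2024-05-02T01:10:00Z' '198.51.100.7' 50126 'NO'
    & $new 'user2@example.com' '2024-05-02T01:11:00Z' '203.0.113.44' 50126 'US'
    & $new 'user2@example.com' '2024-05-02T09:00:00Z' '192.0.2.25'   0     'NO'
)
$sample | Get-SignInSummary | Format-Table -AutoSize

# Against live data (after Connect-AzureAD), reusing $datefilter from above:
# Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $datefilter" | Get-SignInSummary
```

With the sample data, user2@example.com sorts to the top with two failures from two distinct IPs and two countries, followed by a successful sign-in.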