Entra ID

  • Last update on September 26th, 2024

The Audit section is only available as an add-on. Please contact your CSM to learn more.

 

In the Entra ID section, you will find comprehensive reports on all Entra ID activities within your Microsoft 365 tenant. These include audited activities, various sign-in events (overall, admin roles, external users, failed attempts), monthly sign-ins by user and app, risky users, risk detections, and sign-ins from anonymous IPs, from unfamiliar locations, and using legacy protocols. For certain categories, additional details can be displayed by selecting the corresponding columns. You can display a map for the Sign-in events, Sign-ins with admin roles, Sign-ins external and Sign-ins failed reports. You can enable the anonymous data toggle for those same four reports and for Sign-ins from unfamiliar locations, Risk detections and Impossible travel to atypical locations.

The Entra ID Audit category includes certain features that are found exclusively in this section. The list of these features and of the common functionalities is at the end of the article.

Audit report

This section lists the audit records. Each record shows the event name, the actor who performed the action, the date and time (in UTC) when it was performed, the target resource affected by the change, and actor, target and role details.

 
 

Sign-in events 

This section provides a report of all Entra ID sign-in events within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and enable the anonymous data toggle. This report gives full detail on all sign-in activities performed within your tenant. You can easily check failed logins and locked accounts targeted by attackers, and see in detail who is using what within your tenant. Please note that the events in the report are collapsed per minute to avoid having too many similar events.

 
 

Sign-ins with admin roles

This section provides a curated view of Entra ID sign-in events for users with admin roles within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and enable the anonymous data toggle. This report displays sign-ins of users with at least one admin role.

 
 

Sign-ins external 

This section provides a curated view of Entra ID sign-in events for external users within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and enable the anonymous data toggle. This report lets you easily see who performed the external access, when it happened, what content the external user has access to, and from what geographic location.

 
 

Sign-ins failed

This section provides a curated view of failed Entra ID sign-in events within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and enable the anonymous data toggle. This report shows failed sign-ins and the failure reasons for all users in a chosen period.

 
 

Monthly sign-ins by user

This section provides an aggregated report of Entra ID sign-in events per user within your Microsoft 365 tenant. This report shows the total number of sessions per user for the current month.

 
 

Monthly sign-ins by app

This section provides an aggregated report of Entra ID sign-in events per Entra ID integrated app within your Microsoft 365 tenant. This report provides information about the usage of managed applications and user sign-in activities.

 
 

Risky users

This section provides a report of Entra ID users flagged for sign-in risk within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. This report shows all the Entra ID users who are at risk for a V-Tenant, so that you can identify potential threats to your tenant and act accordingly.

 
 

Risk detections

This section provides a report of Entra ID risk detections within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable the anonymous data toggle. Each detected suspicious action is stored in this report. The information is useful to identify possible threats to your tenant and reduce security risk.

 
 

Sign-ins from anonymous

This section provides a report of Entra ID sign-in events from anonymous IP addresses within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable the anonymous data toggle. This report lists users who have successfully signed in from an IP address that has been identified as an anonymous proxy IP address.

 
 

Sign-ins from unfamiliar locations

This section provides a report of Entra ID sign-in events from unfamiliar locations within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable the anonymous data toggle. This report considers past sign-in locations to determine new or unfamiliar locations.

 
 

Impossible travel to atypical locations

This section provides a report of Entra ID sign-in events flagged as impossible travel to atypical locations within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable the anonymous data toggle. This report is useful to identify suspicious sign-ins from locations that may be atypical for the user, given past behavior.

 
 

Sign-ins legacy protocols

This section provides a report of Entra ID sign-in events for legacy protocols within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable the anonymous data toggle. This report shows the sign-ins that use deprecated protocols on the tenant, so that you can evaluate blocking legacy protocols and identify the impacted users.
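
The evaluation described above can also be run on an exported copy of the sign-in data. The following is an added example, not part of the product or of the original article. It assumes records shaped like Microsoft Graph signIn objects (`userPrincipalName`, `clientAppUsed`, `status.errorCode`); the set of legacy client names and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Assumption: clientAppUsed values treated as legacy authentication.
# Adjust this set to the values that appear in your own export.
LEGACY_CLIENTS = {
    "authenticated smtp", "exchange activesync", "exchange web services",
    "imap4", "mapi over http", "pop3", "other clients",
}

def _rec(user, client, error_code):
    # Constructed record, reduced to the signIn fields used below.
    return {"userPrincipalName": user, "clientAppUsed": client,
            "status": {"errorCode": error_code}}

# Constructed sample data (errorCode 0 = success, non-zero = failure).
SAMPLE_SIGN_INS = [
    _rec("alice@example.com", "IMAP4", 0),
    _rec("alice@example.com", "Browser", 0),
    _rec("bob@example.com", "POP3", 50126),
    _rec("bob@example.com", "Authenticated SMTP", 0),
    _rec("carol@example.com", "Mobile Apps and Desktop clients", 0),
    _rec("dave@example.com", "IMAP4", 50126),
    _rec("erin@example.com", None, 0),
]

def legacy_impact(sign_ins):
    """Per user: legacy protocols seen, with success and failure counts."""
    impact = defaultdict(lambda: {"protocols": set(), "success": 0, "failed": 0})
    for rec in sign_ins:
        client = (rec.get("clientAppUsed") or "").strip()
        if client.lower() not in LEGACY_CLIENTS:
            continue
        entry = impact[(rec.get("userPrincipalName") or "unknown").lower()]
        entry["protocols"].add(client)
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        entry["success" if succeeded else "failed"] += 1
    return {user: {**entry, "protocols": sorted(entry["protocols"])}
            for user, entry in sorted(impact.items())}

def users_affected_by_block(sign_ins):
    """Users with at least one successful legacy sign-in: blocking legacy
    protocols changes what works for them. Failed-only users lose nothing."""
    return [u for u, e in legacy_impact(sign_ins).items() if e["success"] > 0]

if __name__ == "__main__":
    for user, entry in legacy_impact(SAMPLE_SIGN_INS).items():
        print(user, entry)
    print("review before blocking:", users_affected_by_block(SAMPLE_SIGN_INS))
```

Users who appear only with failed legacy sign-ins have no working legacy client to migrate, so they can be left out of the impact list.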

 
 

Moreover, by clicking “Columns”, you can add or remove information from the Audit reports. You can also export, save, or schedule these reports with applied changes and filters and adjust the time interval in the top right corner of the table.

We use the Graph API to import data immediately after the group import is completed, which happens once daily. Therefore, identity protection reports, including “Risk detections”, are not provided in real-time.

 

Visit these pages to view the functionalities related to these Audit reports only:

Visit these pages to view the functionalities related to these reports:

For further information on Sign-in logs in Entra ID visit this page.