In the Entra ID section, you will find comprehensive reports on all Entra ID activities within your Microsoft 365 tenant. These include audited activities, various sign-in events (overall, admin roles, external users, failed attempts), monthly sign-ins by user and app, risky users, risk detections, and sign-ins from anonymous IPs, unfamiliar locations, and using legacy protocols. For certain categories, additional details can be displayed by selecting the corresponding columns, and you have the option to display a map (Sign-in: events, with admin roles, external and failed) and enable the anonymous data toggle (Sign-in: events, with admin roles, external and failed, from unfamiliar locations, risk detections and impossible to travel to atypical locations).
The Entra ID audit category includes certain features that are exclusively found in this section. Please, find the list of these features and the common functionalities at the end of the article.
Audit report
This section provides the audit record for the event name, the actor who performed the action, the date and time (in UTC) when it was performed, the target resource affected by the change as well as actor, target and role details.
Sign-in events
This section provides a report of all Entra ID sign-in events within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and select anonymous data toggle. This report gives full detail on all sign-ins activities performed within your tenant. You can easily check failed logins, locked account accounts targeted by hackers’ attack and also who is using what within your tenant in extreme detail. Please note that the events in the report are collapsed per minute to avoid having too many similar events.
Sign-ins with admin roles
It provides a curated view of Entra ID sign-in events for users with admin roles within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and select anonymous data toggle. This report also displays sign-ins of users with at least one admin role.
Sign-ins external
This section provides a curated view of Entra ID sign-in events for external users within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and select anonymous data toggle. This report allows you to easily visualize who performed the external access, when it happened, what content the external user has access to and from what geographic location.
Sign-ins failed
This section provides a curated view of failed Entra ID sign-in events within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can show a map and select anonymous data toggle. This report shows failed sign-ins and the reasons for all users in a chosen period.
Monthly sign-ins by user
It provides an aggregated report of Entra ID sign-in events per user within your Microsoft 365 tenant. This report shows the number of total sessions for the current month per user.
Monthly sign-ins by app
It provides an aggregated report of Entra ID sign-in events per Entra ID integrated app within your Microsoft 365 tenant. This report provides information about the usage of managed applications and user sign-in activities.
Risky users
This section provides a report of Entra ID users flagged for sign-in risk within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. This report will show you all the Entra ID Users who are at risk for a V-Tenant, in order to identify potential threats to my tenant and act accordingly.
Risk detections
This section provides a report of Entra ID risk detections within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable anonymous data toggle. Each detected suspicious action is stored in this report. The information is useful to identify possible threats to your tenant and reduce security risk.
Sign-ins from anonymous
It provides a report of Entra ID sign-in events from anonymous IP addresses within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable anonymous data toggle. This report indicates users who have successfully signed in from an IP address that has been identified as an anonymous proxy IP address.
Sign-ins from unfamiliar locations
This section provides a report of Entra ID sign-in events from unfamiliar locations within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable anonymous data toggle. This report considers past sign-in locations to determine new/unfamiliar locations.
Impossible travel to atypical locations
It provides a report of Entra ID sign-in events for legacy protocols within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable anonymous data toggle. This report is useful to identify suspicious from locations that may be atypical for the user, given past behavior.
Sign-ins legacy protocols
This section provides a report of Entra ID sign-in events for legacy protocols within your Microsoft 365 tenant. Additional details can be displayed by selecting the corresponding columns. You can enable anonymous data toggle. This report will show you those sign-ins using deprecated protocols on the tenant in order to be able to evaluate blocking legacy protocols and impacted users.
Moreover, by clicking “Columns”, you can add or remove information from the Audit reports. You can also export, save, or schedule these reports with applied changes and filters and adjust the time interval in the top right corner of the table.
Visit these pages to view the functionalities related to these audit reports only:
Visit these pages to view the functionalities related to these reports:
For further information on Sign-in logs in Entra ID visit this page.