Unit 2: Analyze and investigate sign-in logs to troubleshoot access issues

Overview of Microsoft Entra ID reporting architecture

Microsoft Entra ID reporting is divided into activity data and security-related data. Each log type serves a different troubleshooting and investigation purpose.

Activity logs

Activity logs record what happened in your tenant.

Sign-ins

Sign-in logs provide information about:

• User authentication attempts.
• Application access.
• Authentication results and enforcement.

Use sign-in logs to answer questions such as:

• Did the user successfully sign in?
• Which app was accessed?
• Was MFA required or enforced?
• Did Conditional Access block the sign-in?

Audit logs

Audit logs capture configuration and directory changes, such as:

• User and group creation or deletion.
• Role assignments.
• Application configuration changes.
• Policy updates.

Audit logs are essential for change tracking and compliance.

Provisioning logs

Provisioning logs track:

• User and group provisioning actions.
• Automated identity changes via provisioning services.
• Integrations with systems like Workday or ServiceNow.

These logs help troubleshoot identity lifecycle automation.

Security logs

Security-related logs focus on risk detection.

Risky sign-ins

A risky sign-in indicates:

• A sign-in attempt that may not have been performed by the legitimate user.
• Detection is based on signals like unfamiliar locations or behavior.

Users flagged for risk

A risky user indicates:

• A user account that may already be compromised.
• Risk persists across multiple sign-ins until remediated.

These logs are tightly integrated with Microsoft Entra ID Protection.

Who can access sign-in data?

Access to sign-in and reporting data is role-based.

Roles that can access tenant-wide sign-in data

• Global Administrator.
• Security Administrator.
• Security Reader.
• Global Reader.
• Reports Reader.

Non-admin users

• Any user can view their own sign-in activity only.

Licensing requirements for sign-in logs

• Sign-in activity reports are available in all Microsoft Entra ID editions.
• Logs are also accessible via Microsoft Graph API.
• Advanced risk signals require Premium P2, but basic sign-in logs do not.

This distinction is commonly tested in the exam.

The Sign-ins report

The Sign-ins report is the primary tool for investigating authentication issues.

How to access the Sign-ins report

• Open the Azure portal.
• Select Microsoft Entra ID.
• Under Monitoring, select Sign-ins.

Sign-in records can take up to two hours to appear in the portal.

Important behavior to remember (exam-critical)

• The Sign-ins report shows interactive sign-ins only.
• Non-interactive sign-ins (service-to-service authentication) are not displayed here.

Default sign-in log fields

Each sign-in record includes:

• Sign-in date.
• User identity.
• Target application.
• Sign-in status.
• Risk detection status.
• MFA requirement status.

These fields allow you to quickly identify:

• Failed sign-ins.
• Risky authentication attempts.
• MFA enforcement issues.

Customizing the sign-ins view

You can customize the sign-in list by selecting Columns in the toolbar.

Key limitation:

• Fields with multiple values per sign-in cannot be displayed as columns.
• Examples include:
• Authentication details.
• Conditional Access policy details.
• Network location information.

Viewing detailed sign-in information

Selecting a specific sign-in record opens a detailed view that includes:

• Authentication method used.
• Conditional Access evaluation results.
• MFA outcome.
• Device and location data.

This view is essential for Conditional Access troubleshooting.

Conditional Access troubleshooting

When you open the Conditional Access tab for a sign-in:

• You can see which policies were evaluated.
• You can see whether each policy succeeded, failed, or was not applied.

This eliminates guesswork when diagnosing blocked access.

Filtering sign-in activities

Filters help isolate relevant sign-in events.

Commonly used filters include:

• Request ID.
• User (UPN).
• Application.
• Status (Success, Failure, Interrupted).
• IP address.
• Location (city, region, country).
• Client app type.
• Operating system.
• Browser.
• Correlation ID.
• Conditional Access outcome.

Client app filter (exam favorite)

The Client app filter identifies how the user authenticated.

Key examples:

• Browser (modern authentication).
• Mobile apps and desktop clients (modern authentication).
• Legacy protocols like POP3, IMAP4, SMTP.
• Exchange ActiveSync.
• PowerShell connections.

This filter is critical when troubleshooting:

• Legacy authentication blocks.
• MFA enforcement failures.

Downloading sign-in data

You can export sign-in logs by selecting Download.

Important limits:

• Maximum of 250,000 records per download.
• Export formats:
• CSV.
• JSON.

Retention is subject to Microsoft Entra ID log retention policies.

Additional entry points to sign-in data

Sign-in data is also accessible from:

• Identity Protection.
• User profiles.
• Group views.
• Enterprise application views.

Identity Protection sign-in insights

Identity Protection provides:

• Weekly sign-in aggregations.
• A default 30-day view.
• Risk-focused sign-in analysis.

Selecting a day reveals:

• User.
• Application.
• Sign-in status.
• MFA status.

IP address location caveat (exam note)

IP-based location data is best-effort only.

Reasons include:

• VPN usage.
• Mobile carrier IP pooling.
• Centralized IP allocation.

Never assume IP location equals physical location.

Application usage reporting

Microsoft Entra ID provides application-centric sign-in analysis.

You can determine:

• Who is using applications.
• Which applications are most used.
• Adoption trends for new applications.

This data is found under:

• Enterprise applications → Overview.

Microsoft 365 activity logs

Microsoft 365 activity logs:

• Share identity-related data with Entra logs.
• Are fully visible only in the Microsoft 365 admin center.

You can also access these logs via:

• Office 365 Management APIs.

Exam-focused takeaway

• Sign-in logs = authentication troubleshooting.
• Audit logs = configuration tracking.
• Provisioning logs = lifecycle automation visibility.
• Identity Protection = risk-based analysis.
• Interactive vs non-interactive sign-ins matter.
• Licensing differences are tested.