When an organization experiences a security scare or a suspected compromised credential, the first place to look is the Microsoft Entra ID sign-in logs. This tutorial provides a comprehensive guide on exactly where to find and navigate these logs within the admin center and Azure Portal.
Microsoft Entra ID Sign-In Logs Where to Find
Prerequisites: Permissions and Licensing Requirements
Before attempting to access Microsoft Entra ID sign-in logs, you must ensure that your administrative user account possesses the necessary authorization levels and license tiers. Identity data is highly sensitive, and Microsoft enforces strict role-based access control (RBAC) boundaries over who can view it.
Required Administrative Directory Roles
You do not need full Global Administrator rights to view identity telemetry. To implement the principle of least privilege, assign one of these specialized security roles:
- Security Reader: Allows view-only access to sign-in logs, security alerts, and conditional access configurations. Excellent for junior analysts or auditing teams.
- Security Administrator: Provides full read and write access to security telemetry, identity protection policies, and sign-in metrics.
- Global Reader: Provides sweeping, view-only access to all configuration states and monitoring dashboards across the entire Microsoft 365 tenant.
Licensing Thresholds and Retention Boundaries
While basic login data is available across all license types, the depth of details and log history retention windows change drastically depending on your Microsoft Entra tier.
| License Tier | Retention Window | Advanced Filtering & Telemetry Features |
|---|---|---|
| Microsoft Entra ID Free | 7 Days | Basic interactive user logs only; lacks advanced conditional access context. |
| Microsoft Entra ID P1 | 30 Days | Full access to non-interactive, service principal, and managed identity tracking. |
| Microsoft Entra ID P2 | 30 Days | Includes P1 logging plus advanced Identity Protection risky sign-in correlation analytics. |
Architect’s Strategy Tip: A 30-day default retention window is completely inadequate for compliance audits (such as SOC 2 or HIPAA), which typically require keeping logs for a year or more. To work around this limitation, navigate to Diagnostic settings in Entra ID and stream your log events to an Azure Log Analytics workspace, an Azure Storage account, or an external SIEM tool like Microsoft Sentinel for long-term archiving.
Step-by-Step Tutorial: Where to Find Entra ID Sign-In Logs
Let’s walk through the exact portal sequence required to locate the primary tracking dashboards inside the Microsoft cloud administration interface.
Approach 1: Using Microsoft Admin Center
Open your preferred web browser and go to the centralized Microsoft Entra admin center directly at entra.microsoft.com. Log in using your corporate administrative credentials.
Step 2: Accessing the Monitoring and Health Module
Once the dashboard completely loads, look at the left-hand navigation column. Locate and click on the Entra ID dropdown menu to expand the core management options. Scroll down until you find the Monitoring & health section, then click on it to open the operational monitoring sub-menu. Check out the screenshot below for your reference.


Step 3: Selecting the Sign-In Logs Canvas
Inside the expanded Monitoring menu, click on Sign-in logs. The browser will load the primary logging workspace. By default, the interface will display all interactive user sign-in events generated across your tenant during the past 24 hours. Check out the above screenshot for reference.
Deciphering the Four Log Categories
Once you land on the dashboard workspace, you will notice four distinct tabs arrayed across the top of the logging table grid. Microsoft categorizes sign-ins based on the type of identity entity making the connection request.
- User sign-ins (interactive): Traditional logins where a human user provides a credential string, completes an MFA challenge, or interacts directly with a browser dialog screen. Think of employees checking email or logging into a corporate intranet.
- User sign-ins (non-interactive): Background authentications executed by client applications on behalf of a user. For instance, when an employee’s Outlook mobile app refreshes its inbox cache in the background using a previously acquired refresh token, it registers as a non-interactive event.
- Service principal sign-ins: Authentications initiated by automated cloud applications, security daemons, or third-party integrations that do not involve a human user. Security teams monitor this tab to track the behavior of local scripts and background APIs.
- Managed identity sign-ins: Log events for cloud resources managed entirely by Azure. When an Azure Virtual Machine securely communicates with an Azure Key Vault using a system-assigned credential, Entra ID tracks that interaction here, eliminating the need for developer-managed secrets.
Approach 2: Using Azure Portal
- Log in to the Azure Portal.
- In the top universal search bar, type Microsoft Entra ID (or Azure Active Directory) and select it from the services dropdown.
- Once the main Entra overview canvas loads, focus on the left-hand navigation pane.
- Scroll down to the Monitoring category block, expand it, and click on Sign-in logs. Check out the screenshots below for your reference.


Advanced Filtering and Forensic Analysis
A high-volume production tenant can easily generate millions of sign-in events every single day. If you are searching for a specific failed login attempt made by a field engineer, searching through raw table data row-by-row is impossible. You must master the filtration layer to isolate suspicious events.
Adding Diagnostic Filter Attributes
Directly above the log table, click the Add filters button. This allows you to append precise search conditions to narrow your scope:
- User: Target a single person’s email address (e.g., marcus.vance@company.com) to audit their entire access history.
- Status: Filter strictly by Failure to isolate broken connections, misconfigured passwords, or active brute-force password-spraying attacks.
- IP Address: Input a specific public IP address to see if an unknown device is attempting to gain unauthorized access to your cloud assets.
- Application: Filter down to specific software endpoints, such as checking logins exclusively for Azure Portal or SharePoint Online.
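The same User, Status, IP address and Application filters can be applied offline to exported sign-in records, where a grouping step separates password spraying (one source IP failing against many accounts) from a single user mistyping a password. This is an added example, not code from the original article; the record keys are modelled on the Microsoft Graph signIn resource, and the function names, sample rows and the three-account threshold are assumptions.

```python
from collections import defaultdict

BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password

def _row(upn, ip, app, code):
    return {"userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": app, "status": {"errorCode": code}}

# Constructed sample rows (documentation IP ranges, made-up users); keys are
# modelled on the Microsoft Graph signIn resource. errorCode 0 means success.
SIGN_INS = [
    _row("marcus.vance@company.com", "203.0.113.50", "Azure Portal", BAD_PASSWORD),
    _row("dana.lee@company.com", "203.0.113.50", "Azure Portal", BAD_PASSWORD),
    _row("sam.ortiz@company.com", "203.0.113.50", "Azure Portal", BAD_PASSWORD),
    _row("sam.ortiz@company.com", "203.0.113.50", "Azure Portal", BAD_PASSWORD),
    _row("marcus.vance@company.com", "198.51.100.7", "SharePoint Online", BAD_PASSWORD),
    _row("marcus.vance@company.com", "198.51.100.7", "SharePoint Online", 0),
    _row("dana.lee@company.com", "198.51.100.9", "Azure Portal", 0),
]

def apply_filters(rows, user=None, failed_only=False, ip=None, app=None):
    """Offline equivalent of the User / Status / IP address / Application filters."""
    def keep(r):
        return ((user is None or r["userPrincipalName"].lower() == user.lower())
                and (not failed_only or r["status"]["errorCode"] != 0)
                and (ip is None or r["ipAddress"] == ip)
                and (app is None or r["appDisplayName"] == app))
    return [r for r in rows if keep(r)]

def spray_candidates(rows, min_users=3):
    """Source IPs with bad-password failures against >= min_users distinct accounts."""
    targets = defaultdict(set)
    for r in apply_filters(rows, failed_only=True):
        if r["status"]["errorCode"] == BAD_PASSWORD:
            targets[r["ipAddress"]].add(r["userPrincipalName"].lower())
    return {ip: sorted(users) for ip, users in targets.items() if len(users) >= min_users}
```

Counting distinct accounts per IP, rather than raw failures, keeps one user's repeated typos from 198.51.100.7 out of the result.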
Dissecting a Single Event Record
Clicking on any individual log row opens a comprehensive side panel packed with diagnostic tabs. As a security investigator, you must analyze these fields closely:
[Basic Info: Request ID, Correlation ID, Exact Timestamp, Public IP, Geolocation Location]
↓
[Location & Device: Operating System, Web Browser Type, Device Compliance Status]
↓
[Authentication Details: Exact Password Used, Single-Factor vs. MFA Validation Method]
↓
[Conditional Access: Audit Trail of Policies that Evaluated, Blocked, or Allowed the Session]
Reviewing the Authentication Details tab tells you exactly how a login attempt succeeded or failed. If you see an event where the primary password check passed but the sign-in ultimately failed because the user ignored or rejected an authenticator app push notification, you have discovered an active target for an MFA fatigue attack.
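The password-passed, MFA-failed pattern described above can be checked across many records at once. The sketch below flags users with a burst of such failures and notes whether a successful sign-in followed, which is the case to escalate first. This is an added example, not code from the original article; the keys are modelled on the Microsoft Graph signIn resource and its authenticationDetails entries, and the function names, sample events, threshold and 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

def _event(upn, ts, code):
    steps = [{"authenticationMethod": "Password", "succeeded": code != 50126}]
    if code != 50126:  # a second factor is only prompted after a good password
        steps.append({"authenticationMethod": "Mobile app notification", "succeeded": code == 0})
    return {"userPrincipalName": upn, "createdDateTime": ts,
            "status": {"errorCode": code}, "authenticationDetails": steps}

# Constructed sample data. AADSTS codes: 0 = success, 50126 = bad password,
# 500121 = the strong-authentication (MFA) step failed.
SIGN_INS = [
    _event("marcus.vance@company.com", "2024-05-01T02:10:05Z", 500121),
    _event("marcus.vance@company.com", "2024-05-01T02:11:40Z", 500121),
    _event("marcus.vance@company.com", "2024-05-01T02:13:02Z", 500121),
    _event("marcus.vance@company.com", "2024-05-01T02:14:30Z", 0),
    _event("dana.lee@company.com", "2024-05-01T09:00:00Z", 500121),
    _event("dana.lee@company.com", "2024-05-01T15:00:00Z", 500121),
    _event("sam.ortiz@company.com", "2024-05-01T09:05:00Z", 50126),
]

def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))

def password_ok_mfa_failed(record):
    """True when the password step passed but a later factor did not."""
    steps = record["authenticationDetails"]
    return (any(s["authenticationMethod"] == "Password" and s["succeeded"] for s in steps)
            and any(s["authenticationMethod"] != "Password" and not s["succeeded"] for s in steps))

def fatigue_candidates(records, threshold=3, window=timedelta(minutes=10)):
    """Users with >= threshold MFA failures in one window; notes a success right after."""
    denials, successes = {}, {}
    for r in records:
        user = r["userPrincipalName"].lower()
        if password_ok_mfa_failed(r):
            denials.setdefault(user, []).append(_ts(r))
        elif r["status"]["errorCode"] == 0:
            successes.setdefault(user, []).append(_ts(r))
    findings = {}
    for user, times in denials.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if last - times[i] <= window:
                approved = any(last < s <= last + window for s in successes.get(user, []))
                findings[user] = {"burst_end": last.isoformat(), "approved_after": approved}
                break
    return findings
```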
Summary
Locating and analyzing your Microsoft Entra ID sign-in logs is a fundamental requirement for maintaining a resilient, secure enterprise environment. By mastering the navigation flow under the Monitoring and health tab, understanding the four distinct logging categories, and utilizing precise search filters, you gain the administrative authority needed to protect your corporate data assets and easily troubleshoot connection issues.

I am Rajkishore, and I am a Microsoft Certified IT Consultant. I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machines, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials.
