| title | Sign-in logs in Microsoft Entra ID |
|---|---|
| description | Learn about the different types of sign-in logs that are available in Microsoft Entra monitoring and health. |
| ms.topic | concept-article |
| ms.date | 11/07/2025 |
| ms.reviewer | egreenberg14 |
| ms.custom | sfi-image-nochange,agent-id-ignite |
Microsoft Entra logs all sign-ins into a Microsoft Entra tenant, which includes your internal apps and resources. As an IT administrator, you need to know what the sign-in log details mean, so that you can interpret the log values correctly.
Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services. The sign-in logs provided by Microsoft Entra ID are a powerful type of activity log that you can analyze. This article describes several key aspects of the sign-in logs.
Three other activity logs are also available to help monitor the health of your tenant:
- Audit – Information about changes applied to your tenant, such as users and group management or updates applied to your tenant’s resources.
- Sign-ups (preview) - For external tenants only, information about all self-service sign-up attempts, including successful sign-ups and failed attempts.
- Provisioning – Activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
You can use the sign-in logs to answer questions such as:
- How many users signed into a particular application this week?
- How many failed sign-in attempts occurred in the last 24 hours?
- Are users signing in from specific browsers or operating systems?
- Which of my Azure resources were accessed by managed identities and service principals?
You can also describe the activity associated with a sign-in request by identifying the following details:
- Who – The identity (User) performing the sign-in.
- How – The client (Application) used for the sign-in.
- What – The target (Resource) accessed by the identity.
Note
Entries in the sign-in logs are system generated and can't be changed or deleted.
There are several ways to access the logs, depending on your needs. For more information, see How to access activity logs.
To view the sign-in logs from the Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center as at least a Reports Reader.
- Browse to Entra ID > Monitoring & health > Sign-in logs.
To more effectively use the sign-in logs in the Microsoft Entra admin center, adjust the filters to only view a specific set of logs. For more information, see Filter sign-in logs.
There are four types of logs in the sign-in logs preview:
- Interactive user sign-ins
- Non-interactive user sign-ins
- Service principal sign-ins
- Managed identity sign-ins
The legacy sign-in logs experience only includes interactive user sign-ins.
Agent activity logs are a new log type in our audit and sign-in logs to help you monitor agent related activities. IT administrators can view and manage agent activity directly in the Microsoft Entra admin center and using the Microsoft Graph API. For more information, see Microsoft Entra Agent ID logs.
Sign-in data is used by several services in Azure and Microsoft Entra to monitor risky sign-ins, provide insight into application usage, and more.
Sign-in log data visualization that relates to risky sign-ins is available in the Microsoft Entra ID Protection overview, which uses the following data:
- Risky users
- Risky user sign-ins
- Risky workload identities
For more information about the Microsoft Entra ID Protection tools, see the Microsoft Entra ID Protection overview.
To view application-specific sign-in data, browse to Microsoft Entra ID > Monitoring & health > Usage & insights. These reports provide a closer look at sign-ins for Microsoft Entra application activity and AD FS application activity. For more information, see Microsoft Entra Usage & insights.
:::image type="content" source="media/concept-sign-ins/usage-insights.png" alt-text="Screenshot of the Usage & insights report." lightbox="media/concept-sign-ins/usage-insights-expanded.png":::
There are several reports available in Usage & insights. Some of these reports are in preview.
- Microsoft Entra application activity (preview)
- AD FS application activity
- Authentication methods activity
- Service principal sign-in activity
- Application credential activity
You can view Microsoft 365 activity logs from the Microsoft 365 admin center. Microsoft 365 activity and Microsoft Entra activity logs share a significant number of directory resources. Only the Microsoft 365 admin center provides a full view of the Microsoft 365 activity logs.
You can access the Microsoft 365 activity logs programmatically by using the Office 365 Management APIs.