
How to export Entra ID logs efficiently

Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is Microsoft's comprehensive cloud-based identity and access management (IAM) solution. It serves as the central hub for managing user identities, access controls, and authentication within your organization's environment. Beyond user provisioning and single sign-on (SSO), Entra ID provides robust auditing capabilities that let you monitor user activity and track sign-in attempts. By extracting this data through log exports, you can demonstrate regulatory compliance, strengthen your security posture, and carry out in-depth investigations.

This guide walks through the process of exporting user activity and sign-in logs from Microsoft Entra ID, giving IT security professionals and administrators the knowledge to use these capabilities effectively. Granular insight into user behavior helps you address potential security threats proactively and maintain a secure IT infrastructure.

The following are some specific use cases that exemplify the benefits of exporting user activity and sign-in logs:

  • Security analyst investigating suspicious login attempts: Analyzing exported logs helps analysts identify login attempts originating from unusual locations or unrecognized devices, which supports the investigation of potentially compromised accounts or targeted attacks.
  • IT helpdesk troubleshooting user sign-in issues: When a user reports a sign-in error, help desk agents can review the exported logs for the failed attempts. This information helps pinpoint the root cause (e.g., incorrect credentials, multi-factor authentication problems) and expedite resolution.
  • Compliance officer preparing for an audit: Exported logs serve as verifiable records of user activity, demonstrating adherence to industry regulations and internal security policies.

Prerequisites:

  • Permissions: Exporting specific log types might require elevated administrative roles within Entra ID (see the roles and licenses table below).
  • Data security: Exported logs often contain sensitive user information. Ensure that they are stored securely and access is restricted to authorized personnel.
  • Data retention: Establish a data retention policy to determine how long you need to store exported logs before securely disposing of them.

In the context of exporting user activity and sign-in logs from Microsoft Entra ID, logs are electronic records that capture a chronological sequence of events and activities within the system. These events primarily cover user interactions and system operations.

Entra ID provides access to three primary log categories relevant for user activity and sign-in monitoring:

  • Sign-in logs: capture details about user sign-in attempts, including:
    • User identity (username, email)
    • Sign-in time and location (IP address)
    • Sign-in status (success/failure)
    • Client application used for sign-in
  • Audit logs: record administrative actions performed within Entra ID, such as:
    • User creation, modification, or deletion
    • Group management activities
    • Permission changes
    • Directory synchronization events
  • Provisioning logs: track activities related to user provisioning from external identity sources.

Here's a breakdown of what the logs contain in this scenario:

  • User actions: Any attempt by a user to sign in, access an application, or perform an action within an application is recorded in the logs.
  • System activity: Internal system processes related to user authentication, authorization, and resource access are also logged.
  • Metadata: Additional details like timestamps, locations (when available), and the specific application or resource involved are included to provide context for the logged events.

Strong authentication methods such as biometrics reduce risk, but it is still crucial to track user activity and sign-in logs so that suspicious behavior is noticed and a complete audit trail is maintained. This helps identify unauthorized access attempts and potential security breaches early on.

Entra ID provides two main methods for tracking user activity and sign-in logs:

Exporting logs for analysis:

  • Manual download:
    • Navigate to the desired log category (Sign-in logs, Audit logs, or Provisioning logs) within the Entra ID admin center.
    • Select a specific timeframe for the data export.
    • Download the logs in a consumable format (typically CSV).
  • Diagnostic settings with destination integration:
    • Configure diagnostic settings to continuously stream logs to a designated destination like:
      • Azure Monitor Log Analytics workspace
      • Azure Event Hub
      • An external SIEM (Security Information and Event Management) solution

This approach facilitates real-time analysis and integration with broader security monitoring tools.
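The diagnostic-settings route can be scripted instead of clicked through in the admin center. The following is an added example, not code from the original article: it uses the Az.Monitor PowerShell module (New-AzDiagnosticSetting and New-AzDiagnosticSettingLogSettingsObject, available from Az.Monitor 3.0) to stream sign-in and audit logs to a Log Analytics workspace. The workspace resource ID and the setting name are constructed placeholders, and the tenant-level Entra ID resource path is an assumption taken from the Azure Monitor diagnostic-settings API; check both against your environment before running it.

```powershell
# Added example (not from the original article): configure a diagnostic setting that
# streams Entra ID sign-in and audit logs to a Log Analytics workspace.
# Requires Az.Accounts and Az.Monitor (3.0 or later) and a caller who can both read
# Entra ID logs and write Azure Monitor settings.
Connect-AzAccount | Out-Null

# Constructed placeholder: replace with your workspace's resource ID.
$workspaceId = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"

# Assumption: Entra ID diagnostic settings hang off this tenant-level resource path
# rather than off a subscription-scoped resource.
$entraResourceId = "/providers/microsoft.aadiam"

# Build one log-settings object per category. Interactive sign-ins alone miss
# token refreshes and background auth, so NonInteractiveUserSignInLogs is included.
$categories = "SignInLogs", "AuditLogs", "NonInteractiveUserSignInLogs"
$logs = foreach ($category in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $category
}

# Create (or overwrite) the setting. Swap -WorkspaceId for -EventHubAuthorizationRuleId
# and -EventHubName to stream to an Event Hub / external SIEM instead.
New-AzDiagnosticSetting -Name "entra-logs-to-law" `
                        -ResourceId $entraResourceId `
                        -WorkspaceId $workspaceId `
                        -Log $logs
```

Once the setting is in place, new events land in the workspace tables (SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs) within a few minutes, and retention is governed by the workspace rather than by the Entra ID portal's own limits.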

Because exported logs (electronic records) contain information drawn from several security processes, they serve as a one-stop source for a detailed audit trail of events related to user access, permission changes, and security configurations.

Leveraging exported logs

Extracted user activity and sign-in logs can be utilized for different purposes:

  • Security threat detection: Analyze logs to identify suspicious login attempts, potential malware activity, or unusual access patterns.
  • Investigating security incidents: Exported logs provide valuable forensic data for investigating security breaches or unauthorized access attempts.
  • User behavior monitoring: Track user activity trends to identify potential misuse of resources or deviations from standard access patterns.
  • Compliance reporting: Tracked user activity and access audits demonstrate compliance with internal policies and security requirements.
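As an added example of the threat-detection and incident-investigation uses above (not code from the original article), the script below triages an exported sign-in CSV: it groups failed sign-ins by user and source IP to surface repeated failures, and lists users who signed in successfully from more than one country in the export window. The column names follow what Export-Csv produces from the Graph sign-in objects; the rows are constructed sample data with documentation-range IP addresses, and the failure threshold is an assumed tunable, not a Microsoft default.

```powershell
# Added example (not from the original article): triage a sign-in log export.
# Constructed sample rows; in practice use Import-Csv on the exported file instead.
$sample = @'
CreatedDateTime,UserPrincipalName,AppDisplayName,IpAddress,Country,ErrorCode,FailureReason
2024-05-01T08:01:10Z,alice@contoso.example,Office 365,203.0.113.10,GB,0,
2024-05-01T08:02:35Z,alice@contoso.example,Office 365,198.51.100.7,RU,50126,Invalid username or password
2024-05-01T08:02:41Z,alice@contoso.example,Office 365,198.51.100.7,RU,50126,Invalid username or password
2024-05-01T08:03:02Z,alice@contoso.example,Office 365,198.51.100.7,RU,50126,Invalid username or password
2024-05-01T08:03:30Z,alice@contoso.example,Office 365,198.51.100.7,RU,50126,Invalid username or password
2024-05-01T09:15:00Z,bob@contoso.example,Azure Portal,203.0.113.22,GB,50074,Strong Authentication is required
2024-05-01T09:15:40Z,bob@contoso.example,Azure Portal,203.0.113.22,GB,0,
2024-05-01T10:05:12Z,carol@contoso.example,Office 365,203.0.113.30,GB,0,
2024-05-01T10:20:48Z,carol@contoso.example,Office 365,192.0.2.77,BR,0,
'@
$signins = $sample | ConvertFrom-Csv
# Real export: $signins = Import-Csv .\EntraLogExport\signins-<stamp>.csv

$threshold = 3   # assumed: failures per user/IP pair before it is reported

# ErrorCode 0 is a successful sign-in; any other code is a failure
# (50126 = bad credentials, 50074 = MFA challenge required, etc.).
$failures = $signins | Where-Object { $_.ErrorCode -ne '0' }

# Repeated failures from one IP against one account: the shape of a brute-force
# or password-spray attempt, or simply a stale saved password on a device.
$repeated = $failures |
    Group-Object UserPrincipalName, IpAddress |
    Where-Object { $_.Count -ge $threshold } |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object CreatedDateTime
        [pscustomobject]@{
            User      = $ordered[0].UserPrincipalName
            IpAddress = $ordered[0].IpAddress
            Country   = $ordered[0].Country
            Failures  = $_.Count
            FirstSeen = $ordered[0].CreatedDateTime
            LastSeen  = $ordered[-1].CreatedDateTime
            Reason    = $ordered[0].FailureReason
        }
    }

# Successful sign-ins from more than one country in the window: worth a second
# look against travel, VPN egress, or a possible session/credential compromise.
$multiCountry = $signins |
    Where-Object { $_.ErrorCode -eq '0' } |
    Group-Object UserPrincipalName |
    Where-Object { @($_.Group.Country | Sort-Object -Unique).Count -gt 1 } |
    Select-Object @{n='User';      e={ $_.Name }},
                  @{n='Countries'; e={ ($_.Group.Country | Sort-Object -Unique) -join ',' }}

"Repeated failures (>= $threshold per user/IP):"
$repeated | Format-Table -AutoSize
"Successful sign-ins from multiple countries:"
$multiCountry | Format-Table -AutoSize
```

With the sample rows, alice is reported for four failures from 198.51.100.7 and carol for successes from GB and BR, while bob's single MFA interrupt followed by a success stays below the threshold. The same grouping logic transfers directly to a Log Analytics query once logs are streamed there.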

Log/Report: Logs capture detailed information about user activities, including sign-in attempts (successful or failed), access attempts to resources, and other actions performed within the system; they are the raw record of user behavior. Reports are generated from that log data and offer an aggregated view of user activity and sign-ins, typically presented through filters, charts, and visualizations that help you inspect trends, identify potential anomalies, and gain insight into user behavior patterns.

Roles: Control what users can see and do, such as managing user accounts, resetting passwords, or accessing specific applications. Permissions associated with user activity and sign-in logs can be controlled through roles. For instance, a security administrator role might have access to view all user sign-in logs, while a help desk role might only see a limited view of recent login attempts.

Licenses in Entra ID: Determine the features and functionalities available to users. Certain licenses might be required to access specific reporting or auditing capabilities related to user activity and sign-in logs.

| Log / Report | Roles | Licenses |
| --- | --- | --- |
| Audit | Reports Reader, Security Reader, Security Administrator, Global Reader | All editions of Microsoft Entra ID |
| Sign-ins | Reports Reader, Security Reader, Security Administrator, Global Reader | All editions of Microsoft Entra ID |
| Provisioning | Reports Reader, Security Reader, Security Administrator, Global Reader, Security Operator, Application Administrator, Cloud App Administrator | Microsoft Entra ID P1 or P2 |
| Custom security attribute audit logs* | Attribute Log Administrator, Attribute Log Reader | All editions of Microsoft Entra ID |
| Usage and insights | Reports Reader, Security Reader, Security Administrator | Microsoft Entra ID P1 or P2 |
| Identity Protection** | Security Administrator, Security Operator, Security Reader, Global Reader | Microsoft Entra ID Free, Microsoft 365 Apps, Microsoft Entra ID P1 or P2 |
| Microsoft Graph activity logs | Security Administrator; permissions to access data in the corresponding log destination | Microsoft Entra ID P1 or P2 |

Optimizing log exports

  • Define a retention policy: Decide how long to keep exported logs based on your organization's security and regulatory requirements.
  • Filter log data: Use the filtering features in Entra ID or your destination platform to concentrate on particular user actions or time periods, which keeps analysis focused and export volumes manageable.

For continuous monitoring requirements in particular, consider scripting or automating the export procedure rather than downloading CSV files by hand.
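One way to automate the export, added here as an example and not code from the original article: the script below uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module) to pull the last N days of sign-in and audit logs and write each to CSV. It assumes the module is installed and that the signed-in account holds a role from the table above that can read both log types; the output directory and file naming are constructed choices.

```powershell
# Added example (not from the original article): export recent Entra ID sign-in and
# audit logs to CSV with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Reports (pulls in Microsoft.Graph.Authentication).
param(
    [int]$Days = 7,
    [string]$OutDir = ".\EntraLogExport"   # constructed output location
)

# Read-only delegated scopes are sufficient for both log types.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

# Sign-in logs. -All follows @odata.nextLink so large windows are not truncated
# at the first page; the OData filter keeps the query server-side.
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Select-Object CreatedDateTime,
                  UserPrincipalName,
                  AppDisplayName,
                  IpAddress,
                  @{n='City';          e={ $_.Location.City }},
                  @{n='Country';       e={ $_.Location.CountryOrRegion }},
                  ClientAppUsed,
                  ConditionalAccessStatus,
                  @{n='ErrorCode';     e={ $_.Status.ErrorCode }},
                  @{n='FailureReason'; e={ $_.Status.FailureReason }} |
    Export-Csv -Path (Join-Path $OutDir "signins-$stamp.csv") -NoTypeInformation -Encoding UTF8

# Audit logs: administrative actions such as user/group changes and role assignments.
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Select-Object ActivityDateTime,
                  ActivityDisplayName,
                  Category,
                  Result,
                  @{n='InitiatedBy'; e={ $_.InitiatedBy.User.UserPrincipalName }},
                  @{n='Target';      e={ ($_.TargetResources | Select-Object -First 1).DisplayName }} |
    Export-Csv -Path (Join-Path $OutDir "audit-$stamp.csv") -NoTypeInformation -Encoding UTF8

Disconnect-MgGraph | Out-Null
```

Run it from a scheduled task or pipeline with a certificate-based app registration instead of the interactive Connect-MgGraph prompt for unattended use, and apply the retention policy from the list above to the output directory, since the CSV files carry the same sensitive data as the portal.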
