Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
1st party to 1st party service principal sign-in logs.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Audit, Security |
| Solutions | LogManagement |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | - |
Columns
| Column | Type | Description |
|---|---|---|
| AppId | string | Unique GUID representing the app ID in the Azure Active Directory |
| AppOwnerTenantId | string | The tenant identifier of the owner of the application in Azure Active Directory. |
| _BilledSize | real | The record size in bytes |
| Category | string | Category of the sign-in event |
| CorrelationId | string | ID to provide sign-in trail |
| CreatedDateTime | datetime | Datetime of the sign-in activity. |
| DurationMs | long | The duration of the operation in milliseconds |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| OperationName | string | For sign-ins, this value is always Sign-in activity |
| OperationVersion | string | The REST API version that's requested by the client |
| ResourceDisplayName | string | Name of the resource that was authenticated to |
| ResourceGroup | string | Resource group for the logs |
| ResourceIdentity | string | ID of the resource that was authenticated to |
| ResourceOwnerTenantId | string | The tenant ID of the owner of the resource being authenticated to |
| ResourceServicePrincipalId | string | Service Principal Id of the resource |
| ResultSignature | string | The result of the sign-in. Can be either success or failure |
| ServicePrincipalCredentialKeyId | string | Key id of the service principal that initiated the sign-in |
| ServicePrincipalCredentialThumbprint | string | Thumbprint of the service principal that initiated the sign-in |
| ServicePrincipalId | string | ID of the service principal who initiated the sign-in |
| ServicePrincipalName | string | Service Principal Name of the service principal who initiated the sign-in |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time of the event in UTC |
| Type | string | For sign-ins, this value is always MicrosoftServicePrincipalSignInLogs |
| UniqueTokenIdentifier | string | Unique token identifier for the request |