What are the identity logs you can stream to an endpoint?
Using Microsoft Entra diagnostic settings, you can route activity logs to several endpoints for long term retention and data insights. You select the logs you want to route, then select the endpoint.
This article describes the logs that you can route to an endpoint with Microsoft Entra diagnostic settings.
Log streaming requirements and options
Setting up an endpoint, such as an event hub or storage account, might require different roles and licenses. To create or edit a new diagnostic setting, you need a user who's a Security Administrator for the Microsoft Entra tenant.
To help decide which log routing option is best for you, see How to access activity logs. The overall process and requirements for each endpoint type are covered in the following articles:
- Send logs to a Log Analytics workspace to integrate with Azure Monitor logs
- Archive logs to a storage account
- Stream logs to an event hub
Activity log options
The following logs can be routed to an endpoint for storage, analysis, or monitoring.
Audit logs
The AuditLogs
report capture changes to applications, groups, users, and licenses in your Microsoft Entra tenant. Once you routed your audit logs, you can filter or analyze by date/time, the service that logged the event, and who made the change. For more information, see Audit logs.
Sign-in logs
The SignInLogs
send the interactive sign-in logs, which are logs generated by your users signing in. Sign-in logs are generated when users provide their username and password on a Microsoft Entra sign-in screen or when they pass an MFA challenge. For more information, see Interactive user sign-ins.
Non-interactive sign-in logs
The NonInteractiveUserSIgnInLogs
are sign-ins done on behalf of a user, such as by a client app. The device or client uses a token or code to authenticate or access a resource on behalf of a user. For more information, see Non-interactive user sign-ins.
Service principal sign-in logs
If you need to review sign-in activity for apps or service principals, the ServicePrincipalSignInLogs
might be a good option. In these scenarios, certificates or client secrets are used for authentication. For more information, see Service principal sign-ins.
Managed identity sign-in logs
The ManagedIdentitySignInLogs
provide similar insights as the service principal sign-in logs, but for managed identities, where Azure manages the secrets. For more information, see Managed identity sign-ins.
AD FS sign-in logs
Sign-in activity for Active Directory Federated Services (AD FS) applications are captured in this Usage and insight reports. You can export the ADFSSignInLogs
report to monitor sign-in activity for AD FS applications. For more information, see AD FS sign-in logs.
Microsoft Graph activity logs
The MicrosoftGraphActivityLogs
provide administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace with SignInLogs
to cross-reference details of token requests for sign-in logs. For more information, see Access Microsoft Graph activity logs.
Remote network health logs
The RemoteNetworkHealthLogs
provide insights into the health of your remote network configured through Global Secure Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources.
Custom security attribute audit logs
The CustomSecurityAttributeAuditLogs
are configured in the Custom security attributes section of diagnostic settings. These logs capture changes to custom security attributes in your Microsoft Entra tenant. To view these logs in the Microsoft Entra audit logs, you need the Attribute Log Reader role. To route these logs to an endpoint, you need the Attribute Log Administrator role and the Security Administrator.