What are the identity logs you can stream to an endpoint?

Using Microsoft Entra diagnostic settings, you can route activity logs to several endpoints for long-term retention and data insights. You select the logs you want to route, then select the endpoint.

This article describes the logs that you can route to an endpoint with Microsoft Entra diagnostic settings.

Log streaming requirements and options

Setting up an endpoint, such as an event hub or storage account, might require different roles and licenses. To create or edit a diagnostic setting, you need a user who's a Security Administrator for the Microsoft Entra tenant.

To help decide which log routing option is best for you, see How to access activity logs. The overall process and requirements for each endpoint type are covered in the following articles:

Activity log options

The following logs can be routed to an endpoint for storage, analysis, or monitoring.

Audit logs

The AuditLogs report captures changes to applications, groups, users, and licenses in your Microsoft Entra tenant. Once you've routed your audit logs, you can filter or analyze by date/time, the service that logged the event, and who made the change. For more information, see Audit logs.

Sign-in logs

The SignInLogs send the interactive sign-in logs, which are logs generated by your users signing in. Sign-in logs are generated when users provide their username and password on a Microsoft Entra sign-in screen or when they pass an MFA challenge. For more information, see Interactive user sign-ins.

Non-interactive sign-in logs

The NonInteractiveUserSignInLogs are sign-ins done on behalf of a user, such as by a client app. The device or client uses a token or code to authenticate or access a resource on behalf of a user. For more information, see Non-interactive user sign-ins.

Service principal sign-in logs

If you need to review sign-in activity for apps or service principals, the ServicePrincipalSignInLogs might be a good option. In these scenarios, certificates or client secrets are used for authentication. For more information, see Service principal sign-ins.

Managed identity sign-in logs

The ManagedIdentitySignInLogs provide similar insights as the service principal sign-in logs, but for managed identities, where Azure manages the secrets. For more information, see Managed identity sign-ins.

AD FS sign-in logs

Sign-in activity for Active Directory Federation Services (AD FS) applications is captured in the Usage and insights reports. You can export the ADFSSignInLogs report to monitor sign-in activity for AD FS applications. For more information, see AD FS sign-in logs.

Microsoft Graph activity logs

The MicrosoftGraphActivityLogs give administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace as SignInLogs to cross-reference details of token requests for sign-in logs. For more information, see Access Microsoft Graph activity logs (preview).
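The following sketch is an added example, not Microsoft's code. It shows the cross-reference described above on exported records: Graph requests are grouped by the token that made them, matched to the sign-in that issued the token, and flagged when the call volume is high. The records are constructed and reduced to a few fields. The key names (SignInActivityId, UniqueTokenIdentifier, UserPrincipalName, AppId, RequestUri) follow the Log Analytics column names and are assumptions to check against your own export schema, as is the threshold of 25 calls.

```python
from collections import Counter

# Sign-in categories from this article whose records identify the issued token.
SIGN_IN_CATEGORIES = {"SignInLogs", "NonInteractiveUserSignInLogs",
                      "ServicePrincipalSignInLogs", "ManagedIdentitySignInLogs"}


def build_sample():
    """Constructed records, reduced to the fields this example needs."""
    records = [
        {"category": "SignInLogs", "UniqueTokenIdentifier": "tok-A",
         "UserPrincipalName": "alice@contoso.example"},
        {"category": "NonInteractiveUserSignInLogs", "UniqueTokenIdentifier": "tok-B",
         "UserPrincipalName": "bob@contoso.example"},
    ]
    # tok-A: 3 calls; tok-B: 40 calls; tok-C: its sign-in category was not routed.
    for token, n in (("tok-A", 3), ("tok-B", 40), ("tok-C", 2)):
        records += [{"category": "MicrosoftGraphActivityLogs",
                     "SignInActivityId": token, "AppId": "app-" + token[-1],
                     "RequestUri": "/v1.0/users"}] * n
    return records


def correlate(records, volume_threshold=25):
    """Attach each Graph token's sign-in record and flag high call volumes."""
    sign_ins = {r["UniqueTokenIdentifier"]: r for r in records
                if r["category"] in SIGN_IN_CATEGORIES}
    calls = Counter(r["SignInActivityId"] for r in records
                    if r["category"] == "MicrosoftGraphActivityLogs")
    findings = []
    for token, count in calls.most_common():  # busiest tokens first
        sign_in = sign_ins.get(token)  # None when no routed sign-in matches
        findings.append({
            "token": token,
            "calls": count,
            "user": sign_in["UserPrincipalName"] if sign_in else None,
            "sign_in_category": sign_in["category"] if sign_in else None,
            "high_volume": count >= volume_threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(build_sample()):
        print(finding)
```

A finding with no matching sign-in usually means the category that holds that sign-in was not selected in the diagnostic setting, so the Graph requests cannot be attributed from the routed data alone.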

Remote network health logs

The RemoteNetworkHealthLogs provide insights into the health of your remote network configured through Global Secure Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources.

Custom security attribute audit logs

The CustomSecurityAttributeAuditLogs are configured in the Custom security attributes section of diagnostic settings. These logs capture changes to custom security attributes in your Microsoft Entra tenant. To view these logs in the Microsoft Entra audit logs, you need the Attribute Log Reader role. To route these logs to an endpoint, you need the Attribute Log Administrator role and the Security Administrator role.