How to access activity logs in Microsoft Entra ID
The data collected in your Microsoft Entra logs enables you to assess many aspects of your Microsoft Entra tenant. To cover a broad range of scenarios, Microsoft Entra ID provides you with several options to access your activity log data. As an IT administrator, you need to understand the intended use cases for these options, so that you can select the right access method for your scenario.
You can access Microsoft Entra activity logs and reports using the following methods:
- Stream activity logs to an event hub to integrate with other tools
- Access activity logs through the Microsoft Graph API
- Integrate activity logs with Azure Monitor logs
- Monitor activity in real-time with Microsoft Sentinel
- View activity logs and reports in the Azure portal
- Export activity logs for storage and queries
Each of these methods provides you with capabilities that might align with certain scenarios. This article describes those scenarios, including recommendations and details about related reports that use the data in the activity logs. Explore the options in this article to learn about those scenarios so you can choose the right method.
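As a worked example of the Microsoft Graph API method listed above (added here; it is not code from the original article or from Microsoft), the script below builds a filtered sign-in query, follows `@odata.nextLink` paging, and tallies failed sign-ins per user. It assumes you already hold a Graph access token whose consent includes `AuditLog.Read.All`; the HTTP call is injectable, and the constructed pages in `FAKE_PAGES` stand in for the live endpoint so the paging logic runs offline.

```python
"""Read Microsoft Entra sign-in logs through Microsoft Graph with paging.

Added example; it is not code from the original article or from Microsoft.
It assumes the caller already holds a Graph access token whose consent
includes AuditLog.Read.All (the permission a Privileged Role Administrator
grants for reading sign-in logs). The HTTP call is injectable, so the paging
and counting logic below runs offline against constructed pages.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, Iterator

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def build_signins_url(since: datetime, failed_only: bool = True, top: int = 100) -> str:
    """First-page URL with an OData $filter; Graph wants ISO 8601 UTC timestamps ending in Z."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    clauses = [f"createdDateTime ge {stamp}"]
    if failed_only:
        clauses.append("status/errorCode ne 0")  # a non-zero errorCode is a failed sign-in
    filter_expr = urllib.parse.quote(" and ".join(clauses))
    return f"{GRAPH_SIGNINS}?$filter={filter_expr}&$top={top}"


def filter_from_url(url: str) -> str:
    """Decode the $filter back out of a URL (used to sanity-check the encoding)."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["$filter"][0]


def graph_get(url: str, token: str) -> Dict:
    """Live fetch: one authenticated GET against Graph (needs network and a token)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def iter_records(first_url: str, fetch: Callable[[str], Dict]) -> Iterator[Dict]:
    """Yield every record, following @odata.nextLink until the last page."""
    url = first_url
    visited = set()
    while url:
        if url in visited:  # defensive: never spin on a repeated nextLink
            raise RuntimeError(f"pagination loop at {url}")
        visited.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def failed_signins_by_user(records: Iterable[Dict]) -> Dict[str, int]:
    """Count failed sign-ins per user; works whether or not the server pre-filtered."""
    counts: Dict[str, int] = {}
    for rec in records:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            upn = rec.get("userPrincipalName", "<unknown>")
            counts[upn] = counts.get(upn, 0) + 1
    return counts


# Constructed two-page Graph response (not real tenant data); keys are stand-in URLs.
FAKE_PAGES = {
    "page1": {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
             "status": {"errorCode": 50126}},
            {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
             "status": {"errorCode": 0}},
        ],
        "@odata.nextLink": "page2",
    },
    "page2": {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
             "status": {"errorCode": 50126}},
            {"userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.11",
             "status": {"errorCode": 50074}},
        ],
    },
}

EXAMPLE_URL = build_signins_url(datetime(2024, 1, 1, tzinfo=timezone.utc))


def demo() -> Dict[str, int]:
    """Run the pager over the constructed pages instead of the live endpoint."""
    return failed_signins_by_user(iter_records("page1", FAKE_PAGES.__getitem__))


if __name__ == "__main__":
    print(EXAMPLE_URL)
    print(demo())  # live use: iter_records(EXAMPLE_URL, lambda u: graph_get(u, token))
```

For a live run, pass `lambda u: graph_get(u, token)` as the fetch function instead of `FAKE_PAGES.__getitem__`. Following `@odata.nextLink` matters because Graph returns one page at a time, and the loop guard keeps a malformed or repeating link from turning a collection job into an endless request stream.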
Prerequisites
- A working Microsoft Entra tenant with the appropriate Microsoft Entra license associated with it.
- For a full list of license requirements, see Microsoft Entra monitoring and health licensing.
- Audit logs are available for features that you have licensed.
- Reports Reader is the least privileged role required to access the activity logs.
- Security Administrator is the least privileged role required to configure diagnostic settings.
- To consent to the required permissions to view logs with Microsoft Graph, you need the Privileged Role Administrator role.
- For a full list of roles, see Least privileged role by task.
The required licenses vary based on the monitoring and health capability.
| Capability | Microsoft Entra ID Free | Microsoft Entra ID P1 or P2 / Microsoft Entra Suite |
|---|---|---|
| Audit logs | Yes | Yes |
| Sign-in logs | Yes | Yes |
| Custom security attributes | Yes | Yes |
| Health | No | Yes |
| Microsoft Graph activity logs | No | Yes |
| Usage and insights | No | Yes |
View logs through the Microsoft Entra admin center
For one-off investigations with a limited scope, the Microsoft Entra admin center is often the easiest way to find the data you need. The user interface for each of these reports provides you with filter options enabling you to find the entries you need to solve your scenario.
The data captured in the Microsoft Entra activity logs is used in many reports and services. You can review the sign-in and audit logs for one-off scenarios, or use reports to look at patterns and trends. Microsoft Entra activity logs also populate Usage and insights reports, which provide usage details for your tenant's applications.
Recommended uses
The reports available in the Azure portal provide a wide range of capabilities to monitor activities and usage in your tenant. The following list of uses and scenarios isn't exhaustive, so explore the reports for your needs.
- Research a user's sign-in activity or track an application's usage.
- Review details around group name changes, device registration, and password resets with audit logs.
- Review the sign-in success rate in the Microsoft Entra application activity (preview) report from Usage and insights to ensure that your users can access the applications in use in your tenant.
- Compare the different authentication methods your users prefer with the Authentication methods report from Usage and insights.
Quick steps
Use the following basic steps to access the reports in the Microsoft Entra admin center.
- Browse to Identity > Monitoring & health > Audit logs/Sign-in logs.
- Adjust the filter according to your needs.
Audit logs can be accessed directly from the area of the Microsoft Entra admin center where you're working. For example, if you're in the Groups or Licenses section of Microsoft Entra ID, you can access the audit logs for those specific activities directly from that area. When you access the audit logs in this way, the filter categories are automatically set. If you're in Groups, the audit log filter category is set to GroupManagement.
Stream logs to an event hub to integrate with SIEM tools
Streaming your activity logs to an event hub is required to integrate your activity logs with Security Information and Event Management (SIEM) tools, such as Splunk and SumoLogic. Before you can stream logs to an event hub, you need to set up an Event Hubs namespace and an event hub in your Azure subscription.
Recommended uses
The SIEM tools you can integrate with your event hub can provide analysis and monitoring capabilities. If you're already using these tools to ingest data from other sources, you can stream your identity data for more comprehensive analysis and monitoring. We recommend streaming your activity logs to an event hub for the following types of scenarios:
- You need a big data streaming platform and event ingestion service to receive and process millions of events per second.
- You're looking to transform and store data by using a real-time analytics provider or batching/storage adapters.
Quick steps
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Create an Event Hubs namespace and event hub.
- Browse to Identity > Monitoring & health > Diagnostic settings.
- Choose the logs you want to stream, select the Stream to an event hub option, and complete the fields.
Your independent security vendor should provide you with instructions on how to ingest data from Azure Event Hubs into their tool.
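As an added illustration of what a SIEM-side consumer does with the streamed data (example code; not from the article or from any vendor's connector), the script below parses one Event Hubs message body, routes records by diagnostic category, and flags users whose failed sign-ins cluster inside a short window. It assumes the Azure Monitor diagnostic-log envelope `{"records": [...]}` with top-level `category`, `time` and `resultType` fields and a `properties` object carrying the sign-in details; the message content is constructed, not real tenant output.

```python
"""Process Microsoft Entra diagnostic records pulled from an Event Hubs message.

Added example; it is not code from the original article or from any SIEM
vendor. It assumes the Azure Monitor diagnostic-log envelope {"records": [...]}
with a top-level "category", "time" and "resultType" per record and a
"properties" object carrying the sign-in details; everything below is
constructed test data, not real tenant output.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Event Hubs message body (not real tenant data).
SAMPLE_BODY = json.dumps({"records": [
    {"time": "2024-03-01T08:00:05Z", "category": "SignInLogs", "resultType": "50126",
     "callerIpAddress": "203.0.113.10", "properties": {"userPrincipalName": "alice@contoso.example"}},
    {"time": "2024-03-01T08:00:40Z", "category": "SignInLogs", "resultType": "50126",
     "callerIpAddress": "203.0.113.10", "properties": {"userPrincipalName": "alice@contoso.example"}},
    {"time": "2024-03-01T08:01:10Z", "category": "SignInLogs", "resultType": "50126",
     "callerIpAddress": "203.0.113.10", "properties": {"userPrincipalName": "alice@contoso.example"}},
    {"time": "2024-03-01T08:02:55Z", "category": "SignInLogs", "resultType": "50126",
     "callerIpAddress": "203.0.113.10", "properties": {"userPrincipalName": "alice@contoso.example"}},
    {"time": "2024-03-01T08:03:00Z", "category": "SignInLogs", "resultType": "0",
     "callerIpAddress": "198.51.100.7", "properties": {"userPrincipalName": "bob@contoso.example"}},
    {"time": "2024-03-01T09:00:00Z", "category": "SignInLogs", "resultType": "50126",
     "callerIpAddress": "198.51.100.9", "properties": {"userPrincipalName": "carol@contoso.example"}},
    {"time": "2024-03-01T10:30:00Z", "category": "SignInLogs", "resultType": "50126",
     "callerIpAddress": "198.51.100.9", "properties": {"userPrincipalName": "carol@contoso.example"}},
    {"time": "2024-03-01T12:00:00Z", "category": "SignInLogs", "resultType": "50126",
     "callerIpAddress": "198.51.100.9", "properties": {"userPrincipalName": "carol@contoso.example"}},
    {"time": "2024-03-01T08:05:00Z", "category": "AuditLogs", "resultType": "Success",
     "operationName": "Add member to group",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}}},
]})


def parse_envelope(body: str) -> List[Dict]:
    """Return the records array; a message with no records is valid and yields []."""
    data = json.loads(body)
    records = data.get("records", [])
    if not isinstance(records, list):
        raise ValueError("'records' is not a list")
    return records


def split_by_category(records: List[Dict]) -> Dict[str, List[Dict]]:
    """Route records by diagnostic category (SignInLogs, AuditLogs, ...)."""
    buckets: Dict[str, List[Dict]] = defaultdict(list)
    for rec in records:
        buckets[rec.get("category", "Unknown")].append(rec)
    return dict(buckets)


def failed_signin_bursts(signins: List[Dict], window: timedelta = timedelta(minutes=10),
                         threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` failed sign-ins inside any `window`-long span.

    resultType "0" is success; anything else is a failure code. A sliding
    window over each user's sorted failure timestamps keeps this O(n log n).
    """
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for rec in signins:
        if rec.get("resultType", "0") != "0":
            upn = rec.get("properties", {}).get("userPrincipalName", "<unknown>")
            per_user[upn].append(datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged: Dict[str, int] = {}
    for upn, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[upn] = max(flagged.get(upn, 0), size)
    return flagged


def analyze(body: str) -> Dict:
    """One message in, a summary a SIEM rule could act on out."""
    buckets = split_by_category(parse_envelope(body))
    return {
        "counts": {cat: len(recs) for cat, recs in buckets.items()},
        "bursts": failed_signin_bursts(buckets.get("SignInLogs", [])),
        "audit_operations": [r.get("operationName") for r in buckets.get("AuditLogs", [])],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_BODY), indent=2))
```

In the constructed data only alice is flagged: her four failures land inside three minutes, while carol's three failures are spread over hours and never fit the ten-minute window. Tune `window` and `threshold` to your tenant's baseline before wiring the result into an alert.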
Integrate logs with Azure Monitor logs
With the Azure Monitor logs integration, you can enable rich visualizations, monitoring, and alerting on the connected data. Log Analytics provides enhanced query and analysis capabilities for Microsoft Entra activity logs. To integrate Microsoft Entra activity logs with Azure Monitor logs, you need a Log Analytics workspace. From there, you can run queries through Log Analytics.
Recommended uses
Integrating Microsoft Entra logs with Azure Monitor logs provides a centralized location for querying logs. We recommend integrating logs with Azure Monitor for the following types of scenarios:
- Compare Microsoft Entra sign-in logs with logs published by other Azure services.
- Correlate sign-in logs against Azure Application Insights.
- Query logs using specific search parameters.
Quick steps
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Create a Log Analytics workspace.
- Browse to Identity > Monitoring & health > Diagnostic settings.
- Choose the logs you want to stream, select the Send to Log Analytics workspace option, and complete the fields.
- Browse to Identity > Monitoring & health > Log Analytics and begin querying the data.
Monitor events with Microsoft Sentinel
Sending sign-in and audit logs to Microsoft Sentinel provides your security operations center with near real-time security detection and threat hunting. The term threat hunting refers to a proactive approach to improve the security posture of your environment. As opposed to classic protection, threat hunting tries to proactively identify potential threats that might harm your system. Your activity log data might be part of your threat hunting solution.
Recommended uses
We recommend using the real-time security detection capabilities of Microsoft Sentinel if your organization needs security analytics and threat intelligence. Use Microsoft Sentinel if you need to:
- Collect security data across your enterprise.
- Detect threats with vast threat intelligence.
- Investigate critical incidents guided by AI.
- Respond rapidly and automate protection.
Quick steps
- Learn about the prerequisites, roles, and permissions.
- Estimate potential costs.
- Onboard to Microsoft Sentinel.
- Collect Microsoft Entra data.
- Begin hunting for threats.
Export logs for storage and queries
The right solution for your long-term storage depends on your budget and what you plan on doing with the data. You've got three options:
- Archive logs to Azure Storage
- Download logs for manual storage
- Integrate logs with Azure Monitor logs
Azure Storage is the right solution if you aren't planning on querying your data often. For more information, see Archive directory logs to a storage account.
If you plan to query the logs often to run reports or perform analysis on the stored logs, you should integrate your data with Azure Monitor logs.
If your budget is tight, and you need a cheap method to create a long-term backup of your activity logs, you can manually download your logs. The user interface of the activity logs in the portal provides you with an option to download the data as JSON or CSV. One trade-off of the manual download is that it requires more manual interaction. If you're looking for a more professional solution, use either Azure Storage or Azure Monitor.
Recommended uses
We recommend setting up a storage account to archive your activity logs for those governance and compliance scenarios where long-term storage is required.
If you need long-term storage and also want to run queries against the data, review the section on integrating your activity logs with Azure Monitor logs.
We recommend manually downloading and storing your activity logs if you have budgetary constraints.
Quick steps
Use the following basic steps to archive or download your activity logs.
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Create a storage account.
- Browse to Identity > Monitoring & health > Diagnostic settings.
- Choose the logs you want to stream, select the Archive to a storage account option, and complete the fields.
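For the manual-download route described earlier in this section, here is an added example (not code from the article or from Microsoft) that flattens a JSON download of sign-in logs into CSV with stable dotted column names, so a long-term archive can be searched with ordinary tooling. It assumes the download is a JSON array (or a Graph page with a `value` array) of sign-in objects with nested `status` and `location` fields; the records are constructed, not real data.

```python
"""Flatten a JSON download of Microsoft Entra sign-in logs into CSV for archiving.

Added example; it is not code from the original article or from Microsoft.
It assumes the download is a JSON array of sign-in objects shaped like the
Graph signIn resource (nested "status" and "location" objects), or a Graph
page with a "value" array. The records below are constructed, not real data.
"""
import csv
import io
import json
from typing import Any, Dict, List

# Constructed export (not real tenant data). The second record has no location,
# which happens for some sign-in types and must not break the export.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-03-01T08:00:05Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"},
     "location": {"city": "Dublin", "countryOrRegion": "IE"},
     "conditionalAccessPolicies": [{"displayName": "Require MFA", "result": "notApplied"}]},
    {"createdDateTime": "2024-03-01T08:03:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Teams", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0, "failureReason": "Other."}},
])

COLUMNS = ["createdDateTime", "userPrincipalName", "appDisplayName", "ipAddress",
           "status.errorCode", "status.failureReason", "location.city", "location.countryOrRegion",
           "conditionalAccessPolicies"]


def flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into dotted keys; lists stay as compact JSON so no detail is lost."""
    flat: Dict[str, Any] = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        elif isinstance(value, list):
            flat[name] = json.dumps(value, separators=(",", ":"))
        else:
            flat[name] = "" if value is None else value
    return flat


def to_csv(json_text: str, columns: List[str] = COLUMNS) -> str:
    """Write the selected dotted columns; missing fields become empty cells, extras are dropped."""
    data = json.loads(json_text)
    records = data["value"] if isinstance(data, dict) and "value" in data else data
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(flatten(rec))
    return buf.getvalue()


def read_rows(csv_text: str) -> List[Dict[str, str]]:
    """Read the CSV back (handy for verifying an archive round-trips)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    print(to_csv(SAMPLE_EXPORT))
```

Keeping the column list explicit gives every archived file the same header regardless of which optional fields a given record carries, which is what makes month-old and year-old exports comparable in a spreadsheet or a simple query tool.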