How to customize and filter identity activity logs
Sign-in logs are a commonly used tool to troubleshoot user access issues and investigate risky sign-in activity. Audit logs collect every logged event in Microsoft Entra ID and can be used to investigate changes to your environment. There are over 30 columns you can choose from to customize your view of the sign-in logs in the Microsoft Entra admin center. Audit logs can also be customized and filtered for your needs.
This article shows you how to customize the columns and then filter the logs to find the information you need more efficiently.
Prerequisites
The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance. For a full list of roles, see Least privileged roles by task.
Log / Report | Roles | Licenses |
---|---|---|
Audit logs | Reports Reader, Security Reader, Security Administrator | All editions of Microsoft Entra ID |
Sign-in logs | Reports Reader, Security Reader, Security Administrator | All editions of Microsoft Entra ID |
Custom security attribute audit logs* | Attribute Log Administrator, Attribute Log Reader | All editions of Microsoft Entra ID |
Health | Reports Reader, Security Reader, Helpdesk Administrator | Microsoft Entra ID P1 or P2 |
Microsoft Graph activity logs | Security Administrator, Permissions to access data in the corresponding log destination | Microsoft Entra ID P1 or P2 |
Usage and insights | Reports Reader, Security Reader, Security Administrator | Microsoft Entra ID P1 or P2 |
*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.
How to access the activity logs in the Microsoft Entra admin center
You can always access your own sign-in history at https://mysignins.windowsazure.cn. You can also access the sign-in logs from Users and Enterprise applications in Microsoft Entra ID.
Tip
Steps in this article might vary slightly based on the portal you start from.
- Sign in to the Microsoft Entra admin center as at least a Reports Reader.
- Browse to Identity > Monitoring & health > Audit logs/Sign-in logs.
With the information in the Microsoft Entra audit logs, you can access all records of system activities for compliance purposes. Audit logs can be accessed from the Monitoring and health section of Microsoft Entra ID, where you can sort and filter on every category and activity. You can also access audit logs in the area of the admin center for the service you're investigating.
For example, if you're looking into changes to Microsoft Entra groups, you can access the Audit logs from Microsoft Entra ID > Groups. When you access the audit logs from the service, the filter is automatically adjusted according to the service.
Customize the layout of the audit logs
You can customize the columns in the audit logs to view only the information you need. The Service, Category and Activity columns are related to each other, so these columns should always be visible.
Filter the audit logs
When you filter the logs by Service, the Category and Activity details automatically change. In some cases, there might only be one Category or Activity. For a detailed table of all potential combinations of these details, see Audit activities.
Service: Defaults to all available services, but you can filter the list to one or more by selecting an option from the dropdown list.
Category: Defaults to all categories, but can be filtered to view the category of activity, such as changing a policy or activating an eligible Microsoft Entra role.
Activity: Based on the category and activity resource type selection you make. You can select a specific activity you want to see or choose all.
You can get the list of all Audit Activities using the Microsoft Graph API:
https://graph.chinacloudapi.cn/<tenantdomain>/activities/auditActivityTypesV2?api-version=beta
Status: Allows you to filter results based on whether the activity was a success or failure.
Target: Allows you to search for the target or recipient of an activity. Search by the first few letters of a name or user principal name (UPN). The target name and UPN are case-sensitive.
Initiated by: Allows you to search by who initiated the activity using the first few letters of their name or UPN. The name and UPN are case-sensitive.
Date range: Enables you to define a timeframe for the returned data. You can search the last 7 days, 24 hours, or a custom range. When you select a custom timeframe, you can configure a start time and an end time.
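The same filters can be applied offline to exported audit records. The following is an added example, not code from this article or from Microsoft: it assumes the records are JSON objects shaped like the Microsoft Graph directoryAudit resource, and the sample data and the `filter_audit` helper are constructed for illustration. It reproduces the case-sensitive prefix matching described for Target and Initiated by, and it covers activities initiated by an app rather than a user.

```python
from datetime import datetime

# Constructed sample records, shaped like Microsoft Graph directoryAudit objects.
SAMPLE = [
    {"activityDateTime": "2024-05-01T09:15:00Z", "loggedByService": "Core Directory",
     "category": "GroupManagement", "activityDisplayName": "Add member to group",
     "result": "success",
     "initiatedBy": {"user": {"displayName": "Alice Admin",
                              "userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Finance", "userPrincipalName": None}]},
    {"activityDateTime": "2024-05-02T22:40:00Z", "loggedByService": "Core Directory",
     "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "result": "failure",
     "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
     "targetResources": [{"displayName": "Bob User",
                          "userPrincipalName": "Bob@contoso.example"}]},
]

def _ts(value):
    # Parse an ISO 8601 UTC timestamp such as 2024-05-01T09:15:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _prefix(values, prefix):
    # Case-sensitive prefix match, as the page states for Target and Initiated by.
    return any(v.startswith(prefix) for v in values if v)

def filter_audit(records, service=None, category=None, activity=None, status=None,
                 target=None, initiated_by=None, start=None, end=None):
    """Return the records that pass every filter that was supplied."""
    hits = []
    for r in records:
        actor = r.get("initiatedBy") or {}
        user, app = actor.get("user") or {}, actor.get("app") or {}
        actors = [user.get("displayName"), user.get("userPrincipalName"),
                  app.get("displayName")]
        targets = [t.get(k) for t in r.get("targetResources") or []
                   for k in ("displayName", "userPrincipalName")]
        exact = ((service, "loggedByService"), (category, "category"),
                 (activity, "activityDisplayName"), (status, "result"))
        if any(want and r.get(key) != want for want, key in exact):
            continue
        if target and not _prefix(targets, target):
            continue
        if initiated_by and not _prefix(actors, initiated_by):
            continue
        when = _ts(r["activityDateTime"])
        if (start and when < _ts(start)) or (end and when > _ts(end)):
            continue
        hits.append(r)
    return hits
```

Because the match is case-sensitive, `filter_audit(SAMPLE, target="bob")` returns nothing while `target="Bob"` returns the role change, which is worth remembering when a Target or Initiated by search comes back empty during an investigation.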