How to customize and filter identity activity logs

Sign-in logs are a commonly used tool to troubleshoot user access issues and investigate risky sign-in activity. Audit logs collect every logged event in Microsoft Entra ID and can be used to investigate changes to your environment. There are over 30 columns you can choose from to customize your view of the sign-in logs in the Microsoft Entra admin center. Audit logs can also be customized and filtered for your needs.

This article shows you how to customize the columns and then filter the logs to find the information you need more efficiently.

Prerequisites

How to access the activity logs in the Microsoft Entra admin center

You can always access your own sign-in history at https://mysignins.windowsazure.cn. You can also access the sign-in logs from Users and Enterprise applications in Microsoft Entra ID.

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
  2. Browse to Identity > Monitoring & health > Audit logs/Sign-in logs.

With the information in the Microsoft Entra audit logs, you can access all records of system activities for compliance purposes. Audit logs can be accessed from the Monitoring and health section of Microsoft Entra ID, where you can sort and filter on every category and activity. You can also access audit logs in the area of the admin center for the service you're investigating.

Screenshot of the audit logs option on the side menu.

For example, if you're looking into changes to Microsoft Entra groups, you can access the Audit logs from Microsoft Entra ID > Groups. When you access the audit logs from the service, the filter is automatically adjusted according to the service.

Screenshot of the audit logs option from the Groups menu.

Customize the layout of the audit logs

You can customize the columns in the audit logs to view only the information you need. The Service, Category, and Activity columns are related to each other, so these columns should always be visible.

Screenshot of the Columns button on the audit logs.

Filter the audit logs

When you filter the logs by Service, the Category, and Activity details automatically change. In some cases, there might only be one Category or Activity. For a detailed table of all potential combinations of these details, see Audit activities.

Screenshot of the audit log filter with Conditional Access as the service.

  • Service: Defaults to all available services, but you can filter the list to one or more by selecting an option from the dropdown list.

  • Category: Defaults to all categories, but can be filtered to view the category of activity, such as changing a policy or activating an eligible Microsoft Entra role.

  • Activity: Based on the category and activity resource type selection you make. You can select a specific activity you want to see or choose all.

    You can get the list of all Audit Activities using the Microsoft Graph API: https://graph.chinacloudapi.cn/<tenantdomain>/activities/auditActivityTypesV2?api-version=beta

  • Status: Allows you to look at result based on if the activity was a success or failure.

  • Target: Allows you to search for the target or recipient of an activity. Search by the first few letters of a name or user principal name (UPN). The target name and UPN are case-sensitive.

  • Initiated by: Allows you to search by who initiated the activity using the first few letters of their name or UPN. The name and UPN are case-sensitive.

  • Date range: Enables to you to define a timeframe for the returned data. You can search the last 7 days, 24 hours, or a custom range. When you select a custom timeframe, you can configure a start time and an end time.