Sign-in activity reports in the Azure Active Directory portal

The reporting architecture in Azure Active Directory (Azure AD) consists of the following components:

  • Activity
    • Sign-ins - Information about the usage of managed applications and user sign-in activities.
    • Audit logs - Audit logs provide system activity information about users and group management, managed applications, and directory activities.

This article gives you an overview of the sign-ins report.

Prerequisites

Who can access the data?

  • Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles
  • Global Administrators
  • Any user (non-admins) can access their own sign-ins

What Azure AD license do you need to access sign-in activity?

The sign-in activity report is available in all editions of Azure AD and can also be accessed through the Microsoft Graph API.

Sign-ins report

The user sign-ins report provides answers to the following questions:

  • What is the sign-in pattern of a user?
  • How many users have signed in over a week?
  • What’s the status of these sign-ins?

On the Azure portal menu, select Azure Active Directory, or search for and select Azure Active Directory from any page.

Under Monitoring, select Sign-ins to open the Sign-ins report.

It may take up to two hours for some sign-in records to show up in the portal.

Important

The sign-ins report only displays the interactive sign-ins, that is, sign-ins where a user manually signs in using their username and password. Non-interactive sign-ins, such as service-to-service authentication, are not displayed in the sign-ins report.

A sign-ins log has a default list view that shows:

  • The sign-in date
  • The related user
  • The application the user has signed in to
  • The sign-in status
  • The status of the risk detection
  • The status of the multi-factor authentication (MFA) requirement

You can customize the list view by clicking Columns in the toolbar.

The Columns dialog gives you access to the selectable attributes. In a sign-in report, you can't use a field that has more than one value for a given sign-in request as a column. This is, for example, true for authentication details, conditional access data and network location.

Select an item in the list view to get more detailed information.

Note

Customers can now troubleshoot Conditional Access policies through all sign-in reports. By clicking on the Conditional Access tab for a sign-in record, customers can review the Conditional Access status and dive into the details of the policies that applied to the sign-in and the result for each policy.

Filter sign-in activities

First, narrow down the reported data to a level that works for you. Second, filter sign-ins data using the date field as the default filter. Azure AD provides you with a broad range of additional filters you can set:

Request ID - The ID of the request you care about.

User - The name or the user principal name (UPN) of the user you care about.

Application - The name of the target application.

Status - The sign-in status you care about:

  • Success

  • Failure

  • Interrupted

IP address - The IP address of the device used to connect to your tenant.

Location - The location the connection was initiated from:

  • City

  • State / Province

  • Country/Region

Resource - The name of the service used for the sign-in.

Resource ID - The ID of the service used for the sign-in.

Client app - The type of the client app used to connect to your tenant:

| Name | Modern authentication | Description |
| --- | --- | --- |
| Authenticated SMTP | | Used by POP and IMAP clients to send email messages. |
| Autodiscover | | Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online. |
| Exchange ActiveSync | | This filter shows all sign-in attempts where the EAS protocol has been attempted. |
| Browser | ✓ | Shows all sign-in attempts from users using web browsers. |
| Exchange ActiveSync | | Shows all sign-in attempts from users with client apps using Exchange ActiveSync to connect to Exchange Online. |
| Exchange Online PowerShell | | Used to connect to Exchange Online with remote PowerShell. If you block basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication. |
| Exchange Web Services | | A programming interface that's used by Outlook, Outlook for Mac, and third-party apps. |
| IMAP4 | | A legacy mail client using IMAP to retrieve email. |
| MAPI over HTTP | | Used by Outlook 2010 and later. |
| Mobile apps and desktop clients | ✓ | Shows all sign-in attempts from users using mobile apps and desktop clients. |
| Offline Address Book | | A copy of address list collections that are downloaded and used by Outlook. |
| Outlook Anywhere (RPC over HTTP) | | Used by Outlook 2016 and earlier. |
| Outlook Service | | Used by the Mail and Calendar app for Windows 10. |
| POP3 | | A legacy mail client using POP3 to retrieve email. |
| Reporting Web Services | | Used to retrieve report data in Exchange Online. |
| Other clients | | Shows all sign-in attempts from users where the client app is not included or unknown. |

Operating system - The operating system running on the device used to sign in to your tenant.

Device browser - If the connection was initiated from a browser, this field enables you to filter by browser name.

Correlation ID - The correlation ID of the activity.

Conditional access - The status of the applied conditional access rules:

  • Not applied: No policy applied to the user and application during sign-in.

  • Success: One or more conditional access policies applied to the user and application (but not necessarily the other conditions) during sign-in.

  • Failure: The sign-in satisfied the user and application condition of at least one Conditional Access policy and grant controls are either not satisfied or set to block access.

Download sign-in activities

Click the Download option to create a CSV or JSON file of the most recent 250,000 records. Start by downloading the sign-ins data if you want to work with it outside the Azure portal.

Important

The number of records you can download is constrained by the Azure Active Directory report retention policies.
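
As an added example (not part of the original article or any Microsoft tooling), the following Python sketch reviews a downloaded JSON export outside the portal: it counts sign-ins from client apps that the client app table does not mark as modern authentication, and lists sign-ins whose Conditional Access status is Failure. The field names (`clientAppUsed`, `status.errorCode`, `conditionalAccessStatus`, `userPrincipalName`) are an assumption taken from the Microsoft Graph signIn resource, and the sample records are constructed.

```python
import json
from collections import Counter

# Client apps the table on this page marks as using modern authentication.
MODERN_AUTH_CLIENTS = {"browser", "mobile apps and desktop clients"}

# Constructed sample export. Field names are an assumption: they follow the
# Microsoft Graph signIn resource; adjust them to match your downloaded file.
SAMPLE_EXPORT = json.dumps([
    {"id": "r1", "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"id": "r2", "userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
    {"id": "r3", "userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"},
    {"id": "r4", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure"},
    {"id": "r5", "userPrincipalName": "dave@example.com", "clientAppUsed": "",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"},
])


def client_app(record):
    """Return the client app name; empty or missing maps to 'Other clients'."""
    return (record.get("clientAppUsed") or "").strip() or "Other clients"


def review_sign_ins(export_text):
    """Summarise legacy-authentication use and Conditional Access failures."""
    legacy_counts = Counter()
    legacy_successes, ca_failures = [], []
    for rec in json.loads(export_text):
        app = client_app(rec)
        # Assumption: errorCode 0 in the status object means the sign-in succeeded.
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        if app.lower() not in MODERN_AUTH_CLIENTS:
            legacy_counts[(rec.get("userPrincipalName"), app)] += 1
            if succeeded:
                legacy_successes.append(rec["id"])
        if rec.get("conditionalAccessStatus") == "failure":
            ca_failures.append(rec["id"])
    return {"legacy_counts": dict(legacy_counts),
            "legacy_successes": legacy_successes,
            "ca_failures": ca_failures}


if __name__ == "__main__":
    for key, value in review_sign_ins(SAMPLE_EXPORT).items():
        print(key, value)
```

Successful sign-ins over a legacy client app are the ones to review first, because those protocols are the ones affected if you block basic authentication.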

Sign-ins data shortcuts

Azure AD and the Azure portal both provide you with additional entry points to sign-ins data:

  • The Identity security protection overview
  • Users
  • Groups
  • Enterprise applications

Users sign-ins data in Identity security protection

The user sign-in graph in the Identity security protection overview page shows weekly aggregations of sign-ins. The default for the time period is 30 days.

When you click on a day in the sign-in graph, you get an overview of the sign-in activities for this day.

Each row in the sign-in activities list shows:

  • Who has signed in?
  • What application was the target of the sign-in?
  • What is the status of the sign-in?
  • What is the MFA status of the sign-in?

By clicking an item, you get more details about the sign-in operation:

  • User ID
  • User
  • Username
  • Application ID
  • Application
  • Client
  • Location
  • IP address
  • Date
  • MFA Required
  • Sign-in status

Note

IP addresses are issued in such a way that there is no definitive connection between an IP address and where the computer with that address is physically located. Mapping IP addresses is complicated by the fact that mobile providers and VPNs issue IP addresses from central pools that are often very far from where the client device is actually used. Currently in Azure AD reports, converting IP address to a physical location is a best effort based on traces, registry data, reverse lookups and other information.

On the Users page, you get a complete overview of all user sign-ins by clicking Sign-ins in the Activity section.

Usage of managed applications

With an application-centric view of your sign-in data, you can answer questions such as:

  • Who is using my applications?
  • What are the top three applications in your organization?
  • How is my newest application doing?

The entry point to this data is the top three applications in your organization. The data is contained within the last 30 days report in the Overview section under Enterprise applications.

The app-usage graph shows weekly aggregations of sign-ins for your top three applications in a given time period. The default for the time period is 30 days.

If you want to, you can set the focus on a specific application.

When you click on a day in the app usage graph, you get a detailed list of the sign-in activities.

The Sign-ins option gives you a complete overview of all sign-in events to your applications.

Office 365 activity logs

You can view Office 365 activity logs from the Microsoft 365 admin center. Consider that Office 365 activity and Azure AD activity logs share a significant number of the directory resources. Only the Microsoft 365 admin center provides a full view of the Office 365 activity logs.

You can also access the Office 365 activity logs programmatically by using the Office 365 Management APIs.
