解释 Azure Monitor 中的 Azure AD 登录日志架构

本文介绍 Azure Monitor 中的 Azure Active Directory (Azure AD) 登录日志架构。 与登录相关的大部分信息在 对象的 Properties 属性下 提供。

{
  "time": "2019-03-12T16:02:15.5522137Z",
  "resourceId": "/tenants/<TENANT ID>/providers/Microsoft.aadiam",
  "operationName": "Sign-in activity",
  "operationVersion": "1.0",
  "category": "SignInLogs",
  "tenantId": "<TENANT ID>",
  "resultType": "50140",
  "resultSignature": "None",
  "resultDescription": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
  "durationMs": 0,
  "callerIpAddress": "<CALLER IP ADDRESS>",
  "correlationId": "a75a10bd-c126-486b-9742-c03110d36262",
  "identity": "Timothy Perkins",
  "Level": 4,
  "location": "US",
  "properties": 
       {
    "id": "0231f922-93fa-4005-bb11-b344eca03c01",
    "createdDateTime": "2019-03-12T16:02:15.5522137+00:00",
    "userDisplayName": "Timothy Perkins",
    "userPrincipalName": "<USER PRINCIPAL NAME>",
    "userId": "<USER ID>",
    "appId": "<APPLICATION ID>",
    "appDisplayName": "Azure Portal",
    "ipAddress": "<IP ADDRESS>",
    "status": {
      "errorCode": 50140,
      "failureReason": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
    },
    "clientAppUsed": "Browser",
    "userAgent": "<USER AGENT>",
    "deviceDetail":
   {
     "deviceId": "8bfcb982-6856-4402-924c-ada2486321cc",
     "operatingSystem": "Windows 10",
     "browser": "Chrome 72.0.3626"
     },
    "location":
    {
      "city": "Bellevue",
      "state": "Washington",
      "countryOrRegion": "US",
      "geoCoordinates": 
     {
        "latitude": 45,
        "longitude": 122
      }
    },
    "correlationId": "a75a10bd-c126-486b-9742-c03110d36262",
    "conditionalAccessStatus": "notApplied",
    "appliedConditionalAccessPolicies": [
      {
        "id": "ae11ffaa-9879-44e0-972c-7538fd5c4d1a",
        "displayName": "HR app access policy",
        "enforcedGrantControls": [
          "Mfa"
        ],
        "enforcedSessionControls": [],
        "result": "notApplied",
        "conditionsSatisfied": 0,
        "conditionsNotSatisfied": 0
      },
      {
        "id": "b915a70b-2eee-47b6-85b6-ff4f4a66256d",
        "displayName": "MFA for all but global support access",
        "enforcedGrantControls": [],
        "enforcedSessionControls": [],
        "result": "notEnabled",
        "conditionsSatisfied": 0,
        "conditionsNotSatisfied": 0
      },
      {
        "id": "830f27fa-67a8-461f-8791-635b7225caf1",
        "displayName": "Header Based Application Control",
        "enforcedGrantControls": [
          "Mfa"
        ],
        "enforcedSessionControls": [],
        "result": "notApplied",
        "conditionsSatisfied": 0,
        "conditionsNotSatisfied": 0
      },
      {
        "id": "8ed8d7f7-0a2e-437b-b512-9e47bed562e6",
        "displayName": "MFA for everyones",
        "enforcedGrantControls": [],
        "enforcedSessionControls": [],
        "result": "notEnabled",
        "conditionsSatisfied": 0,
        "conditionsNotSatisfied": 0
      },
      {
        "id": "52924e0f-798b-4afd-8c42-49055c7d6395",
        "displayName": "Device compliant",
        "enforcedGrantControls": [],
        "enforcedSessionControls": [],
        "result": "notEnabled",
        "conditionsSatisfied": 0,
        "conditionsNotSatisfied": 0
      }
    ],
    "originalRequestId": "f2f0a254-f831-43b9-bcb0-2646fb645c00",
    "isInteractive": true,
    "authenticationProcessingDetails": [
      {
        "key": "Login Hint Present",
        "value": "True"
      }
    ],
    "networkLocationDetails": [],
    "processingTimeInMilliseconds": 238,
    "riskDetail": "none",
    "riskLevelAggregated": "none",
    "riskLevelDuringSignIn": "none",
    "riskState": "none",
    "riskEventTypes": [],
    "riskEventTypes_v2": [],
    "resourceDisplayName": "Office 365 SharePoint Online",
    "resourceId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceTenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "homeTenantId": "<USER HOME TENANT ID>",
    "tokenIssuerName": "",
    "tokenIssuerType": "AzureAD",
    "authenticationDetails": [
      {
        "authenticationStepDateTime": "2019-03-12T16:02:15.5522137+00:00",
        "authenticationMethod": "Previously satisfied",
        "succeeded": true,
        "authenticationStepResultDetail": "First factor requirement satisfied by claim in the token",
        "authenticationStepRequirement": "Primary authentication",
        "StatusSequence": 0,
        "RequestSequence": 0
      },
      {
        "authenticationStepDateTime": "2021-08-12T15:48:12.8677211+00:00",
        "authenticationMethod": "Previously satisfied",
        "succeeded": true,
        "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token",
        "authenticationStepRequirement": "Multi-factor authentication"
      }
    ],
    "authenticationRequirementPolicies": [
      {
        "requirementProvider": "multiConditionalAccess",
        "detail": "Conditional Access"
      }
    ],
    "authenticationRequirement": "multiFactorAuthentication",
    "alternateSignInName": "<ALTERNATE SIGN IN>",
    "signInIdentifier": "<SIGN IN IDENTIFIER>",
    "servicePrincipalId": "",
    "userType": "Member",
    "flaggedForReview": false,
    "isTenantRestricted": false,
    "autonomousSystemNumber": 8000,
    "crossTenantAccessType": "none",
    "privateLinkDetails": {},
    "ssoExtensionVersion": ""
    }
}

字段说明

字段名称 密钥 说明
时间 - 日期和时间 (UTC)。
ResourceId - 此值未映射,可以放心地忽略此字段。
OperationName - 对于登录,此值始终为“登录活动”。
OperationVersion - 客户端请求的 REST API 版本。
Category - 对于登录,此值始终为“登录”。
TenantId - 与日志关联的租户 GUID。
ResultType - 登录操作的结果可能是成功 0 或错误 0 失败。
ResultSignature - 此值始终为 None。
ResultDescription 空值或空白 提供登录操作的错误说明。
riskDetail riskDetail 提供特定风险用户、风险登录或风险检测状态背后的“原因”。 可能的值有:noneadminGeneratedTemporaryPassworduserPerformedSecuredPasswordChangeuserPerformedSecuredPasswordResetadminConfirmedSigninSafeaiConfirmedSigninSafeuserPassedMFADrivenByRiskBasedPolicyadminDismissedAllRiskForUseradminConfirmedSigninCompromisedunknownFutureValue。 值 none 表示到目前为止尚未对用户或登录执行任何操作。
注意: 此属性的详细信息需要 Azure AD Premium P2 许可证。 其他许可证返回值 hidden
riskEventTypes riskEventTypes 与登录相关的风险检测类型。 可能的值为 unlikelyTravelanonymizedIPAddress :、、、、、、、、、 maliciousIPAddressunfamiliarFeaturesmalwareInfectedIPAddresssuspiciousIPAddressleakedCredentialsinvestigationsThreatIntelligencegenericunknownFutureValue
authProcessingDetails Azure AD 应用身份验证库 包含系列、库和平台信息,格式为:“Family: ADAL Library: ADAL.JS 1.0.0 Platform: JS”
authProcessingDetails IsCAEToken 值为 True 或 False
riskLevelAggregated riskLevel 聚合风险级别。 可能的值有:nonelowmediumhighhiddenunknownFutureValue。 值 hidden 表示用户或登录未启用 Azure AD 标识保护。 注意: 此属性的详细信息仅适用于 Azure AD Premium P2 客户。 所有其他客户将返回 hidden
riskLevelDuringSignIn riskLevel 登录过程中的风险级别。 可能的值有:nonelowmediumhighhiddenunknownFutureValue。 值 hidden 表示用户或登录未启用 Azure AD 标识保护。 注意: 此属性的详细信息仅适用于 Azure AD Premium P2 客户。 所有其他客户将返回 hidden
riskState riskState 风险用户、风险登录或风险检测的报告状态。 可能的值有:noneconfirmedSaferemediateddismissedatRiskconfirmedCompromisedunknownFutureValue
DurationMs - 此值未映射,可以放心地忽略此字段。
CallerIpAddress - 发出请求的客户端的 IP 地址。
CorrelationId - 客户端所传递的可选 GUID。 此值可帮助将客户端操作与服务器端操作关联,并且在跟踪跨服务的日志时非常有用。
标识 - 发出请求时提供的令牌中的标识。 可以是用户帐户、系统帐户或服务主体。
Level - 提供消息的类型。 对于审核,它始终是“信息”。
位置 - 提供登录活动的位置。
属性 - 列出与登录关联的所有属性。

后续步骤