Interpret the Azure AD sign-in logs schema in Azure Monitor

This article describes the Azure Active Directory (Azure AD) sign-in log schema in Azure Monitor. Most of the information that's related to a sign-in is provided under the Properties attribute of the records object; the top-level fields form the common Azure Monitor envelope (time, category, result, caller IP, correlation ID), and Properties repeats several of them with the names used by the Microsoft Graph sign-in resource. The sample record below shows a failed interactive sign-in to the Azure portal from a tenant without Azure AD Identity Protection, which is why the risk fields read hidden.

{ 
    "time": "2019-03-12T16:02:15.5522137Z", 
    "resourceId": "/tenants/<TENANT ID>/providers/Microsoft.aadiam",
    "operationName": "Sign-in activity", 
    "operationVersion": "1.0", 
    "category": "SignInLogs", 
    "tenantId": "<TENANT ID>", 
    "resultType": "50140", 
    "resultSignature": "None", 
    "resultDescription": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", 
    "durationMs": 0, 
    "callerIpAddress": "<CALLER IP ADDRESS>", 
    "correlationId": "a75a10bd-c126-486b-9742-c03110d36262", 
    "identity": "Timothy Perkins", 
    "Level": 4, 
    "location": "US", 
    "properties": 
        {
            "id":"0231f922-93fa-4005-bb11-b344eca03c01",
            "createdDateTime":"2019-03-12T16:02:15.5522137+00:00",
            "userDisplayName":"Timothy Perkins",
            "userPrincipalName":"<USER PRINCIPAL NAME>",
            "userId":"<USER ID>",
            "appId":"<APPLICATION ID>",
            "appDisplayName":"Azure Portal",
            "ipAddress":"<IP ADDRESS>",
            "status":
            {
                "errorCode":50140,
                "failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
            },
            "clientAppUsed":"Browser",
            "deviceDetail":
            {
                "operatingSystem":"Windows 10",
                "browser":"Chrome 72.0.3626"
            },
            "location":
                {
                    "city":"Bellevue",
                    "state":"Washington",
                    "countryOrRegion":"US",
                    "geoCoordinates":
                    {
                        "latitude":45,
                        "longitude":122
                    }
                },
            "correlationId":"a75a10bd-c126-486b-9742-c03110d36262",
            "conditionalAccessStatus":"notApplied",
            "appliedConditionalAccessPolicies":
            [
                {
                    "id":"ae11ffaa-9879-44e0-972c-7538fd5c4d1a",
                    "displayName":"Hr app access policy",
                    "enforcedGrantControls":
                    [
                        "Mfa"
                    ],
                    "enforcedSessionControls":
                    [
                    ],
                    "result":"notApplied"
                },
                {
                    "id":"b915a70b-2eee-47b6-85b6-ff4f4a66256d",
                    "displayName":"MFA for all but global support access",
                    "enforcedGrantControls":[],
                    "enforcedSessionControls":[],
                    "result":"notEnabled"
                },
                {
                    "id":"830f27fa-67a8-461f-8791-635b7225caf1",
                    "displayName":"Header Based Application Control",
                    "enforcedGrantControls":["Mfa"],
                    "enforcedSessionControls":[],
                    "result":"notApplied"
                },
                {
                    "id":"8ed8d7f7-0a2e-437b-b512-9e47bed562e6",
                    "displayName":"MFA for everyones",
                    "enforcedGrantControls":[],
                    "enforcedSessionControls":[],
                    "result":"notEnabled"
                },
                {
                    "id":"52924e0f-798b-4afd-8c42-49055c7d6395",
                    "displayName":"Device compliant",
                    "enforcedGrantControls":[],
                    "enforcedSessionControls":[],
                    "result":"notEnabled"
                }
             ],
            "isInteractive":true,
            "tokenIssuerType":"AzureAD",
            "authenticationProcessingDetails":[],
            "networkLocationDetails":[],
            "processingTimeInMilliseconds":0,
            "riskDetail":"hidden",
            "riskLevelAggregated":"hidden",
            "riskLevelDuringSignIn":"hidden",
            "riskState":"none",
            "riskEventTypes":[],
            "resourceDisplayName":"azure service management api",
            "resourceId":"797f4846-ba00-4fd7-ba43-dac1f8f63013",
            "authenticationMethodsUsed":[]
        }
}

Field descriptions

Field name | Description
Time | The date and time, in UTC.
ResourceId | This value is unmapped, and you can safely ignore this field.
OperationName | For sign-ins, this value is always Sign-in activity.
OperationVersion | The REST API version that's requested by the client.
Category | For sign-ins, this value is always SignInLogs (as in the sample record above).
TenantId | The tenant GUID that's associated with the logs.
ResultType | The result of the sign-in operation: Success or Failure. In the sample record above, the failed sign-in carries the Azure AD error code ("50140") in this field while ResultSignature is "None", so take the numeric code from properties.status.errorCode rather than relying on ResultSignature alone.
ResultSignature | Contains the error code, if any, for the sign-in operation.
ResultDescription | Provides the error description for the sign-in operation.
riskDetail | Provides the reason behind a specific state of a risky user, sign-in, or risk detection. The possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, unknownFutureValue. The value none means that no action has been performed on the user or sign-in so far. Note: Details for this property require an Azure AD Premium P2 license. Other licenses return the value hidden.
riskEventTypes | Risk detection types associated with the sign-in. The possible values are: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, and unknownFutureValue.
riskLevelAggregated | Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection; treat it as "not evaluated", not as "no risk". Note: Details for this property are only available to Azure AD Premium P2 customers. All other customers are returned hidden.
riskLevelDuringSignIn | Risk level during sign-in. The possible values, the meaning of hidden, and the license requirement are the same as for riskLevelAggregated.
riskState | Reports the status of the risky user, sign-in, or risk detection. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue.
DurationMs | This value is unmapped, and you can safely ignore this field.
CallerIpAddress | The IP address of the client that made the request.
CorrelationId | The optional GUID that's passed by the client. This value can help correlate client-side operations with server-side operations, and it's useful when you're tracking logs that span services. The same value appears again as properties.correlationId.
Identity | The identity from the token that was presented when the request was made. It can be a user account, system account, or service principal.
Level | Provides the type of message. For sign-in logs, it's always Informational.
Location | Provides the location of the sign-in activity.
Properties | Lists all the properties that are associated with the sign-in. For more information, see the Microsoft Graph API reference for the sign-in resource. This schema uses the same attribute names as the sign-in resource, for readability.
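The script below is an added example, not code from the original article or from Microsoft. It reads an exported batch of records in the schema above (for example, from a storage-account or Event Hub diagnostic export) and applies the caveats in the field table: success is inferred from properties.status.errorCode being 0 (an assumption this example makes, since the page only shows the failing code 50140), a hidden risk level is reported as "not evaluated" rather than ignored, and an interactive success with conditionalAccessStatus of notApplied is flagged because no policy gated it. Both records are constructed for the example; the first mirrors the page's sample sign-in, the second is invented. The severity labels and the Finding type are the example's own, not part of the schema.

```python
"""Triage Azure AD sign-in records exported from Azure Monitor in the
schema shown above. Added example, not code from the original article."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed sample export (no real tenant data). The first record mirrors
# the page's sample failed sign-in; the second is invented to show a
# successful, high-risk sign-in that no Conditional Access policy covered.
SAMPLE_EXPORT = json.dumps([
    {"time": "2019-03-12T16:02:15.5522137Z", "operationName": "Sign-in activity",
     "category": "SignInLogs", "resultType": "50140", "resultSignature": "None",
     "callerIpAddress": "203.0.113.7", "identity": "Timothy Perkins", "Level": 4,
     "correlationId": "a75a10bd-c126-486b-9742-c03110d36262",
     "properties": {
         "userPrincipalName": "tperkins@contoso.example",
         "appDisplayName": "Azure Portal",
         "status": {"errorCode": 50140,
                    "failureReason": "'Keep me signed in' interrupt"},
         "correlationId": "a75a10bd-c126-486b-9742-c03110d36262",
         "conditionalAccessStatus": "notApplied",
         "appliedConditionalAccessPolicies": [
             {"displayName": "Hr app access policy",
              "enforcedGrantControls": ["Mfa"], "result": "notApplied"}],
         "isInteractive": True,
         "riskLevelDuringSignIn": "hidden", "riskState": "none",
         "resourceDisplayName": "azure service management api"}},
    {"time": "2019-03-12T17:40:02.0000000Z", "operationName": "Sign-in activity",
     "category": "SignInLogs", "resultType": "0", "resultSignature": "None",
     "callerIpAddress": "198.51.100.23", "identity": "Timothy Perkins", "Level": 4,
     "correlationId": "1a2b3c4d-0000-4000-8000-000000000001",
     "properties": {
         "userPrincipalName": "tperkins@contoso.example",
         "appDisplayName": "Azure Portal",
         "status": {"errorCode": 0},
         "correlationId": "1a2b3c4d-0000-4000-8000-000000000002",
         "conditionalAccessStatus": "notApplied",
         "appliedConditionalAccessPolicies": [],
         "isInteractive": True,
         "riskLevelDuringSignIn": "high", "riskState": "atRisk",
         "resourceDisplayName": "azure service management api"}},
])


@dataclass(frozen=True)
class Finding:
    upn: str
    severity: str  # "info" | "medium" | "high" (example's own labels)
    reason: str


def load_export(raw_json: str) -> list[dict]:
    """Parse an exported batch: a JSON array of records in the schema above."""
    return json.loads(raw_json)


def sign_in_outcome(record: dict) -> str:
    """'success' when status.errorCode is 0, otherwise 'failure'.
    Assumption: Azure AD reports errorCode 0 for a successful sign-in."""
    code = record.get("properties", {}).get("status", {}).get("errorCode")
    return "success" if code == 0 else "failure"


def risk_signal(record: dict) -> str:
    """Normalise riskLevelDuringSignIn: 'hidden' means Identity Protection
    (P2) did not evaluate the sign-in, which is not the same as 'none'."""
    level = record.get("properties", {}).get("riskLevelDuringSignIn", "hidden")
    return "unavailable" if level == "hidden" else level


def triage_record(record: dict) -> list[Finding]:
    if record.get("category") != "SignInLogs":
        return []  # not a sign-in record
    props = record.get("properties", {})
    upn = props.get("userPrincipalName", record.get("identity", "?"))
    outcome, risk = sign_in_outcome(record), risk_signal(record)
    findings: list[Finding] = []

    # Envelope and properties carry the same correlationId; a mismatch breaks
    # cross-service correlation and is worth a data-quality flag.
    if record.get("correlationId") != props.get("correlationId"):
        findings.append(Finding(upn, "info", "correlationId mismatch between envelope and properties"))

    if risk == "unavailable":
        findings.append(Finding(upn, "info", "risk fields hidden (no P2 license): risk not evaluated"))
    elif risk in ("medium", "high") and outcome == "success":
        findings.append(Finding(upn, "high", f"{risk}-risk sign-in succeeded to {props.get('resourceDisplayName')}"))

    # An interactive success with no Conditional Access policy applied means
    # no MFA, device or session control gated this access.
    if outcome == "success" and props.get("isInteractive") \
            and props.get("conditionalAccessStatus") == "notApplied":
        findings.append(Finding(upn, "medium", "interactive sign-in succeeded with no Conditional Access policy applied"))

    if outcome == "failure":
        findings.append(Finding(upn, "info", f"failed: AADSTS{props.get('status', {}).get('errorCode')}"))
    return findings


def triage_export(raw_json: str) -> list[Finding]:
    return [f for rec in load_export(raw_json) for f in triage_record(rec)]


if __name__ == "__main__":
    for f in triage_export(SAMPLE_EXPORT):
        print(f"[{f.severity}] {f.upn}: {f.reason}")
```

On the page's own sample the script produces only informational findings (the sign-in failed, and risk was not evaluated); the invented second record produces the high and medium findings. The same checks translate directly to a Log Analytics query over the SigninLogs table, where RiskLevelDuringSignIn, ConditionalAccessStatus and ResultType are top-level columns.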

Next steps