In this article, you learn how to find Azure Active Directory (Azure AD) user activity reports in the Azure portal.

Audit logs report

The audit logs report combines several reports around application activities into a single view for context-based reporting. To access the audit logs report:
The audit logs report consolidates the following reports:

Filtering on audit logs

You can use advanced filtering in the audit report to access a specific category of audit data, by specifying it in the Category filter. For example, to view all activities related to users, select the UserManagement category. Categories include:
You can also filter on a specific service using the Service dropdown filter. For example, to get all audit events related to self-service password management, select the Self-service Password Management filter. Services include:

Sign-ins report

The Sign-ins view includes all user sign-ins, as well as the Application Usage report. You also can view application usage information in the Manage section of the Enterprise applications overview. To access the sign-ins report:

Filtering on application name

You can use the sign-ins report to view details about application usage, by filtering on user name or application name.

Security reports

Anomalous activity reports

Anomalous activity reports provide information on security-related risk detections that Azure AD can detect and report on. The following table lists the Azure AD anomalous activity security reports, and corresponding risk detection types in the Azure portal. For more information, see Azure Active Directory risk detections.
The following Azure AD anomalous activity security reports are not included as risk detections in the Azure portal:

Detected risk detections

You can access reports about detected risk detections in the Security section of the Azure Active Directory blade in the Azure portal. Detected risk detections are tracked in the following reports:

Troubleshoot issues with activity reports

Missing data in the downloaded activity logs

Symptoms

I downloaded the activity logs (audit or sign-ins) and I don’t see all the records for the time I chose. Why?

Cause

When you download activity logs in the Azure portal, we limit the scale to 250000 records, sorted by most recent first.

Resolution

You can leverage Azure AD Reporting APIs to fetch up to a million records at any given point.

Missing audit data for recent actions in the Azure portal

Symptoms

I performed some actions in the Azure portal and expected to see the audit logs for those actions in the Activity logs > Audit Logs blade, but I can’t find them.

Cause

Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.

Resolution

Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.

Missing logs for recent user sign-ins in the Azure AD sign-ins activity log

Symptoms

I recently signed into the Azure portal and expected to see the sign-in logs for those actions in the Activity logs > Sign-ins blade, but I can’t find them.

Cause

Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.

Resolution

Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.

I can't view more than 30 days of report data in the Azure portal

Symptoms

I can't view more than 30 days of sign-in and audit data from the Azure portal. Why?

Cause

Depending on your license, Azure Active Directory Actions stores activity reports for the following durations:
For more information, see Azure Active Directory report retention policies.

Resolution

You have two options to retain the data for longer than 30 days. You can use the Azure AD Reporting APIs to retrieve the data programmatically and store it in a database. Alternatively, you can integrate audit logs into a third-party SIEM system like Splunk or SumoLogic.
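
One way to apply the resolution above on retaining data past the portal's window (an added example, not Microsoft's code): an incremental collector that pages through audit events, stores them in SQLite, and re-reads the last two hours on every run so events delayed by the latency described earlier are still captured without duplicates. It assumes the Microsoft Graph `auditLogs/directoryAudits` endpoint with `@odata.nextLink` paging, which this page does not name; `fetch_page`, `replay` and `sample_event` are hypothetical helpers and all event data is constructed.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: Microsoft Graph directory audit endpoint with @odata.nextLink paging.
AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"
# Events can take up to two hours to appear, so each run re-reads that much.
OVERLAP = timedelta(hours=2)

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS audit (id TEXT PRIMARY KEY, "
               "activity_time TEXT, category TEXT, raw TEXT)")
    return db

def window_start(db, default):
    """Newest stored event time minus OVERLAP, or `default` on the first run."""
    (latest,) = db.execute("SELECT MAX(activity_time) FROM audit").fetchone()
    if latest is None:
        return default
    newest = datetime.strptime(latest[:19], "%Y-%m-%dT%H:%M:%S")  # drop fraction/Z
    return newest.replace(tzinfo=timezone.utc) - OVERLAP

def collect(db, fetch_page, since):
    """Page through the results from `since`; return the number of new rows."""
    stamp = since.strftime("%Y-%m-%dT%H:%M:%SZ")
    url = f"{AUDIT_URL}?$filter=activityDateTime ge {stamp}"
    added = 0
    while url:
        page = fetch_page(url)  # hypothetical callable: authenticated GET -> dict
        for event in page.get("value", []):
            cur = db.execute(
                "INSERT OR IGNORE INTO audit VALUES (?, ?, ?, ?)",
                (event["id"], event["activityDateTime"], event.get("category"), json.dumps(event)))
            added += cur.rowcount  # 0 when this id was already stored
        db.commit()
        url = page.get("@odata.nextLink")
    return added

def replay(pages, seen_urls):
    """Stand-in for the HTTP client: returns constructed pages in order."""
    queue = list(pages)
    def fetch(url):
        seen_urls.append(url)
        return queue.pop(0)
    return fetch

def sample_event(event_id, when):  # constructed sample event, not tenant data
    return {"id": event_id, "activityDateTime": when, "category": "UserManagement"}
```

In production, `fetch_page` would be an authenticated HTTP GET that URL-encodes the query and returns the parsed JSON body; the database path would point at durable storage rather than `:memory:`.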