- Article
- 08/26/2022
- 4 minutes to read
In this article, you learn how to find Azure Active Directory (Azure AD) user activity reports in the Azure portal.
Audit logs report
The audit logs report combines several reports around application activities into a single view for context-based reporting. To access the audit logs report:
Navigate to the Azure portal.
Select your directory from the top-right corner, then select the Azure Active Directory blade from the left navigation pane.
Select Audit logs from the Activity section of the Azure Active Directory blade.
The audit logs report consolidates the following reports:
- Audit report
- Password reset activity
- Password reset registration activity
- Self-service groups activity
- Office365 Group Name Changes
- Account provisioning activity
- Password rollover status
- Account provisioning errors
Filtering on audit logs
You can use advanced filtering in the audit report to access a specific category of audit data, by specifying it in the Category filter. For example, to view all activities related to users, select the UserManagement category.
Categories include:
- All
- AdministrativeUnit
- ApplicationManagement
- Authentication
- Authorization
- Contact
- Device
- DeviceConfiguration
- DirectoryManagement
- EntitlementManagement
- GroupManagement
- Other
- Policy
- ResourceManagement
- RoleManagement
- UserManagement
You can also filter on a specific service using the Service dropdown filter. For example, to get all audit events related to self-service password management, select the Self-service Password Management filter.
Services include:
- All
- Access Reviews
- Account Provisioning
- Application SSO
- Authentication Methods
- B2C
- Conditional Access
- Core Directory
- Entitlement Management
- Identity Protection
- Invited Users
- PIM
- Self-service Group Management
- Self-service Password Management
- Terms of Use
Sign-ins report
The Sign-ins view includes all user sign-ins, as well as the Application Usage report. You also can view application usage information in the Manage section of the Enterprise applications overview.
To access the sign-ins report:
Navigate to the Azure portal.
Select your directory from the top-right corner, then select the Azure Active Directory blade from the left navigation pane.
Select Signins from the Activity section of the Azure Active Directory blade.
Filtering on application name
You can use the sign-ins report to view details about application usage, by filtering on user name or application name.
Security reports
Anomalous activity reports
Anomalous activity reports provide information on security-related risk detections that Azure AD can detect and report on.
The following table lists the Azure AD anomalous activity security reports, and corresponding risk detection types in the Azure portal. For more information, see Azure Active Directory risk detections.
Users with leaked credentials | Leaked credentials |
Irregular sign-in activity | Impossible travel to atypical locations |
Sign-ins from possibly infected devices | Sign-ins from infected devices |
Sign-ins from unknown sources | Sign-ins from anonymous IP addresses |
Sign-ins from IP addresses with suspicious activity | Sign-ins from IP addresses with suspicious activity |
- | Sign-ins from unfamiliar locations |
The following Azure AD anomalous activity security reports are not included as risk detections in the Azure portal:
- Sign-ins after multiple failures
- Sign-ins from multiple geographies
Detected risk detections
You can access reports about detected risk detections in the Security section of the Azure Active Directory blade in the Azure portal. Detected risk detections are tracked in the following reports:
Users at risk
Risky sign-ins
Troubleshoot issues with activity reports
Missing data in the downloaded activity logs
Symptoms
I downloaded the activity logs (audit or sign-ins) and I don’t see all the records for the time I chose. Why?
Cause
When you download activity logs in the Azure portal, we limit the scale to 250000 records, sorted by most recent first.
Resolution
You can leverage Azure AD Reporting APIs to fetch up to a million records at any given point.
Missing audit data for recent actions in the Azure portal
Symptoms
I performed some actions in the Azure portal and expected to see the audit logs for those actions in the Activity logs > Audit Logs blade, but I can’t find them.
Cause
Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.
Directory audit | 2 mins | 5 mins |
Sign-in activity | 2 mins | 5 mins |
Resolution
Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.
Missing logs for recent user sign-ins in the Azure AD sign-ins activity log
Symptoms
I recently signed into the Azure portal and expected to see the sign-in logs for those actions in the Activity logs > Sign-ins blade, but I can’t find them.
Cause
Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.
Directory audit | 2 mins | 5 mins |
Sign-in activity | 2 mins | 5 mins |
Resolution
Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.
I can't view more than 30 days of report data in the Azure portal
Symptoms
I can't view more than 30 days of sign-in and audit data from the Azure portal. Why?
Cause
Depending on your license, Azure Active Directory Actions stores activity reports for the following durations:
Directory Audit | 7 days | 30 days | 30 days |
Sign-in Activity | Not available. You can access your own sign-ins for 7 days from the individual user profile blade | 30 days | 30 days |
For more information, see Azure Active Directory report retention policies.
Resolution
You have two options to retain the data for longer than 30 days. You can use the Azure AD Reporting APIs to retrieve the data programmatically and store it in a database. Alternatively, you can integrate audit logs into a third party SIEM system like Splunk or SumoLogic.
Next steps
- Audit logs overview
- Sign-ins overview
- Risky events overview