Azure AD Logs
Azure Active Directory has three different activity log types which each contain different sets of information. All of the logs are available through the Azure Active Directory portal.
- Sign-ins – Information about sign-ins and how your resources are used by your users.
- Audit – Information about changes applied to your tenant such as users and group management or updates applied to your tenant’s resources.
- Provisioning – Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
Log retention and availability
Logs are available for 30 days inside the Azure AD with a Premium subscription (P1 or P2) https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention
Permission requirements for accessing Azure AD logs
To access Azure AD logs, you need to be one of the following:
-
A global administrator
-
A user in one of the following roles:
- Security administrator
- Security reader
- Global reader
- Report reader
Downloading logs
All logs needed are available in the Azure portal. Once in the Azure portal, go to the Azure Active Directory menu, from there you can open the logs in the Monitoring section.
-
Reference: How to download logs
Sign-in logs
The following steps will walk you through downloading the Sign-in logs. For more details, please refer to Microsoft’s Documentation on Sign-in Logs.
-
Reference: Sign-in Logs
Steps for downloading sign-in logs
-
Go to URL
-
Select date range
-
Click on Date and enter a date range that covers 30 days and click Apply
-
-
Download CSV
-
Click on Download and then Download CSV
-
-
Download each of the files and save them to a folder on your computer. These are the files that will be shared with Oort.
Audit logs
The following steps will walk you through downloading the Audit logs. For more details, please refer to Microsoft’s Documentation on Audit Logs.
-
Reference: Audit Logs
Steps for downloading audit logs
-
Go to URL
-
Select date range
-
Click on Date and enter a date range that covers 30 days and click Apply
-
-
Download CSV
-
Click on Download
-
-
Download the files and save to a folder on your computer. This file will be shared with Oort.
Provisioning logs
The following steps will walk you through downloading the Provisioning logs. For more details, please refer to Microsoft’s Documentation on Provisioning Logs.
-
Reference: Provisioning Logs
Steps for downloading provisioning logs
-
Go to URL
-
Select date range
-
Click on Date and enter a date range that covers 30 days and click Apply
-
-
Download CSV
-
Click on Download and then Download CSV
-
-
Download each of the files and save to a folder on your computer. These are the files that will be shared with Oort.