Azure AD Logs

Azure Active Directory has three different activity log types which each contain different sets of information. All of the logs are available through the Azure Active Directory portal.

  • Sign-ins – Information about sign-ins and how your resources are used by your users.
  • Audit – Information about changes applied to your tenant such as users and group management or updates applied to your tenant’s resources.
  • Provisioning – Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.

Log retention and availability

Logs are available for 30 days inside the Azure AD with a Premium subscription (P1 or P2) https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention

Permission requirements for accessing Azure AD logs

To access Azure AD logs, you need to be one of the following:

  • A global administrator

  • A user in one of the following roles:

    • Security administrator
    • Security reader
    • Global reader
    • Report reader

Downloading logs

All logs needed are available in the Azure portal. Once in the Azure portal, go to the Azure Active Directory menu, from there you can open the logs in the Monitoring section.

Sign-in logs

The following steps will walk you through downloading the Sign-in logs. For more details, please refer to Microsoft’s Documentation on Sign-in Logs.

Steps for downloading sign-in logs

Audit logs

The following steps will walk you through downloading the Audit logs. For more details, please refer to Microsoft’s Documentation on Audit Logs.

Steps for downloading audit logs

Provisioning logs

The following steps will walk you through downloading the Provisioning logs. For more details, please refer to Microsoft’s Documentation on Provisioning Logs.

Steps for downloading provisioning logs