Microsoft Entra Sign-in Logs

Microsoft

Authentication audit trail for Entra ID (Azure AD) — every login attempt to M365 and SaaS.

Identity, Cloud & Access Commercial Platform / Suite Learning saas


Description

Microsoft Entra ID (the new name for Azure Active Directory) is the identity provider behind Microsoft 365 and most SaaS-federated enterprises. Its Sign-in Logs capture every interactive, non-interactive, service principal, and managed-identity authentication attempt — along with the Conditional Access policy that allowed or blocked it, the risk level (Identity Protection), and the device / location / app context.

For a SOC, Sign-in Logs are usually the primary detection source for:

  • Password spraying / credential stuffing.
  • Impossible travel / atypical location.
  • MFA fatigue and prompt-bombing.
  • Token theft and replay (matching session IDs across IPs).

They are typically shipped to Microsoft Sentinel or a third-party SIEM through the tenant's diagnostic-settings export stream.
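Two of the detections listed above, password spraying and token replay, worked through as an added example over a constructed sign-in export (this is illustrative code written for this page, not Microsoft's or any SIEM vendor's). Field names TimeGenerated, UserPrincipalName, IPAddress and ResultType follow the Sentinel SigninLogs schema; SessionId is assumed here to carry the sign-in session identifier, and every value in the sample is made up.

```python
"""Detection logic over Entra ID sign-in records (constructed sample data).

Password spraying: one source IP failing against many accounts in a short window.
Token replay: one sign-in session producing successful sign-ins from more than one IP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON object per line, shaped like SigninLogs rows.
# SessionId is an assumed field name for the session identifier; all values are invented.
SAMPLE_LOG = """\
{"TimeGenerated":"2024-05-01T08:00:05Z","UserPrincipalName":"alice@contoso.example","IPAddress":"203.0.113.7","ResultType":"50126","SessionId":"s-01"}
{"TimeGenerated":"2024-05-01T08:00:19Z","UserPrincipalName":"bob@contoso.example","IPAddress":"203.0.113.7","ResultType":"50126","SessionId":"s-02"}
{"TimeGenerated":"2024-05-01T08:00:33Z","UserPrincipalName":"carol@contoso.example","IPAddress":"203.0.113.7","ResultType":"50126","SessionId":"s-03"}
{"TimeGenerated":"2024-05-01T08:00:47Z","UserPrincipalName":"dave@contoso.example","IPAddress":"203.0.113.7","ResultType":"50053","SessionId":"s-04"}
{"TimeGenerated":"2024-05-01T08:01:02Z","UserPrincipalName":"erin@contoso.example","IPAddress":"203.0.113.7","ResultType":"50126","SessionId":"s-05"}
{"TimeGenerated":"2024-05-01T08:30:00Z","UserPrincipalName":"frank@contoso.example","IPAddress":"198.51.100.20","ResultType":"50126","SessionId":"s-06"}
{"TimeGenerated":"2024-05-01T09:00:00Z","UserPrincipalName":"grace@contoso.example","IPAddress":"198.51.100.5","ResultType":"0","SessionId":"sess-77"}
{"TimeGenerated":"2024-05-01T09:12:41Z","UserPrincipalName":"grace@contoso.example","IPAddress":"192.0.2.44","ResultType":"0","SessionId":"sess-77"}
{"TimeGenerated":"2024-05-01T09:05:00Z","UserPrincipalName":"heidi@contoso.example","IPAddress":"198.51.100.9","ResultType":"0","SessionId":"sess-88"}
{"TimeGenerated":"2024-05-01T09:40:00Z","UserPrincipalName":"heidi@contoso.example","IPAddress":"198.51.100.9","ResultType":"0","SessionId":"sess-88"}
"""

# Entra result codes that mean a credential was rejected:
# 50126 = invalid username or password, 50053 = account locked after repeated bad passwords.
CREDENTIAL_FAILURE_CODES = {"50126", "50053"}


def parse_records(text):
    """Parse a JSON-lines export into dicts, adding a datetime under 'time'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat() on older Pythons rejects a trailing 'Z', so normalise it.
        rec["time"] = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect_password_spray(records, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted users} for IPs whose credential failures hit >= min_users
    distinct accounts inside any window-long span."""
    failures_by_ip = defaultdict(list)
    for rec in records:
        if rec["ResultType"] in CREDENTIAL_FAILURE_CODES:
            failures_by_ip[rec["IPAddress"]].append(rec)

    hits = {}
    for ip, events in failures_by_ip.items():
        events.sort(key=lambda r: r["time"])
        # Start a window at each failure and collect the distinct users it covers;
        # keep the largest set that crosses the threshold.
        for i, start in enumerate(events):
            users = {r["UserPrincipalName"] for r in events[i:]
                     if r["time"] - start["time"] <= window}
            if len(users) >= min_users and len(users) > len(hits.get(ip, [])):
                hits[ip] = sorted(users)
    return hits


def detect_token_replay(records):
    """Return {session_id: sorted IPs} for sessions with successful sign-ins
    (ResultType "0") observed from two or more source IPs."""
    ips_by_session = defaultdict(set)
    for rec in records:
        if rec["ResultType"] == "0" and rec.get("SessionId"):
            ips_by_session[rec["SessionId"]].add(rec["IPAddress"])
    return {sid: sorted(ips) for sid, ips in ips_by_session.items() if len(ips) >= 2}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("password spray:", detect_password_spray(recs))
    print("token replay:", detect_token_replay(recs))
```

On the sample, the spray detector flags 203.0.113.7 (five accounts failed inside about a minute) and ignores 198.51.100.20 (a single user's bad password), while the replay detector flags sess-77 (successes from two IPs) and ignores sess-88 (repeat sign-ins from one IP). The same grouping logic is what the equivalent KQL `summarize ... by IPAddress` / `by SessionId` queries express in a SIEM.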

Use cases

  • Investigating a suspected M365 account takeover
  • Detecting password spray against a tenant
  • Conditional Access tuning based on real failure patterns

Example

// KQL — risky sign-ins blocked by Conditional Access
// ResultType is a string column in SigninLogs, so compare against '0', not 0;
// the ConditionalAccessStatus filter keeps only sign-ins a policy actually blocked.
SigninLogs
| where ResultType != '0'
| where RiskLevelDuringSignIn in ('high', 'medium')
| where ConditionalAccessStatus == 'failure'
| summarize attempts = count() by UserPrincipalName, IPAddress, ConditionalAccessStatus
| order by attempts desc