O365 Admin

How to Audit Sign-In Logs in Entra ID

Published 11 November 2025 · 7 min read

Entra ID sign-in logs record every authentication attempt across your tenant. Knowing how to read and filter these logs is essential for investigating account compromises, diagnosing MFA issues, and understanding how Conditional Access policies are being applied.

Where to find sign-in logs

Entra ID portal → Monitoring & health → Sign-in logs

Logs are retained for 30 days on Entra ID P1/P2 tenants and 7 days on the free tier. Stream them to Log Analytics for longer retention.

Log types

Sign-in log types

  - Interactive user sign-ins (user actively signed in): shows app access, MFA results, CA policy outcomes.
  - Non-interactive user sign-ins (refresh tokens and silent auth): useful for investigating token replay attacks.
  - Service principal sign-ins (app-to-app authentication): for investigating app permission issues.

Filtering effectively

Useful sign-in log filters

  - User (filter to a specific UPN): start here when investigating a user report.
  - Status (Failed, Success, Interrupted): Interrupted = MFA required but not completed.
  - IP address (specific IP).
  - Conditional Access (Failure, Not applied, Success): filter CA failures to diagnose policy issues.
  - Client app (Browser, Mobile apps, Exchange ActiveSync): use to find legacy auth attempts.

Key columns to read

Investigating suspicious sign-ins

  1. Filter the sign-in logs to the affected user within the relevant timeframe
  2. Look for successful sign-ins from unexpected IPs or countries
  3. Check whether MFA was completed
  4. Check the Conditional Access column to see which policies applied and with what result
  5. Look for impossible travel (successive sign-ins from locations too far apart for the time between them)
  6. Check Entra ID Identity Protection → Risky users
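Added example, not from the original guide: a Python triage of exported sign-in records in the Microsoft Graph signIn schema, applying steps 2, 3 and 5 above to constructed sample records. The user, IP addresses, expected-country set and the one-hour travel window are assumptions.

```python
# Added example, not from the guide: triage exported Entra ID sign-in records.
# Field names follow the Microsoft Graph signIn resource; records are constructed.
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [  # constructed sample export, three events for one user
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-11-10T08:00:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-11-10T08:40:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "BR"},
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-11-10T09:05:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "BR"},
     "status": {"errorCode": 50074}, "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "failure"},
]

MFA_NOT_COMPLETED = {50074, 50076}  # error codes named in the guide's FAQ

def triage_user(signins, upn, expected_countries, travel_window=timedelta(hours=1)):
    """Apply steps 2, 3 and 5 of the guide to one user's records; return findings."""
    rows = sorted((r for r in signins if r["userPrincipalName"] == upn),
                  key=lambda r: r["createdDateTime"])
    findings, last_ok = [], None  # last_ok: (time, country) of the previous success
    for r in rows:
        when = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        country, code, ip = r["location"]["countryOrRegion"], r["status"]["errorCode"], r["ipAddress"]
        if code in MFA_NOT_COMPLETED:
            findings.append(f"{when:%H:%M} MFA required but not completed (error {code}) from {ip}")
            continue
        if code != 0:
            continue  # other failure codes are outside this check
        if country not in expected_countries:
            findings.append(f"{when:%H:%M} success from unexpected country {country} ({ip})")
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append(f"{when:%H:%M} success with a single factor; CA status {r['conditionalAccessStatus']}")
        # Crude impossible-travel heuristic (assumed here): two successes from
        # different countries inside the travel window.
        if last_ok and last_ok[1] != country and when - last_ok[0] < travel_window:
            findings.append(f"{when:%H:%M} impossible travel {last_ok[1]} -> {country} in {when - last_ok[0]}")
        last_ok = (when, country)
    return findings


if __name__ == "__main__":
    for line in triage_user(SAMPLE_SIGNINS, "alice@example.com", {"GB"}):
        print(line)
```

Against the sample data this reports the single-factor success from an unexpected country, the GB to BR hop within 40 minutes, and the later 50074 sign-in where MFA was challenged but not completed.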

Exporting logs

Entra ID → Monitoring → Diagnostic settings → + Add diagnostic setting

Stream to a Log Analytics workspace for Sentinel integration, or to Storage for long-term archival.

Frequently Asked Questions

Q: How long are Entra ID sign-in logs retained?

30 days for P1/P2, 7 days for free. Configure Diagnostic Settings to stream to Log Analytics for longer retention.

Q: How do I find failed MFA attempts?

Filter Status to Failed and look for error code 50074 (MFA required, not completed) or 50076 (MFA required by CA policy).

Q: What does Interrupted status mean?

Interrupted means the sign-in started but was not completed - MFA was required but the user closed the browser, or a CA policy redirected to terms of use.

Related Guides

  - Conditional Access
  - Set Up PIM
  - Why MFA Matters