Vendors Microsoft Corporation Azure Active Directory Azure AD Sign-in Logs

Azure AD Sign-in Logs

User authentication and access events

Azure Active Directory sign-in logs capturing user authentication events with detailed device, location, and security context

azure-ad authentication signin identity mfa conditional-access audit

JSON Format 22 Fields High Frequency Generator

Preview Sample View Schema

Overview

Comprehensive authentication logs from Azure Active Directory capturing user sign-in events, multi-factor authentication, conditional access policy evaluation, and device compliance status. Essential for security monitoring and compliance reporting.

When Generated:

Every time a user signs into any Azure AD connected application
During multi-factor authentication challenges
When conditional access policies are evaluated
During password changes and user registration events
For both interactive and non-interactive authentication

Security Relevance:

High

Compliance:

SOC 2 GDPR HIPAA PCI DSS NIST Cybersecurity Framework ISO 27001 FedRAMP

Frequency Notes:

Very high frequency in enterprise environments (1200+ events/hour baseline). Peak activity during business hours with 3x multiplier. Reduced activity nights/weekends but never zero due to automated services and global workforce.

Resources

Documentation

Azure Active Directory Sign-in Logs official
Azure Monitor Activity Log Schema official
Conditional Access Documentation official
Azure AD Risk Detections official

Tools

Azure Portal - Azure Active Directory
Web interface for viewing and managing Azure AD sign-in logs and security reports
Microsoft Graph API
Programmatic access to Azure AD sign-in logs and security data
Azure Monitor Log Analytics
Advanced querying and analysis platform for Azure AD logs using KQL
Microsoft Sentinel
SIEM solution with built-in Azure AD analytics and threat detection

Generation Configuration

Base Frequency: 1200 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 3.0x

Night Hours Multiplier: 0.3x

Weekend Multiplier: 0.5x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
Level Source: random_int(1, 4)	Integer	Required	—	Log level severity (1=Critical, 2=Error, 3=Warning, 4=Information)	`4`	`1` — Critical events `2` — Error events `3` — Warning events `4` — Informational events
callerIpAddress Source: random_public_ip()	String	Required	`IPv4 or IPv6`	Public IP address from which the authentication request originated	`203.0.113.42`	—
category Source: Random from predefined categories	String	Required	—	Category of the Azure AD log entry	`SignInLogs`	`SignInLogs` — User sign-in activities `AuditLogs` — Administrative and configuration changes `RiskyUsers` — Users identified as potentially compromised `UserRiskEvents` — Risk detection events for users `ApplicationSignInSummary` — Aggregated application sign-in data
correlationId Source: random_guid()	String	Required	`UUID`	Unique identifier for correlating related events across services	`a1b2c3d4-e5f6-7890-abcd-ef1234567890`	—
durationMs Source: random_int(100, 5000)	String	Required	—	Duration of the authentication process in milliseconds	`1250`	—
identity Source: registry.get_random_user().username	String	Required	—	Username of the authenticating user	`john.doe`	—
location Source: Random from location data	String	Required	—	ISO country code where the authentication originated	`US`	—
operationName Source: Random from operation types	String	Required	—	Type of authentication operation performed	`Sign-in activity`	`Sign-in activity` — Standard user authentication `Password change` — User password modification `User registration` — New user account creation `MFA authentication` — Multi-factor authentication challenge `Conditional access evaluation` — Policy evaluation during authentication `Token refresh` — Authentication token renewal
operationVersion Source: Fixed value	String	Required	—	Version of the operation schema	`1.0`	—
properties Source: Complex nested object with multiple authentication details	Object	Required	—	Comprehensive object containing detailed authentication context and metadata	`{"appDisplayName": "Microsoft Teams", "authenticationMethod": "Password"}`	—
properties.appDisplayName Source: Random from comprehensive application list	String	Required	—	Human-readable name of the application being accessed	`Microsoft Teams`	—
properties.authenticationDetails Source: Array with primary and optional secondary authentication steps	Array	Required	—	Detailed breakdown of each authentication step performed	`[{"authenticationMethod": "Password", "succeeded": "true"}]`	—
properties.deviceDetail Source: Device registry data with compliance and management status	Object	Required	—	Information about the device used for authentication	`{"operatingSystem": "Windows", "isCompliant": true}`	—
properties.location Source: Structured location data with coordinates	Object	Required	—	Geographical location details derived from IP address	`{"city": "Seattle", "countryOrRegion": "US", "state": "Washington"}`	—
properties.conditionalAccessStatus Source: Random from conditional access results	String	Required	—	Result of conditional access policy evaluation	`success`	`success` — All applicable policies were satisfied `failure` — One or more policies were not satisfied `notApplied` — No conditional access policies applied `unknownFutureValue` — Reserved for future use
properties.riskLevelAggregated Source: Random from risk levels	String	Required	—	Overall risk level assessment for the sign-in	`low`	`none` — No risk detected `low` — Low risk indicators present `medium` — Medium risk indicators detected `high` — High risk indicators detected
properties.status Source: Status object with error codes and descriptions	Object	Required	—	Authentication result status and error details	`{"errorCode": "0", "additionalDetails": "Authentication successful"}`	—
properties.userPrincipalName Source: User email from registry or constructed UPN	String	Required	`Email address format`	Full user principal name (UPN) of the authenticating user	`john.doe@contoso.com`	—
resourceId Source: Constructed Azure resource path with tenant ID	String	Required	—	Azure resource identifier for the tenant and AAD service	`/tenants/12345678-1234-1234-1234-123456789012/providers/Microsoft.aadiam`	—
resultSignature Source: Random from result types	String	Required	—	High-level result classification	`Success`	`None` — No specific result classification `Success` — Authentication succeeded `Failure` — Authentication failed
resultType Source: Random from common Azure AD error codes	String	Required	—	Numeric result code indicating authentication outcome	`0`	`0` — Success `50126` — Invalid username or password `50140` — Interrupt required for sign-in `50074` — Strong authentication required `50076` — Strong authentication required (location)
tenantId Source: random_guid()	String	Required	`UUID`	Azure AD tenant identifier	`12345678-1234-1234-1234-123456789012`	—

Details

Fields

High

Frequency

Feedback

No ratings yet