This post gives you an overview of the sign-in activity reports in the Intune portal (a.k.a. the Endpoint Manager portal). The sign-ins report provides information about the usage of managed applications and user sign-in activities. The classic sign-ins report in Azure Active Directory provides you with an overview of interactive user sign-ins. You also have access to three additional sign-in reports that are now in preview:
- Non-interactive user sign-ins
- Service principal sign-ins
- Managed identities for Azure resource sign-ins
The sign-ins report helps you determine the following:
- What is the sign-in pattern of a user, application, or service?
- How many users, apps, or services have signed in over a week?
- What’s the status of these sign-ins?
Prerequisites
- Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles
- Global Administrators
- Any user (non-admins) can access their own sign-ins
- Your tenant must have an Azure AD Premium license associated with it to see sign-in activities.
Sign-in Activity Reports in Intune Portal
- To access the new sign-in activity reports in the Azure portal, select Azure Active Directory, then click Sign-ins in the Monitoring section. Alternatively, sign in to the Microsoft Endpoint Manager admin center.
- Select Users, click Sign-ins.

- The sign-ins activity report provides you with a simple method to switch the preview report on and off. If the preview reports are not enabled, you can click on the toolbar to get a new menu that gives you access to all sign-in activity report types.

In the sign-ins report blade, you can switch between:
- Interactive user sign-ins – Sign-ins where a user provides an authentication factor, such as a password, a response through an MFA app, a biometric factor, or a QR code.
- Non-interactive user sign-ins – Sign-ins performed by a client on behalf of a user. These sign-ins don’t require any interaction or authentication factor from the user. For example, authentication and authorization using refresh and access tokens don’t require a user to enter credentials.
- Service principal sign-ins – Sign-ins by apps and service principals that do not involve any user. In these sign-ins, the app or service provides a credential on its own behalf to authenticate or access resources.
- Managed identities for Azure resources sign-ins – Sign-ins by Azure resources that have secrets managed by Azure.
A sign-ins log has a default list view that shows:
- The sign-in date
- The related user
- The application the user has signed in to
- The sign-in status
- The status of the risk detection
- The status of the multi-factor authentication (MFA) requirement
Note – It may take up to two hours for some sign-in records to show up in the portal.

- Select an item in the list view to get more detailed information about the related sign-in.

- You can customize the list view by clicking Columns in the toolbar. The Columns dialog gives you access to the selectable attributes. In a sign-in report, you can’t have fields that have more than one value for a given sign-in request as a column.

You can filter the User sign-ins report on the following fields:
- Request ID – The ID of the request you care about.
- User – The name or the user principal name (UPN) of the user you care about.
- Application – The name of the target application.
- Status – The sign-in status you care about:
  - Success
  - Failure
  - Interrupted
- IP address – The IP address of the device used to connect to your tenant.
- Location – The location from where the connection is initiated:
  - City
  - State / Province
  - Country/Region
- Resource – The name of the service used for the sign-in.
- Resource ID – The ID of the service used for the sign-in.
- Client app – The type of the client app used to connect to your tenant:
- Operating system – The operating system running on the device used to sign in to your tenant.
- Device browser – If the connection is initiated from a browser, this field enables you to filter by browser name.
- Correlation ID – The correlation ID of the activity.
- Conditional access – The status of the applied conditional access rules:
  - Not applied: No policy applied to the user and application during sign-in.
  - Success: One or more conditional access policies applied to the user and application (but not necessarily the other conditions) during sign-in.
  - Failure: The sign-in satisfied the user and application condition of at least one Conditional Access policy, and grant controls are either not satisfied or set to block access.

- The Date range filter enables you to define a timeframe for the returned data:
  - 1 month
  - 7 days
  - 24 hours
  - Custom

- To see the activities performed by a specific user, click Add filters, select User, and click Apply. For example, here we have typed the user “Jitesh” in the filter tab to see his activities.

- Click the Download option to create a CSV or JSON file of the most recent 100,000 records.

- Each JSON download consists of four different files:
  - Interactive sign-ins (includes auth details)
  - Non-interactive sign-ins (includes auth details)
  - Service principal sign-ins
  - Managed identity for Azure resources sign-ins

- Each CSV download consists of six different files:
  - Interactive sign-ins
  - Auth details of the interactive sign-ins
  - Non-interactive sign-ins
  - Auth details of the non-interactive sign-ins
  - Service principal sign-ins
  - Managed identity for Azure resources sign-ins
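
Once you have the interactive sign-ins JSON download, the questions the report is meant to answer (how many users and apps signed in over a week, with what status) can be computed offline. The script below is an added example, not part of the original post or Microsoft's tooling; it assumes the export uses the Microsoft Graph signIn property names (`userPrincipalName`, `appDisplayName`, `createdDateTime`, `status.errorCode`, `ipAddress`, `conditionalAccessStatus`), and the sample records and the `fail_threshold` parameter are constructed for illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _rec(upn, app, ts, code, ip, ca):
    # Property names assume the Microsoft Graph signIn schema (assumption, not from the post).
    return {"userPrincipalName": upn, "appDisplayName": app, "createdDateTime": ts,
            "status": {"errorCode": code}, "ipAddress": ip, "conditionalAccessStatus": ca}

# Constructed sample standing in for the downloaded interactive sign-ins JSON file.
SAMPLE_EXPORT = json.dumps([
    _rec("jitesh@contoso.example", "Office 365 Exchange Online", "2021-03-09T08:00:00Z", 0, "203.0.113.10", "success"),
    _rec("jitesh@contoso.example", "Azure Portal", "2021-03-08T09:00:00Z", 0, "203.0.113.10", "notApplied"),
    _rec("alex@contoso.example", "Azure Portal", "2021-03-09T01:00:00Z", 50126, "198.51.100.7", "notApplied"),
    _rec("alex@contoso.example", "Azure Portal", "2021-03-09T01:01:00Z", 50126, "198.51.100.8", "notApplied"),
    _rec("alex@contoso.example", "Azure Portal", "2021-03-09T01:02:00Z", 50126, "198.51.100.7", "notApplied"),
    _rec("alex@contoso.example", "Azure Portal", "2021-03-09T01:05:00Z", 53003, "198.51.100.9", "failure"),
    _rec("sam@contoso.example", "Azure Portal", "2021-02-20T12:00:00Z", 0, "203.0.113.44", "notApplied"),
])

def parse_time(value):
    # Timestamps are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(export_json, now, days=7, fail_threshold=3):
    cutoff = now - timedelta(days=days)
    users, apps = set(), set()
    status, cond_access = Counter(), Counter()
    failures = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in json.loads(export_json):
        if parse_time(r["createdDateTime"]) < cutoff:
            continue  # outside the reporting window
        upn = r["userPrincipalName"].lower()
        users.add(upn)
        apps.add(r["appDisplayName"])
        cond_access[r.get("conditionalAccessStatus", "unknown")] += 1
        code = (r.get("status") or {}).get("errorCode")
        if code == 0:
            status["success"] += 1
        else:
            # Assumption: any non-zero errorCode is a failed or interrupted sign-in.
            status["not_success"] += 1
            failures[upn]["count"] += 1
            failures[upn]["ips"].add(r.get("ipAddress"))
    # Users with repeated unsuccessful sign-ins, plus the source IPs, for follow-up.
    flagged = {u: {"count": f["count"], "ips": sorted(f["ips"])}
               for u, f in failures.items() if f["count"] >= fail_threshold}
    return {"users": len(users), "apps": len(apps), "status": dict(status),
            "conditional_access": dict(cond_access), "flagged": flagged}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EXPORT, parse_time("2021-03-10T00:00:00Z")), indent=2))
```

To run it against a real download, pass the file's contents as `export_json` and the current UTC time as `now`; keep in mind the export is capped at the most recent 100,000 records, so a busy tenant may not cover the full window.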
