• Audit Report provides the audit record for the event name, the actor who performed the action, the date and time (in UTC) when it was performed, the target resource affected by the change as well as actor, target and role details.
  • Sign-ins Events report gives full detail on all sign-ins activities performed within your tenant. You can easily check failed logins, locked account accounts target by hackers’ attack and also who is using what within your tenant in extreme detail.
    Please note that the events in the report are collapsed per minute. This means that if we receive two or more events with:
    • same user
    • same app
    • same device
    • same login status
    • same date time (YYYY-MM-DD-HH:mm)

            we collapse everything in 1 event and the last one is shown (to avoid having too many similar events from MS)

  • Sign-ins Legacy Protocols Usage report will show you those sign-ins using deprecated protocols on the tenant in order to be able to evaluate blocking legacy protocols and impacted users.
  • Sign-ins External report allows easily to visualize who performed the external access, when it happened, what content the external user has access to and from what geographic location. This report was enhanced with geo representation for location mapping searches, along with pivot point analysis from directly inside the report.
  • Sign-ins failed report shows failed sign-ins and the reasons for all users in a chosen period.
  • Monthly Sign-ins by user report shows the number of total sessions for the current month per user.
  • Monthly Sign-ins stats by app report provides information about the usage of managed applications and user sign-in activities.
  • Risky Users report will show you all the Azure AD Users who are at risk for a V-Tenant, in order to identify potential threats to my tenant and act accordingly.
  • Risk Detections: Each detected suspicious action is stored in this report. The information is useful to identify possible threats to my tenant and reduce security risk. 
  • Sign-ins from anonymous IP addresses report indicates users who have successfully signed in from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device’s IP address and may be used for malicious intent.
  • Users with leaked credentials When the service acquires username/password pairs, they are checked against Azure AD users’ current valid credentials. When a match is found, it means that a user’s password has been compromised, and a leaked credentials risk event is created.
  • Sign-ins from Infected Devices identifies sign-ins from devices infected with malware. This is determined by correlating IP addresses of the user’s device against IP addresses that were in contact with a bot server.
  • Sign-ins from IP addresses with suspicious activity report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity, in this case, is defined to be an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.
  • Sign-ins from unfamiliar locations report considers past sign-in locations to determine new/unfamiliar locations. The system stores information about previous locations used by a user and considers these “familiar” locations. The risk event is triggered when the sign-in occurs from a location that’s not already in the list of familiar locations.
  • Impossible travel to atypical locations report is useful to identify suspicious from locations that may be atypical for the user, given past behavior.
  • Sign-ins with Admin Roles displays sing-ins of users with at least one admin role

Moreover, by clicking ‘Columns’, you can add or remove information from the Audit reports. You can also export, save, print, or schedule these reports with applied changes and filters and adjust the time interval in the top right corner of the table.

The Audit Saved Report can be found in a dedicated section ‘Saved reports’ under the Audit tab.

Note: In order to see the data related to SignIn Events under Audit | Azure AD Reports you need to have at one EMS or E5 license active with Azure AD Premium Plan 2.


For more details, please check the article below: