Driving transparency: New logging capabilities and attribute enhancements in Microsoft Entra

At Microsoft Security, our commitment to transparency shapes every step we take toward providing customers with better insights. Today, we're excited to announce several enhancements to the logging capabilities of Microsoft Entra, making sign-in activity more comprehensive, actionable, and accessible.

Representing agents in Microsoft Entra sign-in logs

Alex Simons recently announced Microsoft Entra Agent ID, a powerful new unified solution that brings together all agent identities created across Microsoft Copilot Studio and Azure AI Foundry. Over the next six months, we’re expanding support to include agents from Security Copilot, Microsoft 365 Copilot, and even third-party solutions. This commitment ensures a truly seamless and unified experience for IT teams everywhere.

One big question we’ve heard from admins is, “How can I get visibility into what resources these agents are accessing?” The agentSignIn resource in the MSGraph API and the "is Agent" UX filter in Microsoft Entra let IT admins quickly view details about agents in authentication logs and filter sign-in events to those done by agents only. This brings both clarity and control, making it quicker and easier to monitor agent activity with your organization’s resources.

Entra sign-in logs UX “is Agent” filter.

Introducing Microsoft service principal sign-in logs

We’ve introduced the “MicrosoftServicePrincipalSignInLogs” stream now in Public Preview. This log stream records token requests when Microsoft services applications authenticate with each other within a tenant, such as Microsoft teams authenticating to word when a user opens a document within the application. These applications are secured by Microsoft Security and do not require action from customers; however, we are providing this data as an optional add-on for transparency.

New and improved sign-in log attributes aligned to real-world security needs

We are consistently improving the comprehensiveness of our sign-in logs to provide organizations with more in-depth and actionable insights. The following attributes are now available to all customers:

• AppOwnerTenantId: Identifies the tenant that owns the application involved in the sign-in. This is essential for managing cross-tenant access scenarios.
• ResourceOwnerTenantId: Indicates the tenant that owns the resource being accessed, aiding in cross-tenant activity monitoring.
• SessionID: Provides a unique identifier for each user sign-in session, supporting the broader initiative to add linkable identifiers across Microsoft logging streams.
• SourceAppClientID: Helps admins detect and investigate impersonation attempts involving federated identity credentials. This attribute allows tracing such scenarios back to the original source application.
• Entra TenantID in Log Analytics: Includes the originating Entra TenantID in all sign-in and audit Log Analytics schemas. This improvement is especially valuable for organizations with multiple tenants, simplifying activity correlation by tenant.
• UserAgent in Service Principal Sign-In: Adds the UserAgent string for service principal sign-ins, providing security teams with an additional signal for tracking and identifying potential threat actors, similar to what’s already available for user sign-in logs.
• Autonomous System Number (ASN) in service principal sign-in logs: This attribute offers deeper visibility into the origins of internet traffic. Organizations can leverage ASN data to enhance threat detection and create custom rules targeting known, malicious ASN ranges.
  
  

These enhancements reflect our commitment to providing a more transparent and robust foundation for threat detection, investigation, and compliance. Your feedback continues to guide us as we prioritize and deliver these improvements.

-Shobit Sahay

Read more on this topic

• Sign-in logs in Microsoft Entra ID
• Learn about the audit logs in Microsoft Entra ID
• Learn about the monitoring and health activity log schemas

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

• ⁠Microsoft Entra News and Insights | Microsoft Security Blog
• ⁠⁠Microsoft Entra blog | Tech Community
• ⁠Microsoft Entra documentation | Microsoft Learn
• Microsoft Entra discussions | Microsoft Community