Forum Discussion

Tony Oscar's avatar
Tony Oscar
Copper Contributor
Jul 05, 2019

UserLoggedIn events not found in Azure Audit log for about a week

When I search for UserLoggedIn events in my Office 365 Tenant, I'm unable to find any audit records for the last 7 days. Whereas all our users have been logging in and out. I've tested one of our test tenants as well and found it missing as well. Anyone facing this?

2 Replies

  • ankit shukla's avatar
    ankit shukla
    Iron Contributor

    Tony Oscar  UserLoggedin events have been problematic and is still in a stage where it cant be called reliable.

     

    Best is to use Azure AD Login reports from AAD. you may additionally use PowerShell to fetch this - 

    https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Audit-Report-ae78ecaa 

    https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683 

     

    Cheers !!

    Ankit Shukla

     

  • First of all, for login events best use the Azure AD sign-in logs directly, as the unified log often displays them with delay (if at all): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

     

    Second, just because the users access a given application it doesn't mean they do a full-blown login. The application can reuse an already issued refresh token, and until its validity expires, you will not see any login events for the given user/app combo. But 7 days is long enough period to have at least few users try an app they haven't logged in to in a while, so it seems a bit suspicions and most likely the unified log is acting up again. Which brings us back to my previous point, check the AAD logs.

Resources