Forum Discussion

Ben Owens's avatar
Ben Owens
Brass Contributor
Sep 21, 2020

SignInLogs are not showing in Log Analytics / Azure Monitor

I have followed the steps to create an Log Analytics workspace, and configured the Diagnostic Settings in Azure AD to send the SignInLogs and AuditLogs to LogAnalytics.

However, I cannot see the SignInLogs; I only see events from AuditLogs available in Log Analytics.

 

I believe I have met the prerequisites on licensing by means of a trial of Azure AD Premium P2 license.

 

Does anybody know why it's only sending out the AuditLogs and not the SignInLogs to Log Analytics?

  • tetlika's avatar
    tetlika
    Copper Contributor

    Ben Owens hello

     

    we have pretty same issue - we have p2 trial license and we can see audit logs, however sign in logs are not coming

     

    have you resolved the issue for yourself? what can you recommend?

     

    thanks in advance

    • JanBakkerOrphaned's avatar
      JanBakkerOrphaned
      Steel Contributor

      tetlika I just enabled this on my brand new tenant. Let's see if these logs come through and how long it takes. Right after configuring, de audit logs are showing up. I assume sign-in logs are following soon. 

      I have a dev subscription with P2. Let's wait for 24 hours to see if I got the same problem.  

       

      I'll keep you posted. 

      • Ben Owens's avatar
        Ben Owens
        Brass Contributor

        JanBakkerOrphaned in a dev tenant with the M365 E5 licenses, I've generally found the sign-in logs to start populating relatively quickly; within a day.

         

        I'll be interested to know how long it takes your to show up.

    • Ben Owens's avatar
      Ben Owens
      Brass Contributor

      tetlika could you purchase 1 Azure AD P1 license. Looking back at the thread, after I purchased a AAD P1 license, the sign-in logs appeared to start populating relatively quickly.  That could simply have been a coincidence though and maybe I should have just waited longer.

    • Ben Owens's avatar
      Ben Owens
      Brass Contributor

      Thanks JanBakkerOrphaned .  I left it running on Friday afternoon, over the weekend but saw no results.

       

      When I've set this up on other tenants, I usually see some data after an hour or so.  The fact I can see the AuditLogs after 15-30 mins but no the SigninLogs suggested (to me) that I had missed at step or needed a licensing prereq.

       

      On the Monday, I ended up creating a new Resource Group, new LogAnalytics workspace.  I then removed and then re-added the Diagnostics Settings (pointing to the new LogAnalytics workspace.  Same result so far....  AuditLogs only.

      Any other suggestions welcome.

       

      I've logged a ticket with MS support as I think I've met the requirements.  I'll update the thread with the outcome of the ticket.

    • Ben Owens's avatar
      Ben Owens
      Brass Contributor

      JanBakkerOrphanedraised the ticket with Microsoft but no real insight from them.

      Interestingly, this appeared to be a license issue (from what I can gather).

      We previously signed up to an Azure AD Premium P2 license (25 licenses) to unlock the ability to send the SigninLogs logs. However, after waiting a few days, no SignInLogs.

      Whilst I was waiting for it to start working, some Azure AD Premium P1 licenses were purchased and assigned to the tenant (not assigned to any users though).  Within about 30 minutes of those showing in the tenant, the SignInLogs showed up in LogAnalytics.

       

      So if anybody hits this issue when using a trial Azure AD Premium license, I would advise purchasing 1 Azure AD Premium P1 license instead to see if that kicks it into action.

  • Lewis-H's avatar
    Lewis-H
    Iron Contributor
    It did work for AuditLogs but not for SigninLogs. I tried with various time rages as well.
    The funny thing is that I do see logs under 'Sign-ins' in the 'Monitor' blade of Azure AD.
    But somehow these logs don't show up in my log analytics.
    • Ben Owens's avatar
      Ben Owens
      Brass Contributor

      Lewis-H I never saw that SignInLogs in Log Analytics Workspace until it started sending data there.

      On licensing, do you have paid for Azure AD Premium P1 or P2 license/s in place or trial ones?

  • ibnmbodji's avatar
    ibnmbodji
    Steel Contributor

    Ben Owens 

     

    Hi it's  not a matter of License since  the  sign-in activity report is available in all editions of Azure AD.

     

    I would suggest to verify that you have one of the  prerequisites : 

    • Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles
    • Global Administrators
    • toggenjm's avatar
      toggenjm
      Copper Contributor
      I am using my Global Administrator account to try and view the logs and it should have the permissions. As a test I have added it to the above groups and re-logged in but this hasn't made the SignInLogs table appear in Log Analytics
      • ibnmbodji's avatar
        ibnmbodji
        Steel Contributor

        toggenjm 

        Hi Yes you're right only Audit logs are sent to log analytics when you don't have P1 License.

         
      • ibnmbodji's avatar
        ibnmbodji
        Steel Contributor

        Ben Owens 

         

        Hi yes  it seems that even if you can configure it and send it to log analytics you need P1 license  to query and export data settings . I thought that  i can because of this : 

        How long does Azure AD store the data?

        Activity reports

        HOW LONG DOES AZURE AD STORE THE DATA?Report Azure AD Free Azure AD Premium P1 Azure AD Premium P2
        Audit logs7 days30 days30 days
        Sign-ins7 days30 days30 days
        Azure AD MFA usage30 days30 days30 days

Resources