Forum Discussion
SignInLogs are not showing in Log Analytics / Azure Monitor
I have followed the steps to create an Log Analytics workspace, and configured the Diagnostic Settings in Azure AD to send the SignInLogs and AuditLogs to LogAnalytics.
However, I cannot see the SignInLogs; I only see events from AuditLogs available in Log Analytics.
I believe I have met the prerequisites on licensing by means of a trial of Azure AD Premium P2 license.
Does anybody know why it's only sending out the AuditLogs and not the SignInLogs to Log Analytics?
- ibnmbodjiSteel Contributor
Hi it's not a matter of License since the sign-in activity report is available in all editions of Azure AD.
I would suggest to verify that you have one of the prerequisites :
- Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles
- Global Administrators
- Ben OwensBrass Contributor
ibnmbodji the license does matter to export sign in logs to Log Analytics (Azure Monitor) - https://twitter.com/BenjaminOwens/status/1354701842106650626
- Russell McKeeCopper Contributor
I had this in a real tenant with AAD P1. I waited over 1 week. I thought i was going crazy (bad config etc), but all checked out correctly.
I raised a ticket with Microsoft yesterday with the details of the tenant, screenshots etc. Had a call back today saying its all fixed. There was a global issue causing the SignInLogs to not be sent to Log Analytics. He didnt expand on the problem, but informed me Microsoft had a team of engineers looking to fix this for other customers. By the time we then checked our tenant, it was fixed anyway! So worth raising with Microsoft of you have set it up correctly and have the correct licenses etc.
- toggenjmCopper Contributor
- toggenjmCopper ContributorI am using my Global Administrator account to try and view the logs and it should have the permissions. As a test I have added it to the above groups and re-logged in but this hasn't made the SignInLogs table appear in Log Analytics
- JanBakkerOrphanedSteel Contributor
tetlika I just enabled this on my brand new tenant. Let's see if these logs come through and how long it takes. Right after configuring, de audit logs are showing up. I assume sign-in logs are following soon.
I have a dev subscription with P2. Let's wait for 24 hours to see if I got the same problem.
I'll keep you posted.
- Ben OwensBrass Contributor
JanBakkerOrphaned in a dev tenant with the M365 E5 licenses, I've generally found the sign-in logs to start populating relatively quickly; within a day.
I'll be interested to know how long it takes your to show up.
- Lewis-HIron ContributorIt did work for AuditLogs but not for SigninLogs. I tried with various time rages as well.
The funny thing is that I do see logs under 'Sign-ins' in the 'Monitor' blade of Azure AD.
But somehow these logs don't show up in my log analytics. - JanBakkerOrphanedSteel Contributor
Ben Owens This can take a while before showing up. How long did you wait?
- Ben OwensBrass Contributor
JanBakkerOrphanedraised the ticket with Microsoft but no real insight from them.
Interestingly, this appeared to be a license issue (from what I can gather).
We previously signed up to an Azure AD Premium P2 license (25 licenses) to unlock the ability to send the SigninLogs logs. However, after waiting a few days, no SignInLogs.
Whilst I was waiting for it to start working, some Azure AD Premium P1 licenses were purchased and assigned to the tenant (not assigned to any users though). Within about 30 minutes of those showing in the tenant, the SignInLogs showed up in LogAnalytics.So if anybody hits this issue when using a trial Azure AD Premium license, I would advise purchasing 1 Azure AD Premium P1 license instead to see if that kicks it into action.
- Ben OwensBrass Contributor
Thanks JanBakkerOrphaned . I left it running on Friday afternoon, over the weekend but saw no results.
When I've set this up on other tenants, I usually see some data after an hour or so. The fact I can see the AuditLogs after 15-30 mins but no the SigninLogs suggested (to me) that I had missed at step or needed a licensing prereq.
On the Monday, I ended up creating a new Resource Group, new LogAnalytics workspace. I then removed and then re-added the Diagnostics Settings (pointing to the new LogAnalytics workspace. Same result so far.... AuditLogs only.
Any other suggestions welcome.I've logged a ticket with MS support as I think I've met the requirements. I'll update the thread with the outcome of the ticket.