Darren Roback
Jul 19, 2020
Copper Contributor
Exporting Azure AD Sign-In Logs to Log Analytics
Hi Team,
Hoping someone could help here. I've got an Azure AD tenant where I'm trying to export Sign-In logs to a Log Analytics workspace. The AD tenant was licensed as "Azure AD for Office 365" and I am aware of the prerequisite for Premium P1/P2 licensing for this functionality. I've activated a trial for 100 licenses, and have assigned those licenses to the users I'm wishing to export the sign-in logs for. Problem is, I'm not seeing any actual data. I've given it a few hours and as a test, have confirmed that I am able to export the Activity Logs.
Anyone have any thoughts on where I'm going wrong? Does every user in the AAD tenant need to be licensed for this functionality? I have confirmed that the tenant itself is now licensed for Premium P2, but can't for the life of me figure out what's going on here.
Thanks!
- CliveWatson
Microsoft
Have they shown up yet? It can take 15 mins+: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics
- Darren Roback
Copper Contributor
CliveWatson thanks for the reply and understood. I left the config in place for several hours and no sign-in data has been exported.
I have a separate AAD tenant that I was able to get this working on, and this left me wondering whether this was a license issue. In the tenant I had tried (initially), I have several hundred users. I activated an AAD Premium license and applied it to those I was seeking to export sign-in data on, but this didn't work. This has left me wondering if (potentially all?) users need to be licensed for AAD Premium? Or will a subset work? Fairly confident this is where the issue lies, but haven't been able to get any clarity on the licensing piece.
- CliveWatson
Microsoft
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
If you want to access the sign-in data using an API, your tenant must have an Azure Active Directory Premium license associated with it.
I suspect, like you do, that it needs to be all users in the tenant. Sorry, maybe someone else knows for sure.