MahmoudElfawairr
Copper Contributor
Mar 18, 2025

Clarification on AADSignInEventsBeta vs. IdentityLogonEvents Logs

Hey everyone,

I’ve been reading up on the AADSignInEventsBeta table and got a bit confused. From what I understand, the AADSignInEventsBeta table is in beta and is only available for those with a Microsoft Entra ID P2 license. The idea is that the sign-in schema will eventually move over to the IdentityLogonEvents table.

What I’m unsure about is whether the data from the AADSignInEventsBeta table has already been migrated to the IdentityLogonEvents table, or if they’re still separate for now.

Can anyone clarify this for me?

Thanks in advance for your help!

1 Reply

  • Hi,

    Great question. This causes confusion for many people because both tables can contain authentication-related signals, but they are not a direct 1:1 replacement at this stage.

    Short answer

    No, the data from AADSignInEventsBeta has not simply been “moved” entirely into IdentityLogonEvents as a full migration.

    Today, these tables still serve different purposes and can coexist depending on licensing, data sources, and portal evolution.

    How to think about each table

    AADSignInEventsBeta

    This table was introduced to expose Microsoft Entra ID (Azure AD) sign-in activity in Advanced Hunting.

    Typical focus:

    • Interactive sign-ins
    • Non-interactive sign-ins
    • Cloud authentication context
    • Conditional Access related signals
    • Entra ID sign-in telemetry

    It has historically required the appropriate Entra ID licensing.

    IdentityLogonEvents

    This table is broader and focuses on identity authentication activity across multiple sources, not only Entra ID.

    Typical focus:

    • User logons
    • Authentication activity
    • Endpoint + identity correlation
    • Hybrid identity scenarios
    • Defender XDR normalized identity telemetry

    Current reality

    They are still separate tables with overlapping use cases.

    Microsoft has been gradually normalizing schemas across Defender XDR tables, so some newer hunting scenarios may prefer IdentityLogonEvents, but AADSignInEventsBeta is still relevant in many environments.

    My recommendation

    Use:

    AADSignInEventsBeta when you need:

    • Detailed Entra sign-in context
    • Cloud sign-in investigation
    • Conditional Access visibility
    • Legacy existing queries

    IdentityLogonEvents when you need:

    • Cross-domain hunting
    • Identity + device correlation
    • Unified authentication investigations
    • Broader XDR detection logic

    Practical approach

    Run both and compare coverage in your tenant:

    AADSignInEventsBeta | take 10

    IdentityLogonEvents | take 10

    You will usually notice schema differences and different event sources.

    Important note

    Because Microsoft continuously evolves hunting schemas, it is a good habit to monitor documentation updates and schema deprecation notices before redesigning detections.

    Short conclusion

    No full migration yet. They currently coexist, overlap in some areas, and are used for different investigation scenarios.

    Hope this helps.
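
A fuller version of the side-by-side comparison suggested in the reply above, as an added example that is not part of the original thread. It assumes both tables are available in the tenant's Advanced Hunting and uses only the Timestamp, Application and AccountUpn columns; the 7-day window and the output column names are arbitrary choices.

```kusto
// Added example: compare what each table recorded over the same window,
// per Application value, so overlap and gaps are visible in one result set.
let lookback = 7d;   // assumption: adjust to your retention and volume
union
    (
        AADSignInEventsBeta
        | where Timestamp > ago(lookback)
        | project Timestamp, SourceTable = "AADSignInEventsBeta",
                  Application, AccountUpn = tolower(AccountUpn)
    ),
    (
        IdentityLogonEvents
        | where Timestamp > ago(lookback)
        | project Timestamp, SourceTable = "IdentityLogonEvents",
                  Application, AccountUpn = tolower(AccountUpn)
    )
// Pivot the two sources into side-by-side columns for each Application.
| summarize
    AadEvents        = countif(SourceTable == "AADSignInEventsBeta"),
    IdentityEvents   = countif(SourceTable == "IdentityLogonEvents"),
    AadAccounts      = dcountif(AccountUpn, SourceTable == "AADSignInEventsBeta"),
    IdentityAccounts = dcountif(AccountUpn, SourceTable == "IdentityLogonEvents"),
    LastSeen         = max(Timestamp)
    by Application
// Label where each Application value shows up.
| extend Coverage = case(
    AadEvents > 0 and IdentityEvents > 0, "both tables",
    AadEvents > 0,                        "AADSignInEventsBeta only",
                                          "IdentityLogonEvents only")
| order by Coverage asc, AadEvents desc, IdentityEvents desc
```

Rows marked as appearing in only one table show which existing detections would lose coverage if they were pointed at the other table.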