Jul 05 2019 05:51 AM - last edited on Feb 09 2023 02:43 PM by Meenah_Khosraw
When I search for UserLoggedIn events in my Office 365 tenant, I'm unable to find any audit records for the last 7 days, whereas all our users have been logging in and out. I've tested one of our test tenants as well and found them missing there too. Anyone facing this?
Jul 05 2019 09:46 AM
First of all, for login events best use the Azure AD sign-in logs directly, as the unified log often displays them with delay (if at all): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
Second, just because the users access a given application, it doesn't mean they do a full-blown login. The application can reuse an already issued refresh token, and until its validity expires, you will not see any login events for the given user/app combo. But 7 days is a long enough period to have at least a few users try an app they haven't logged in to in a while, so it seems a bit suspicious and most likely the unified log is acting up again. Which brings us back to my previous point: check the AAD logs.
Jul 25 2019 12:49 AM
@Tony Oscar UserLoggedin events have been problematic and are still in a stage where they can't be called reliable.
Best is to use Azure AD Login reports from AAD. You may additionally use PowerShell to fetch this:
https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Audit-Report-ae78ecaa
https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683
Cheers !!
Ankit Shukla
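
An added example, not part of any post in this thread: a PowerShell sketch that measures the gap both replies describe by listing user/day pairs that appear in the Azure AD sign-in log but have no UserLoggedIn record in the unified audit log. The function name `Get-SignInAuditGap`, the sample records and the `contoso.example` accounts are constructed for illustration; in a live tenant the two inputs would come from `Search-UnifiedAuditLog -Operations UserLoggedIn` and from an export of the Azure AD sign-in log.

```powershell
# Constructed sample data shaped like the two log sources (timestamps are UTC).
# Unified audit log rows carry their detail as a JSON string in AuditData.
$unified = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-07-01T08:02:11","Operation":"UserLoggedIn","UserId":"alice@contoso.example"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-07-03T09:15:40","Operation":"UserLoggedIn","UserId":"Alice@contoso.example"}' }
)
# Azure AD sign-in log rows, reduced to the two fields the comparison needs.
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = [datetime]'2019-07-01T08:02:09' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = [datetime]'2019-07-02T07:58:30' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   CreatedDateTime = [datetime]'2019-07-02T10:20:00' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   CreatedDateTime = [datetime]'2019-07-02T16:45:12' }
)

function Get-SignInAuditGap {
    param(
        [object[]]$UnifiedRecords,   # rows with an AuditData JSON string
        [object[]]$SignInRecords     # rows with UserPrincipalName and CreatedDateTime
    )
    # Index the unified log by "user|day" so lookups are constant time.
    $seen = @{}
    foreach ($row in $UnifiedRecords) {
        $detail = $row.AuditData | ConvertFrom-Json
        if ($detail.Operation -ne 'UserLoggedIn') { continue }
        $key = '{0}|{1:yyyy-MM-dd}' -f $detail.UserId.ToLowerInvariant(), [datetime]$detail.CreationTime
        $seen[$key] = $true
    }
    # Group sign-ins by the same key and report the groups the unified log missed.
    $SignInRecords |
        Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.UserPrincipalName.ToLowerInvariant(), $_.CreatedDateTime } |
        Where-Object { -not $seen.ContainsKey($_.Name) } |
        ForEach-Object {
            $user, $day = $_.Name -split '\|'
            [pscustomobject]@{ User = $user; Day = $day; SignInsWithoutAuditRecord = $_.Count }
        }
}

# With the sample data this lists alice on 2019-07-02 (1 sign-in)
# and bob on 2019-07-02 (2 sign-ins) as missing from the unified log.
Get-SignInAuditGap -UnifiedRecords $unified -SignInRecords $signIns | Format-Table -AutoSize
```

Matching is per user and calendar day rather than per event because the two logs stamp the same sign-in with slightly different times and the unified log can lag behind.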