UserLoggedIn events not found in Azure Audit log for about a week

New Contributor

When I search for UserLoggedIn events in my Office 365 Tenant, I'm unable to find any audit records for the last 7 days. Whereas all our users have been logging in and out. I've tested one of our test tenants as well and found it missing as well. Anyone facing this?

2 Replies

First of all, for login events best use the Azure AD sign-in logs directly, as the unified log often displays them with delay (if at all): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

 

Second, just because the users access a given application it doesn't mean they do a full-blown login. The application can reuse an already issued refresh token, and until its validity expires, you will not see any login events for the given user/app combo. But 7 days is long enough period to have at least few users try an app they haven't logged in to in a while, so it seems a bit suspicions and most likely the unified log is acting up again. Which brings us back to my previous point, check the AAD logs.

@Tony Oscar  UserLoggedin events have been problematic and is still in a stage where it cant be called reliable.

 

Best is to use Azure AD Login reports from AAD. you may additionally use PowerShell to fetch this - 

https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Audit-Report-ae78ecaa 

https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683 

 

Cheers !!

Ankit Shukla