UserLoggedIn events not found in Azure Audit log for about a week

When I search for UserLoggedIn events in my Office 365 Tenant, I'm unable to find any audit records for the last 7 days, whereas all our users have been logging in and out. I've tested one of our test tenants as well and found it missing as well. Anyone facing this?

2 Replies
First of all, for login events best use the Azure AD sign-in logs directly, as the unified log often displays them with delay (if at all): https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

Second, just because the users access a given application it doesn't mean they do a full-blown login. The application can reuse an already issued refresh token, and until its validity expires, you will not see any login events for the given user/app combo. But 7 days is a long enough period to have at least a few users try an app they haven't logged in to in a while, so it seems a bit suspicious and most likely the unified log is acting up again. Which brings us back to my previous point, check the AAD logs.

@Tony Oscar UserLoggedIn events have been problematic and are still at a stage where they can't be called reliable.

Best is to use Azure AD Login reports from AAD. You may additionally use PowerShell to fetch this -

https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Audit-Report-ae78ecaa

https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

Cheers !!

Ankit Shukla
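
Both replies treat the Azure AD sign-in log as the reference and the unified audit log as the unreliable source. The following is an added example, not part of the thread and not one of the linked gallery scripts: it compares the two per UTC day and flags days where Azure AD recorded sign-ins but no UserLoggedIn record exists. The function name `Get-SignInLogGap` and the sample records are constructed for illustration; the two cmdlets named in the comments are assumed as the live data sources.

```powershell
# Added example. In a live tenant the inputs could come from:
#   Search-UnifiedAuditLog -StartDate $s -EndDate $e -Operations UserLoggedIn -ResultSize 5000
#   Get-MgAuditLogSignIn -Filter "createdDateTime ge <start>" -All
function Get-SignInLogGap {
    param(
        [object[]]$UnifiedAuditRecords,  # records exposing CreationDate
        [object[]]$AadSignIns,           # records exposing CreatedDateTime
        [datetime]$Start,                # first UTC day to report
        [datetime]$End                   # last UTC day to report
    )
    $ualByDay = @{}; $aadByDay = @{}
    foreach ($r in $UnifiedAuditRecords) {
        $k = ([datetime]$r.CreationDate).ToUniversalTime().ToString('yyyy-MM-dd')
        $ualByDay[$k] = 1 + [int]$ualByDay[$k]
    }
    foreach ($r in $AadSignIns) {
        $k = ([datetime]$r.CreatedDateTime).ToUniversalTime().ToString('yyyy-MM-dd')
        $aadByDay[$k] = 1 + [int]$aadByDay[$k]
    }
    # Emit one row per day so empty days are visible, not silently skipped.
    for ($d = $Start.Date; $d -le $End.Date; $d = $d.AddDays(1)) {
        $k = $d.ToString('yyyy-MM-dd')
        [pscustomobject]@{
            Day          = $k
            AadSignIns   = [int]$aadByDay[$k]
            UserLoggedIn = [int]$ualByDay[$k]
            # Gap: the identity provider saw sign-ins, the unified log shows none.
            Gap          = ([int]$aadByDay[$k] -gt 0) -and ([int]$ualByDay[$k] -eq 0)
        }
    }
}

# Constructed sample records (not real tenant data).
$ual = @(
    [pscustomobject]@{ CreationDate = '2019-07-01T08:15:00Z'; UserIds = 'alice@example.com' }
)
$aad = @(
    [pscustomobject]@{ CreatedDateTime = '2019-07-01T08:14:58Z'; UserPrincipalName = 'alice@example.com' }
    [pscustomobject]@{ CreatedDateTime = '2019-07-02T09:30:00Z'; UserPrincipalName = 'bob@example.com' }
    [pscustomobject]@{ CreatedDateTime = '2019-07-03T11:05:00Z'; UserPrincipalName = 'alice@example.com' }
)

Get-SignInLogGap -UnifiedAuditRecords $ual -AadSignIns $aad `
    -Start '2019-07-01' -End '2019-07-04' | Format-Table -AutoSize
```

A day with zero in both columns is not flagged: as the first reply notes, refresh-token reuse can legitimately produce no login events, so only days where the Azure AD log has entries and the unified log has none count as a gap.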