SignInLogs are not showing in Log Analytics / Azure Monitor

%3CLINGO-SUB%20id%3D%22lingo-sub-1692381%22%20slang%3D%22en-US%22%3ESignInLogs%20are%20not%20showing%20in%20Log%20Analytics%20%2F%20Azure%20Monitor%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1692381%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20followed%20the%20steps%20to%20create%20an%20%3CSTRONG%3ELog%20Analytics%3C%2FSTRONG%3E%20workspace%2C%20and%20configured%20the%20%3CSTRONG%3EDiagnostic%20Settings%3C%2FSTRONG%3E%20in%20Azure%20AD%20to%20send%20the%20%3CSTRONG%3ESignInLogs%3C%2FSTRONG%3E%20and%20%3CSTRONG%3EAuditLogs%3C%2FSTRONG%3E%20to%20%3CSTRONG%3ELogAnalytics%3C%2FSTRONG%3E.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EHowever%2C%20I%20cannot%20see%20the%26nbsp%3B%3CSTRONG%3ESignInLogs%3C%2FSTRONG%3E%3B%20I%26nbsp%3Bonly%20see%20events%20from%20%3CSTRONG%3EAuditLogs%3C%2FSTRONG%3E%20available%20in%20%3CSTRONG%3ELog%20Analytics%3C%2FSTRONG%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20believe%20I%20have%20met%20the%20prerequisites%20on%20licensing%20by%20means%20of%20a%20trial%20of%20%3CSTRONG%3EAzure%20AD%20Premium%20P2%3C%2FSTRONG%3E%20license.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anybody%20know%20why%20it's%20only%20sending%20out%20the%20%3CSTRONG%3EAuditLogs%3C%2FSTRONG%3E%20and%20not%20the%20%3CSTRONG%3ESignInLogs%3C%2FSTRONG%3E%20to%20%3CSTRONG%3ELog%20Analytics%3C%2FSTRONG%3E%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1692381%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Monitor%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELog%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1698349%22%20slang%3D%22en-US%22%3ERe%3A%20SignInLogs%20are%20not%20showing%20in%20Log%20Analytics%20%2F%20Azure%20Monitor%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1698349%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F6399%22%20target%3D%22_blank%22%3E%40Ben%20Owens%3C%2FA%3E%26nbsp%3BThis%20can%20take%20a%20while%20before%20showing%20up.%20How%20long%20did%20you%20wait%3F%26nbsp%3B%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2Fimages%2Femoticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I have followed the steps to create an Log Analytics workspace, and configured the Diagnostic Settings in Azure AD to send the SignInLogs and AuditLogs to LogAnalytics.

However, I cannot see the SignInLogs; I only see events from AuditLogs available in Log Analytics.

 

I believe I have met the prerequisites on licensing by means of a trial of Azure AD Premium P2 license.

 

Does anybody know why it's only sending out the AuditLogs and not the SignInLogs to Log Analytics?

5 Replies
Highlighted

@Ben Owens This can take a while before showing up. How long did you wait? :smile:

Highlighted

Thanks @JanBakker330 .  I left it running on Friday afternoon, over the weekend but saw no results.

 

When I've set this up on other tenants, I usually see some data after an hour or so.  The fact I can see the AuditLogs after 15-30 mins but no the SigninLogs suggested (to me) that I had missed at step or needed a licensing prereq.

 

On the Monday, I ended up creating a new Resource Group, new LogAnalytics workspace.  I then removed and then re-added the Diagnostics Settings (pointing to the new LogAnalytics workspace.  Same result so far....  AuditLogs only.

Any other suggestions welcome.

 

I've logged a ticket with MS support as I think I've met the requirements.  I'll update the thread with the outcome of the ticket.

Highlighted

@JanBakker330raised the ticket with Microsoft but no real insight from them.

Interestingly, this appeared to be a license issue (from what I can gather).

We previously signed up to an Azure AD Premium P2 license (25 licenses) to unlock the ability to send the SigninLogs logs. However, after waiting a few days, no SignInLogs.

Whilst I was waiting for it to start working, some Azure AD Premium P1 licenses were purchased and assigned to the tenant (not assigned to any users though).  Within about 30 minutes of those showing in the tenant, the SignInLogs showed up in LogAnalytics.

 

So if anybody hits this issue when using a trial Azure AD Premium license, I would advise purchasing 1 Azure AD Premium P1 license instead to see if that kicks it into action.

Highlighted
It did work for AuditLogs but not for SigninLogs. I tried with various time rages as well.
The funny thing is that I do see logs under 'Sign-ins' in the 'Monitor' blade of Azure AD.
But somehow these logs don't show up in my log analytics.
Highlighted

@Lewis-H I never saw that SignInLogs in Log Analytics Workspace until it started sending data there.

On licensing, do you have paid for Azure AD Premium P1 or P2 license/s in place or trial ones?