Exporting Azure AD Sign-In Logs to Log Analytics


Hi Team,

Hoping someone could help here. I've got an Azure AD tenant where I'm trying to export Sign-In logs to a Log Analytics workspace. The AD tenant was licensed as "Azure AD for Office 365" and I am aware of the prerequisite for Premium P1/P2 licensing for this functionality. I've activated a trial for 100 licenses, and have assigned those licenses to the users I'm wishing to export the sign-in logs for. Problem is, I'm not seeing any actual data. I've given it a few hours and as a test, have confirmed that I am able to export the Activity Logs.

Anyone have any thoughts on where I'm going wrong? Does every user in the AAD tenant need to be licensed for this functionality? I have confirmed that the tenant itself is now licensed for Premium P2, but can't for the life of me figure out what's going on here.

Thanks!

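4 Replies

@Darren Roback

Have they shown up yet? It can take 15mins+ https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics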

@Clive Watson thanks for the reply and understood. I left the config in place for several hours and no sign-in data has been exported.

I have a separate AAD tenant that I was able to get this working on, and this left me wondering whether this was a license issue. In the tenant I had tried (initially), I have several hundred users. I activated an AAD Premium license and applied it to those I was seeking to export sign-in data on, but this didn't work. This has left me wondering if (potentially all?) users need to be licensed for AAD Premium? Or will a subset work? Fairly confident this is where the issue lies, but haven't been able to get any clarity on the licensing piece.

Hi @Darren Roback

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

If you want to access the sign-in data using an API, your tenant must have an Azure Active Directory Premium license associated with it.

I suspect, like you do, it needs to be all users in the tenant - sorry, maybe someone else knows for sure.

Hi @Clive Watson

I just spoke with Microsoft support and wanted to share some feedback. The Azure AD tenant needs to be licensed at a premium level, but this license does not need to be assigned to all users in the tenant. Best way to check that you meet the prerequisite is to check from the Azure AD Overview page within the portal.

The other piece here is that the team is aware of a delay in exporting sign-in logs, and that this could result in up to a few days between the time it's configured and the time logs are actually exported. The development team is aware of the issue and is working through an update to address.

I actually checked the configuration again this morning and now I have log data being streamed. Just didn't give it long enough. :)

Cheers!
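
A way to confirm from the workspace side whether sign-in data has started arriving and how far behind it is, added here as an example and not part of the original thread. It assumes the diagnostic setting writes to the standard `SigninLogs` and `AuditLogs` tables; the three-day window is chosen to match the delay described above.

```kusto
// Compare the two Azure AD tables: if AuditLogs has rows and SigninLogs has none,
// the export pipeline works and only the sign-in category is missing or delayed.
union isfuzzy=true
    (SigninLogs | extend Ingested = ingestion_time()),
    (AuditLogs  | extend Ingested = ingestion_time())
| where TimeGenerated > ago(3d)
// Lag between the event happening and the record landing in the workspace
| extend LagMinutes = datetime_diff('minute', Ingested, TimeGenerated)
| summarize
    Records        = count(),
    FirstEvent     = min(TimeGenerated),
    LastEvent      = max(TimeGenerated),
    FirstIngested  = min(Ingested),
    MedianLagMin   = percentile(LagMinutes, 50),
    MaxLagMin      = max(LagMinutes)
    by Type
| order by Type asc
```

A missing `SigninLogs` row in the result means nothing has been ingested yet; `FirstIngested` shows when the export actually began, which can be compared with the time the diagnostic setting was saved.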