SignInLogs are not showing in Log Analytics / Azure Monitor


I have followed the steps to create a Log Analytics workspace, and configured the Diagnostic Settings in Azure AD to send the SignInLogs and AuditLogs to Log Analytics.

However, I cannot see the SignInLogs; I only see events from AuditLogs available in Log Analytics.

 

I believe I have met the prerequisites on licensing by means of a trial of Azure AD Premium P2 license.

 

Does anybody know why it's only sending out the AuditLogs and not the SignInLogs to Log Analytics?

27 Replies

@Ben Owens This can take a while before showing up. How long did you wait? :smile:

Thanks @JanBakkerOrphaned. I left it running on Friday afternoon, over the weekend but saw no results.

When I've set this up on other tenants, I usually see some data after an hour or so. The fact I can see the AuditLogs after 15-30 mins but not the SigninLogs suggested (to me) that I had missed a step or needed a licensing prereq.

On the Monday, I ended up creating a new Resource Group, new LogAnalytics workspace. I then removed and then re-added the Diagnostics Settings (pointing to the new LogAnalytics workspace). Same result so far.... AuditLogs only.

Any other suggestions welcome.

 

I've logged a ticket with MS support as I think I've met the requirements.  I'll update the thread with the outcome of the ticket.

@JanBakkerOrphaned raised the ticket with Microsoft but no real insight from them.

Interestingly, this appeared to be a license issue (from what I can gather).

We previously signed up to an Azure AD Premium P2 license (25 licenses) to unlock the ability to send the SigninLogs logs. However, after waiting a few days, no SignInLogs.

Whilst I was waiting for it to start working, some Azure AD Premium P1 licenses were purchased and assigned to the tenant (not assigned to any users though).  Within about 30 minutes of those showing in the tenant, the SignInLogs showed up in LogAnalytics.

 

So if anybody hits this issue when using a trial Azure AD Premium license, I would advise purchasing 1 Azure AD Premium P1 license instead to see if that kicks it into action.

It did work for AuditLogs but not for SigninLogs. I tried with various time ranges as well.
The funny thing is that I do see logs under 'Sign-ins' in the 'Monitor' blade of Azure AD.
But somehow these logs don't show up in my log analytics.

@Lewis-H I never saw that SignInLogs in Log Analytics Workspace until it started sending data there.

On licensing, do you have paid for Azure AD Premium P1 or P2 license/s in place or trial ones?

@Ben Owens hello

We have pretty much the same issue - we have a P2 trial license and we can see audit logs, however sign-in logs are not coming.

Have you resolved the issue for yourself? What can you recommend?

Thanks in advance

@tetlika I just enabled this on my brand new tenant. Let's see if these logs come through and how long it takes. Right after configuring, the audit logs are showing up. I assume sign-in logs are following soon.

I have a dev subscription with P2. Let's wait for 24 hours to see if I got the same problem.  

 

I'll keep you posted. 

@tetlika could you purchase 1 Azure AD P1 license? Looking back at the thread, after I purchased an AAD P1 license, the sign-in logs appeared to start populating relatively quickly. That could simply have been a coincidence though and maybe I should have just waited longer.

@JanBakkerOrphaned in a dev tenant with the M365 E5 licenses, I've generally found the sign-in logs to start populating relatively quickly; within a day.

 

I'll be interested to know how long it takes yours to show up.

@Ben Owens thanks for reply, and how long have you been waiting btw?

@tetlika in a dev tenant or with a production tenant with a paid-for AAD P1 or P2 license (as opposed to a trial license) I've found the logs start coming into Log Analytics within 1hr.

@Ben Owens more than 24 hours have passed, but only audit and Usage logs are shown.

Will check after another 24 hours. 

@JanBakkerOrphaned Did you end up getting this sorted? I have a tenant with Office 365 E3 licensing that comes with Azure AD Premium P1 licenses but I am not seeing SigninLogs. Do I have to buy a separate license and apply it to make it appear?


How long have you been waiting for them to come in? @toggenjm 

Out of interest, do you have paid for licenses, or trial licenses?

@Ben Owens

Hi, it's not a matter of license since the sign-in activity report is available in all editions of Azure AD.

I would suggest verifying that you have one of the prerequisites:

  • Users in the Security Administrator, Security Reader, Global Reader, and Report Reader roles
  • Global Administrators

Now it's been overnight.
I have paid Microsoft 365 E3 licenses.
I am using my Global Administrator account to try and view the logs and it should have the permissions. As a test I have added it to the above groups and re-logged in but this hasn't made the SignInLogs table appear in Log Analytics.

@ibrahimambodji 

 

To ship the logs to a Log Analytics Workspace you need P1 or P2

 


 

@ibrahimambodji the license does matter to export sign in logs to Log Analytics (Azure Monitor) - https://twitter.com/BenjaminOwens/status/1354701842106650626