Use Azure Active Directory sign-in and audit reports

To look for unusual or suspicious sign-in activity in your Office 365 organization, you can use sign-in and activity reports in Microsoft Azure. You can also view events in the Microsoft Azure Active Directory audit log. This is because your Office 365 subscription includes a free subscription to Azure Active Directory. The first time that you try to access these reports, you have to complete a one-time registration process to get access to the Azure management portal. For more information, see Register your free Azure Active Directory subscription. After you register your Azure AD subscription, you can access the Azure AD reports directly from the Reports page in the Office 365 admin center.

Note: A free subscription to Azure AD isn’t available for trial subscriptions or for organizations with an Office 365 for education subscription.

View Azure AD sign-in and audit reports

  1. In the Office 365 admin center, click Reports > Security & compliance.

  2. Under Auditing, click Azure AD reports (paid Office 365 subscription required).

    As previously explained, you have to register your Azure Active Directory subscription the first time you click this link. To access the registration page, your organization must have a paid Office 365 subscription.

  3. In the Azure management portal, on the Active Directory tab, click the name of your organization.

  4. On the organization page, select Reports.

    Shows the Organization page for the Contoso organization. The Reports option is highlighted.
  5. Specify the time period that you want to search.

    A close-up view of the Reports page, where you can enter the time period and user name that you want to gather activity reports for.

    To view a report, click the report in the list.

    Shows the Reports page of the Active Directory tab in the Azure management portal. Report categories of Licensing, Anamalous Activity, Activity Logs, and Integrated Applications are expanded to show the specific reports available in the category.
  6. You will be taken to a detailed page for that specific report. To view another report, select it from the list in the left panel or click the arrow to return to the Reports page.

    Shows the page for the "Sign ins from unknown sources" report, available from the Reports page of the Active Directory tab in the Azure management portal.

Reports are available for licensing, anomalous activity, activity logs, integrated applications, and external access. Premium reports require an Azure AD Premium subscription. For details about the reports, see View your access and usage reports.

View activity reports for a user

  1. In the Office 365 admin center, click Reports > Security & compliance.

  2. Under Auditing, click Azure AD reports (paid Office 365 subscription required).

  3. In the Azure management portal, on the Active Directory tab, click the name of your organization.

  4. On the Users tab, click the user that your want to view activity reports for.

  5. On the user’s properties page, click Activity.

Events for the last 30 days are displayed in the list. The activity report includes the date and time that the user signed in, the application signed into, the user’s IP address, the user’s location when signing in, and the type of client device used to sign in. Events are logged for only work or school account sign-ins. Events aren’t logged when the user signs in using a Microsoft account.

For more information about viewing and downloading reports in Azure AD, see View your access and usage reports.

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×