How to Check Entra ID (Azure AD) Activity/Audit Logs

6 min read | Published On - April 02, 2025

Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is a cloud-based identity and access management service that employees can use to access external resources. These resources include Microsoft 365, the Azure portal, and many other SaaS applications.

By continuously monitoring network traffic and analyzing user behavior, Entra ID identifies suspicious activities, detects unauthorized applications, and stops unauthorized access attempts, ensuring that only trusted and secure applications operate on the system.

However, monitoring this activity can be a difficult task using manual tools. The Entra audit log stores data on a directory-by-directory basis, so to search for data across different directories, you need to run the same search multiple times. In addition, the native event log filters don’t contain an exclude function, so to filter out white-listed applications, you will need to export the log data into a CSV file and analyze it from there.
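The export-and-exclude workaround described above can be scripted. The following Python sketch is an added example, not Lepide or Microsoft code: it merges CSV exports from several directories and drops rows for allow-listed applications. The column names, directory labels and sample rows are constructed assumptions; match the columns to the header row of your own export.

```python
import csv
import io

# Constructed sample exports, one per directory. Column names are assumptions;
# match them to the header row of your own CSV export.
EXPORTS = {
    "directory-a": (
        "Date (UTC),User,Application,Status,IP address\n"
        "2025-04-01T08:15:00Z,alice@a.example,Microsoft Teams,Success,198.51.100.10\n"
        "2025-04-01T08:17:00Z,bob@a.example,Unknown Sync Tool,Success,203.0.113.7\n"
    ),
    "directory-b": (
        "Date (UTC),User,Application,Status,IP address\n"
        "2025-04-01T07:59:00Z,carol@b.example,,Failure,203.0.113.99\n"
        "2025-04-01T09:02:00Z,dave@b.example,microsoft teams ,Success,198.51.100.20\n"
    ),
}

ALLOW_LIST = {"microsoft teams", "office 365 exchange online"}

def exclude_allow_listed(exports, allow_list, app_column="Application",
                         time_column="Date (UTC)"):
    """Merge per-directory exports, dropping rows for allow-listed applications."""
    kept = []
    for directory, text in exports.items():
        reader = csv.DictReader(io.StringIO(text))
        missing = {app_column, time_column} - set(reader.fieldnames or [])
        if missing:
            raise ValueError(f"{directory}: export lacks columns {sorted(missing)}")
        for row in reader:
            app = (row[app_column] or "").strip().casefold()
            if app in allow_list:
                continue  # known-good application, filtered out
            # Blank application names are kept: they need a human look.
            kept.append({"Directory": directory, **row})
    # Assumes ISO 8601 UTC timestamps, which sort correctly as plain strings.
    return sorted(kept, key=lambda r: r[time_column])

if __name__ == "__main__":
    for r in exclude_allow_listed(EXPORTS, ALLOW_LIST):
        print(r["Date (UTC)"], r["Directory"], r["User"], r["Application"] or "(blank)")
```

Matching is case-insensitive and ignores surrounding whitespace, so the allow list must be stored in lower case.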

In this guide to auditing Entra ID activity logs, we will look at the types of activity logs generated by Entra ID and how they can be monitored to provide a more secure and compliant Microsoft 365 environment. We will then look at how the Lepide Auditor can help with the auditing of Entra ID.

Different Types of Activity Logs in Entra ID

Entra ID provides several different types of logs that allow administrators to monitor activity, respond to issues, and maintain the security of their organization. In this guide, we will look at Entra ID Activity Logs, which are described below:

Activity Logs: These logs provide insights into the operation of a directory. These include information about user and group management, service status, and more. Activity logs are divided into two further types:

  1. Audit Logs: These logs record changes applied to your tenant, such as user and group management or updates applied to your tenant’s resources. They help administrators track changes made in their environment and understand the cause of such changes.
  2. Sign-in Logs: These logs provide information about who signed in, when, where, and through what method. They are a powerful tool for IT administrators to analyze and gain insights into how users access applications and services.

How to Monitor Your Entra ID Logs

Microsoft provides several built-in tools and services to monitor and report on Entra ID activity logs in Microsoft 365:

  1. Entra ID Portal
  2. Microsoft 365 Admin Center
  3. Azure Monitor
  4. Microsoft Graph API

Entra ID Portal

Sign-in Logs: You can access sign-in logs directly from the Entra ID portal. To do this, follow the steps below:

  • Navigate to Microsoft Entra, select Monitoring, Sign-ins.
  • Here, you can view details about each sign-in event, including the user, location, date and time, and status of the sign-in.

Audit Logs: In a similar way, you can view audit logs as follows:

  • Navigate to Microsoft Entra, Monitoring, Audit logs.
  • These logs provide information about changes made within your Azure AD, such as user and group management activities.

Microsoft 365 Admin Center

Security and Compliance Center: The Microsoft 365 Security & Compliance Center provides a variety of reports related to security and compliance, including Entra ID logs.

  • Navigate to https://protection.office.com and sign in with your admin account.
  • Here, you can access reports like Risky sign-ins, Users flagged for risk, and more.

Audit Log Search: The Audit Log Search tool allows you to search the unified audit log in Microsoft 365. To access this:

  • Go to Security & Compliance Center, Search & Investigation, Audit log search.
  • Here, you can search for specific events or filter by date range, users, activities, etc.

Azure Monitor

Azure Monitor is a service that collects, analyzes, and responds to monitoring data from your cloud and on-premises environments. It shows how your applications are performing, identifies issues affecting them, and allows you to respond to those issues.

Microsoft Graph API

The Microsoft Graph API provides a unified programmability model that you can use to access your Entra ID logs. This allows you to integrate Entra logs with your own custom applications or third-party SIEM tools. You can also use the Microsoft Graph API to view sign-in logs and audit logs.
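As an added example (not from the original article or from Lepide), this Python sketch pages through the Graph `auditLogs/directoryAudits` endpoint and flattens each record for forwarding to a SIEM. It assumes a bearer token with the `AuditLog.Read.All` permission obtained separately; the sample pages and names such as `admin@a.example` are constructed so the paging logic can be run offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed two-page response, shaped like Graph directoryAudit records.
SAMPLE_PAGES = {
    "page1": {"value": [{"activityDateTime": "2025-04-01T08:00:00Z",
                         "activityDisplayName": "Add member to group",
                         "result": "success",
                         "initiatedBy": {"user": {"userPrincipalName": "admin@a.example"}}}],
              "@odata.nextLink": "page2"},
    "page2": {"value": [{"activityDateTime": "2025-04-01T09:00:00Z",
                         "activityDisplayName": "Update application",
                         "result": "success",
                         "initiatedBy": {"app": {"displayName": "Sync Service"}}}]},
}

def audit_url(since_iso, top=100):
    """Build a directoryAudits query for events at or after since_iso (UTC)."""
    query = urllib.parse.urlencode(
        {"$filter": f"activityDateTime ge {since_iso}", "$top": top},
        safe="$:", quote_via=urllib.parse.quote)
    return f"{GRAPH}/auditLogs/directoryAudits?{query}"

def http_get_json(url, token):
    """Live fetch; token is an OAuth bearer token obtained separately."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_events(url, get_json):
    """Yield every record, following @odata.nextLink until the last page."""
    seen = set()
    while url and url not in seen:  # guard against a repeated link
        seen.add(url)
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def summarize(event):
    """Flatten one audit record; the actor may be a user or an application."""
    by = event.get("initiatedBy") or {}
    actor = (by.get("user") or {}).get("userPrincipalName") \
        or (by.get("app") or {}).get("displayName") or "(unknown)"
    return (event.get("activityDateTime"), event.get("activityDisplayName"), actor)
```

Against a live tenant, call `iter_events(audit_url("2025-04-01T00:00:00Z"), lambda u: http_get_json(u, token))`; offline, pass `SAMPLE_PAGES.__getitem__` with `"page1"` as the starting URL.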

Limitations of Entra ID Audit Logs

Entra ID audit logs provide a centralized location to monitor changes and activities across your Microsoft 365 environment. This single pane of glass reporting enables administrators to easily identify patterns, anomalies, and any potential security risks.

However, while Azure AD audit logs provide an insight into changes, they do not provide automated configuration backups. Other limitations include:

  • There are no automatic backups; additional tools or manual processes are often required to recover an Entra ID configuration.
  • Logs alone cannot perform granular restores of individual settings or configurations; a separate backup and restore solution is required.
  • For organizations managing multiple tenants, Entra ID logs do not provide multi-tenant management capabilities, which potentially complicates standardization and consistency efforts.
  • Entra ID logs have retention limitations unless extended storage is applied through external solutions like Azure Monitor or third-party tools.
  • Audit logs often generate vast amounts of data, which requires manual analysis or external tools to gain visibility over activity. Also, logs are spread across different areas, so correlating the data takes extensive time and effort.
  • Interpreting audit logs may require expert knowledge, which can pose a challenge for organizations without dedicated IT security capability.

How Lepide Auditor Helps in Entra ID Auditing

The Lepide Auditor for Entra ID allows you to report across all your audit data at once using pre-defined reports. You can choose which audit logs you want to see to prioritize the most important data to focus on. Alerts can be set up to notify you about suspicious activity to mitigate risk and prevent a data breach. In addition, our Microsoft Entra ID auditing tool enables you to store your log files for compliance and investigation purposes.

To see all changes which have occurred in Entra ID, you can run the All Azure AD Changes Report. An example of this is shown below:
Lepide Entra ID Audit Report

To run this report:

  • Select Lepide Auditor, Reports
  • From here, expand Azure AD
  • Select All Azure AD Changes
  • Specify a time frame if required
  • Select Generate Report

The report is generated and can be filtered, sorted and exported to CSV and PDF formats.
