Tracking the login history of users is an essential task to monitor and detect any suspicious behavior.
Native methods to audit Microsoft 365 login attempts and identify any anomalous activity can be made by using PowerShell or Microsoft Entra ID. Examples of atypical actions might be, for example, unusual login times or repeated login failures. This can help to identify any possible security concerns such as insider threats or brute force attempts. Login attempts can also be audited to identify inactive users, which is an important consideration with regards to security but can also help to manage license requirements in a more efficient way.
This guide will look first at the native methods of PowerShell and Entra ID to view Microsoft 365 login attempts and then a more straightforward solution using the Lepide Auditor.
Method 1 – Using PowerShell
The cmdlet below can be used to generate a list of Microsoft 365 user login attempts. Before running the cmdlet, the following parameters will need to be replaced:
$startDate – the earliest date from which the audit data should be generated
$endDate – the latest date to which the audit data should be generated
Search-UnifiedAuditLog -RecordType 'AzureActiveDirectoryStsLogon' -Operations
'UserLoggedIn','UserLoginFailed' -StartDate $startDate -EndDate $endDate
Method 2 – Using Microsoft Entra ID
An alternative method to access these details is to use Microsoft Entra ID which can track login attempts in your Microsoft 365 environment with audit logs. These logs can be filtered for specific users, groups, or other attributes.
The steps to view Microsoft 365 login attempts using Microsoft Entra ID are as follows:
- Log in to the Microsoft Entra admin center with an account that has at least a Reports Reader role assigned to it
- Choose Identity, Users, All Users
- Select Sign-in Logs in the side panel
This will show you the login history of all users in your tenant. You can filter this report for specific users, user activity, or date ranges by using the Add Filters option.
How Lepide helps
The Lepide Auditor for Microsoft 365 a more straightforward approach to viewing user login activity in Microsoft 365 by using the All Environment Changes report. This report shows all user activity and can be filtered to show only login activity.
To run this report:
- Select Lepide Auditor, Reports
- From here, select the All Environment Changes Report
- Add a filter for the Azure Active Directory component
- Specify a time frame if required
- Select Generate Report
The report is generated and can be filtered, sorted and exported to CSV and PDF formats.