View your access and usage reports
This documentation is part of the Azure Active Directory Reporting Guide.
You can use Azure Active Directory's access and usage reports to gain visibility into the integrity and security of your organization’s directory. With this information, a directory admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks.
In the Azure Management Portal, reports are categorized in the following ways:
- Anomaly reports – Contain sign in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to determine whether an event is suspicious.
- Integrated Application reports – Provide insights into how cloud applications are being used in your organization. Azure Active Directory offers integration with thousands of cloud applications.
- Error reports – Indicate errors that may occur when provisioning accounts to external applications.
- User-specific reports – Display device/sign in activity data for a specific user.
- Activity logs – Contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, as well as group activity changes, and password reset and registration activity.
Note: Some advanced anomaly and resource usage reports are only available when you enable Azure Active Directory Premium. Advanced reports help you improve access security, respond to potential threats and get access to analytics on device access and application usage.
Note: Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Microsoft Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.
|Anomalous activity reports|
|Sign ins from unknown sources||May indicate an attempt to sign in without being traced.|
|Sign ins after multiple failures||May indicate a successful brute force attack.|
|Sign ins from multiple geographies||May indicate that multiple users are signing in with the same account.|
|Sign ins from IP addresses with suspicious activity||May indicate a successful sign in after a sustained intrusion attempt.|
|Sign ins from possibly infected devices||May indicate an attempt to sign in from possibly infected devices.|
|Irregular sign in activity||May indicate events anomalous to users’ sign in patterns.|
|Users with anomalous sign in activity||Indicates users whose accounts may have been compromised.|
|Users with leaked credentials||Users with leaked credentials|
|Audit report||Audited events in your directory|
|Password reset activity||Provides a detailed view of password resets that occur in your organization.|
|Password reset registration activity||Provides a detailed view of password reset registrations that occur in your organization.|
|Self service groups activity||Provides an activity log of all group self service activity in your directory.|
|Application usage||Provides a usage summary for all SaaS applications integrated with your directory.|
|Account provisioning activity||Provides a history of attempts to provision accounts to external applications.|
|Password rollover status||Provides a detailed overview of automatic password rollover status of SaaS applications.|
|Account provisioning errors||Indicates an impact to users’ access to external applications.|
|RMS usage||Provides a summary for Rights Management usage|
|Most active RMS users||Lists top 1000 active users who accessed RMS-protected files|
|RMS device usage||Lists devices used for accessing RMS-protected files|
|RMS enabled application usage||Provides usage of RMS enabled applications|
|Anomalous activity reports|
|Sign ins from unknown sources||✓||✓||✓|
|Sign ins after multiple failures||✓||✓||✓|
|Sign ins from multiple geographies||✓||✓||✓|
|Sign ins from IP addresses with suspicious activity||✓|
|Sign ins from possibly infected devices||✓|
|Irregular sign in activity||✓|
|Users with anomalous sign in activity||✓|
|Users with leaked credentials||✓|
|Password reset activity||✓|
|Password reset registration activity||✓|
|Self service groups activity||✓|
|Account provisioning activity||✓||✓||✓|
|Password rollover status||✓|
|Account provisioning errors||✓||✓||✓|
|RMS usage||RMS Only|
|Most active RMS users||RMS Only|
|RMS device usage||RMS Only|
|RMS enabled application usage||RMS Only|
The anomalous sign in activity reports flag suspicious sign in activity to Office 365, Azure Management Portal, Azure AD Access Panel, SharePoint Online, Dynamics CRM Online, and other Microsoft online services.
All of these reports, except the "Sign ins after multiple failures" report, also flag suspicious federated sign ins to the aforementioned services, regardless of the federation provider.
The following reports are available:
- Sign ins from unknown sources.
- Sign ins after multiple failures.
- Sign ins from multiple geographies.
- Sign ins from IP addresses with suspicious activity.
- Irregular sign in activity.
- Sign ins from possibly infected devices.
- Users with anomalous sign in activity.
- Users with leaked credentials.
|Shows a record of all audited events within the last 24 hours, last 7 days, or last 30 days. For more information, see Azure Active Directory Audit Report Events.||Directory > Reports tab|
|Shows all password reset attempts that have occurred in your organization.||Directory > Reports tab|
|Shows all password reset registrations that have occurred in your organization||Directory > Reports tab|
|Shows all activity for the self-service managed groups in your directory.||Directory > Users > User > Devices tab|
|Use this report when you want to see usage for all the SaaS applications in your directory. This report is based on the number of times users have clicked on the application in the Access Panel.||Directory > Reports tab|
This report includes sign ins to all applications that your directory has access to, including pre-integrated Microsoft applications.
Pre-integrated Microsoft applications include Office 365, SharePoint, the Azure Management Portal, and others.
|Use this report when you want to see how much a specific SaaS application is being used. This report is based on the number of times users have clicked on the application in the Access Panel.||Directory > Reports tab|
|This report indicates cumulative sign ins to the application by users in your organization, over a selected time interval. The chart on the dashboard page will help you identify trends for all usage of that application.||Directory > Application > Dashboard tab|
|Use this to monitor errors that occur during the synchronization of accounts from SaaS applications to Azure Active Directory.||Directory > Reports tab|
|Use this report when you want to see the IP address and geographical location of devices that a specific user has used to access Azure Active Directory.||Directory > Users > User > Devices tab|
|Shows the sign in activity for a user. The report includes information like the application signed into, device used, IP address, and location. We do not collect the history for users that sign in with a Microsoft account.||Directory > Users > User > Activity tab|
Only certain types of sign in events will appear in the User Activity report.
|Sign ins to the Access Panel||Yes|
|Sign ins to the Azure Management Portal||Yes|
|Sign ins to the Microsoft Azure Portal||Yes|
|Sign ins to the Office 365 portal||Yes|
|Sign ins to a native application, like Outlook (see exception below)||Yes|
|Sign ins to a federated/provisioned app through the Access Panel, like Salesforce||Yes|
|Sign ins to a password-based app through the Access Panel, like Twitter||Yes|
|Sign ins to a custom business app that has been added to the directory||No (Coming soon)|
|Sign ins to an Azure AD Application Proxy app that has been added to the directory||No (Coming soon)|
Note: To reduce the amount of noise in this report, sign ins by the Microsoft Online Services Sign-In Assistant are not shown.
If you suspect that a user account may be compromised, or you see any kind of suspicious user activity that may lead to a security breach of your directory data in the cloud, you may want to consider one or more of the following actions:
- Contact the user to verify the activity
- Reset the user's password
- Enable multi-factor authentication for additional security
In the Azure classic portal, click Active Directory, click the name of your organization’s directory, and then click Reports.
On the Reports page, click the report you want to view and/or download.
Click the drop-down menu next to Interval, and then select one of the following time ranges that should be used when generating this report:
- Last 24 hours
- Last 7 days
- Last 30 days
Click the check mark icon to run the report.
- Up to 1000 events will be shown in the Azure classic portal.
If applicable, click Download to download the report to a compressed file in comma-separated values (CSV) format for offline viewing or archiving purposes.
- Up to 75,000 events will be included in the downloaded file.
- For more data, check out the Azure AD Reporting API.
If you are viewing any anomaly reports, you may notice that you can ignore various events that show up in related reports. To ignore an event, simply highlight the event in the report and then click Ignore. The Ignore button will permanently remove the highlighted event from the report and can only be used by licensed global admins.
For more information about Azure AD's reporting notifications, check out Azure Active Directory Reporting Notifications.