How to Check Login Activity in Microsoft 365

Keeping an eye on login activity in Microsoft 365 is crucial for safeguarding your organization's accounts. By examining login data, you can spot any unauthorized access, track user behavior and ensure compliance.

Steps to Check Login Activity in Microsoft 365

1. Using the Microsoft 365 Admin Center:

• Log in: Start by logging into the Microsoft 365 admin center with your admin credentials at admin.microsoft.com
• Navigate: Head over to Azure Active Directory found under Admin centers.
• Access Sign-ins: Click on Sign-ins in the Monitoring section.
• Filter and View:
  • Utilize the Add filters option to refine your search by user, date range, status, location, and more.
  • The results will show details like user, date, time, location, status (successful or failed), device, and client IP address.

2. Using the Microsoft 365 Defender Portal:

• Access the portal: Head over to https://security.microsoft.com and log in to your Microsoft 365 Defender account.
• Navigate to Sign-ins: Look for the Sign-ins section once you're in the portal.
• Investigate: Utilize the filters and search options to dig into user login activity.
• View details: The portal will give you detailed insights into each sign-in event.

3. Using PowerShell:

• Connect to Azure AD: Use the Connect-AzureAD cmdlet to link up with your Azure Active Directory.
• Get Sign-in Logs: Run the Get-AzureADAuditSignInLogs cmdlet to pull up the sign-in logs.
• Filter and Export: You can filter the results by parameters like ObjectId, StartTime, and EndTime and then export the data to a CSV file for deeper analysis.

For a programmatic approach to retrieve login activity, consider using the Microsoft Graph API or PowerShell.

Here’s a sample PowerShell script you can use:

Connect-AzureAD Get-AzureADAuditSignInLogs | Where-Object { $_.ResultType -eq 0 } | Select-Object UserPrincipalName, IPAddress, ClientAppUsed, TimeGenerated

4. Using Third-Party Tools:

And if you’re looking for third-party tools, check these out:

• M365 Manager Plus: This tool has a user-friendly interface that makes it easy to view and analyze user login activity, complete with reports and visualizations.
• Lepide Auditor for Office 365: This solution offers robust auditing and reporting features, including a detailed login history and anomaly detection.

Key Considerations:

• Administrator Privileges: To access and manage login activity in your Microsoft 365 environment, you'll need to have administrator privileges.
• Data Retention: It's important to understand Microsoft 365's data retention policies regarding audit logs.
• Security Best Practices: Make it a habit to regularly review login activity to spot and address potential security threats, like unauthorized access or suspicious login attempts.

Use Cases for Monitoring Login Activity

1. Security Monitoring: Monitor for any suspicious logins that come from unusual IP addresses or locations.
2. Compliance: Track user activities to ensure you're meeting regulatory requirements.
3. Troubleshooting: Figure out why certain logins are failing.

Final Thoughts

Monitoring login activity in Microsoft 365 is essential for ensuring your organization's security and compliance. Whether you prefer the Admin Center, Defender Portal, PowerShell, or third-party tools, consistently reviewing sign-in data allows you to identify unauthorized access, resolve issues, and adhere to regulatory standards. By staying ahead of the game with these tools and practices, you can better safeguard your Microsoft 365 environment and uphold operational integrity.

Related Articles

1. What are Microsoft Entra audit logs?
2. What are Microsoft Entra sign-in logs?
3. Microsoft's Audit Policy Recommendations
4. How to Track Group Policy Changes
5. How to Check Active Directory (AD) Event Logs
6. How to Track File or Folder Changes in Windows