How to Check Login Activity in Microsoft 365

Monitoring login activity in Microsoft 365 is essential for ensuring the security of your organization's accounts. By reviewing login data, you can identify unauthorized access, monitor user activity, and maintain compliance.

Steps to Check Login Activity in Microsoft 365

1. Using the Microsoft 365 Admin Center:

• Log in: Access the Microsoft 365 admin center using your administrator credentials at admin.microsoft.com
• Navigate: Go to Azure Active Directory under Admin centers.
• Access Sign-ins: Select Sign-ins under the Monitoring section.
• Filter and View:
  • Use the Add filters option to narrow down your search by user, date range, status, location, and more.
  • The results will display information such as user, date, time, location, status (successful or failed), device, and client IP address.

2. Using the Microsoft 365 Defender Portal:

• Access the portal: Log in to the Microsoft365 Defender portal at https://security.microsoft.com
• Navigate to Sign-ins: Find the Sign-ins section within the portal.
• Investigate: Use the filters and search options to investigate user login activity.
• View details: The portal provides detailed information about each sign-in event.

3. Using PowerShell:

• Connect to Azure AD: Use the Connect-AzureAD cmdlet to establish a connection to your Azure Active Directory.
• Get Sign-in Logs: Use the Get-AzureADAuditSignInLogs cmdlet to retrieve sign-in logs.
• Filter and Export: Filter the results using parameters like ObjectId, StartTime, EndTime, and export the data to a CSV file for further analysis.

To programmatically retrieve login activity, use the Microsoft Graph API or PowerShell.

Example PowerShell Script:

Connect-AzureAD
Get-AzureADAuditSignInLogs | Where-Object { $_.ResultType -eq 0 } | Select-Object UserPrincipalName,IPAddress,ClientAppUsed,TimeGenerated

4. Using Third-Party Tools:

• M365 Manager Plus: This tool offers a user-friendly interface to view and analyze user login activity, including reports and visualizations.
• Lepide Auditor for Office 365: This solution provides comprehensive auditing and reporting capabilities, including detailed login history and anomaly detection.

Key Considerations:

• Administrator Privileges: You'll need administrator privileges within your Microsoft 365 environment to access and manage login activity.
• Data Retention: Be aware of Microsoft 365's data retention policies for audit logs.
• Security Best Practices: Regularly review login activity to identify and mitigate potential security threats, such as unauthorized access or suspicious login attempts.

Use Cases for Monitoring Login Activity

1. Security Monitoring: Detect suspicious logins from unusual IP addresses or geolocations.
2. Compliance: Ensure regulatory compliance by tracking user activities.
3. Troubleshooting: Identify reasons for failed logins.

Related Articles

1. What are Microsoft Entra audit logs?
2. What are Microsoft Entra sign-in logs?
3. Microsoft's Audit Policy Recommendations
4. How to Track Group Policy Changes
5. How to Check Active Directory (AD) Event Logs
6. How to Track File or Folder Changes in Windows