
View your access and usage reports

Published: July 8, 2013

Updated: June 12, 2014

Applies To: Azure

You can use access and usage reports to gain visibility into the integrity and security of your organization’s Azure Active Directory (AD) tenant. With this information, a tenant admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks.

In the Azure Management Portal, reports are categorized in the following ways:

  • Anomaly Reports – Contain sign in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to determine whether an event is suspicious.

  • Integrated Application Report – Provides insights into how cloud applications are being used in your organization. AD offers integration with thousands of cloud applications.

  • Error Reports – Indicate errors that may occur when provisioning accounts to external applications.

  • User-specific Reports – Display device/sign in activity data for a specific user.

Note
  • Some advanced anomaly and resource usage reports are only available when you enable Azure Active Directory Premium and Basic. Advanced reports help you improve access security, respond to potential threats and get access to analytics on device access and application usage.

  • Azure AD Premium is not currently supported in China. Please contact us at the Azure Active Directory Forum for more information.

The following reports are used for monitoring tenant-wide user sign ins to Azure AD.

 

For each report, the entries below give the report name, its description, the report location, and whether it is available for free and with Premium.

Category: Anomaly Reports

Sign ins from unknown sources

This report indicates users who have successfully signed in to your tenant while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users who want to hide their computer’s IP address, and may be used with malicious intent; hackers sometimes use these proxies.

Results from this report will show the number of times a user successfully signed in to your tenant from that address and the proxy’s IP address.

Found under the Directory > Reports tab


Available for free: Yes

Available with Premium: Yes

Sign ins after multiple failures

This report indicates users who have successfully signed in after multiple consecutive failed sign in attempts. Possible causes include:

  • User had forgotten their password

  • User is the victim of a successful password guessing brute force attack

Results from this report will show you the number of consecutive failed sign in attempts made prior to the successful sign in and a timestamp associated with the first successful sign in.

Report Settings: You can configure the minimum number of consecutive failed sign in attempts that must occur before it can be displayed in the report. When you make changes to this setting it is important to note that these changes will not be applied to any existing failed sign ins that currently show up in your existing report. However, they will be applied to all future sign ins. Changes to this report can only be made by licensed admins.

Found under the Directory > Reports tab


Available for free: Yes

Available with Premium: Yes

Sign ins from multiple geographies

This report includes successful sign in activities from a user where two sign ins appeared to originate from different countries and the time between the sign ins makes it impossible for the user to have travelled between those countries. Possible causes include:

  • User is sharing their password

  • User is using a remote desktop to launch a web browser for sign in

  • A hacker has signed in to the account of a user from a different country.

Results from this report will show you the successful sign in events, together with the time between the sign ins, the countries where the sign ins appeared to originate from and the estimated travel time between those countries.

Note
The travel time shown is only an estimate and may be different from the actual travel time between the locations. Also, no events are generated for sign ins between neighboring countries.

Found under the Directory > Reports tab


Available for free: Yes

Available with Premium: Yes

Sign ins from IP addresses with suspicious activity

This report includes sign in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign in attempts from the same IP address over a short period of time, and other activity that was deemed suspicious. This may indicate that a hacker has been trying to sign in from this IP address.

Results from this report will show you sign in attempts that originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in.

Found under the Directory > Reports tab


Available for free: No

Available with Premium: Yes

Irregular sign in activity

This report includes sign ins that have been identified as “irregular” by our machine learning algorithms. Reasons for marking a sign in attempt as irregular include unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. The machine learning algorithm classifies events as “irregular” or “suspicious”, where “suspicious” indicates a higher likelihood of a security breach.

Results from this report will show you these sign ins, together with the classification, location and a timestamp associated with each sign in.

Note
We will send an email notification to the global admins if we encounter 10 or more irregular sign in events within a span of 30 days or less. Please be sure to include aad-alerts-noreply@mail.windowsazure.com in your safe senders list.

Found under the Directory > Reports tab


Available for free: No

Available with Premium: Yes

Sign ins from possibly infected devices

Use this report when you want to see sign ins from devices on which some malware (malicious software) may be running. We correlate IP addresses of sign ins against IP addresses from which an attempt was made to contact a malware server.

Recommendation: Since this report assumes an IP address was associated with the same device in both cases, we recommend that you contact the user and scan the user's device to be certain.

For more information about how to address malware infections, see the Malware Protection Center.

Found under the Directory > Reports tab


Available for free: No

Available with Premium: Yes

Users with anomalous sign in activity

Use this report when you want to view all user accounts for which anomalous sign in activity has been identified. This report includes data from all other anomalous activity reports. Results from this report will show you details about the user, the reason why the sign in event was identified as anomalous, the date and time, and other relevant information about the event.

Found under the Directory > Reports tab


Available for free: No

Available with Premium: Yes

Category: Integrated Application Reports

Application usage: summary

Use this report when you want to see usage for all the SaaS applications in your directory. This report is based on the number of times users have clicked on the application in the Access Panel.

Found under the Directory > Reports tab


Available for free: No

Available with Premium: Yes

Application usage: detailed

Use this report when you want to see how much a specific SaaS application is being used. This report is based on the number of times users have clicked on the application in the Access Panel.

Found under the Directory > Reports tab


Available for free: No

Available with Premium: Yes

Application dashboard

This report indicates cumulative sign ins to the application by users in your organization, over a selected time interval. The chart on the dashboard page will help you identify trends for all usage of that application.

Found under the Directory > Application > Dashboard tab


Available for free: Yes

Available with Premium: Yes

Category: Error Reports

Account provisioning errors

Use this to monitor errors that occur during the synchronization of accounts from SaaS applications to Azure AD.

Found under the Directory > Reports tab


Available for free: Yes

Available with Premium: Yes

Category: User-specific Reports

Devices

Use this report when you want to see the IP address and geographical location of devices that a specific user has used to access Azure AD.

Found under the Directory > User > Devices tab


Available for free: No

Available with Premium: Yes

Activity

Use this report when you want to see the sign in activity for a user. The report includes information like the application signed into, device used, IP address, and location. We do not collect the history for users that sign in with a Microsoft account.

Found under the Directory > User > Activity tab


Available for free: Yes

Available with Premium: Yes
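The logic behind the Sign ins after multiple failures report described above, as an added Python example that is not Microsoft's implementation: it flags a successful sign in that ends a run of consecutive failures and records the failure count and the timestamp of that first success. The event tuples, the `signins_after_failures` name and the default threshold of 3 are assumptions made for illustration; the portal's CSV layout is not shown on this page.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sign-in events (user, timestamp, outcome), deliberately unsorted.
# This layout is an assumption, not the portal's CSV format.
SAMPLE_EVENTS = [
    ("alice@contoso.example", "2014-06-01T08:05:00", "success"),
    ("alice@contoso.example", "2014-06-01T08:00:00", "failure"),
    ("alice@contoso.example", "2014-06-01T08:01:00", "failure"),
    ("alice@contoso.example", "2014-06-01T08:02:00", "failure"),
    ("Alice@contoso.example", "2014-06-01T08:03:00", "failure"),
    ("alice@contoso.example", "2014-06-01T09:00:00", "success"),
    ("bob@contoso.example", "2014-06-01T10:00:00", "failure"),
    ("bob@contoso.example", "2014-06-01T10:01:00", "failure"),
    ("bob@contoso.example", "2014-06-01T10:02:00", "success"),
    ("carol@contoso.example", "2014-06-01T11:00:00", "failure"),
    ("carol@contoso.example", "2014-06-01T11:01:00", "failure"),
    ("carol@contoso.example", "2014-06-01T11:02:00", "failure"),
    ("dave@contoso.example", "2014-06-01T12:00:00", "failure"),
    ("dave@contoso.example", "2014-06-01T12:01:00", "failure"),
    ("dave@contoso.example", "2014-06-01T12:02:00", "success"),
    ("dave@contoso.example", "2014-06-01T12:03:00", "failure"),
    ("dave@contoso.example", "2014-06-01T12:04:00", "failure"),
    ("dave@contoso.example", "2014-06-01T12:05:00", "success"),
]

Finding = namedtuple("Finding", "user failed_attempts first_success")

def signins_after_failures(events, min_failures=3):
    """Flag each successful sign-in that ends a run of at least
    min_failures consecutive failed attempts by the same user."""
    parsed = sorted((datetime.fromisoformat(ts), user.lower(), outcome)
                    for user, ts, outcome in events)
    streak = {}    # user -> consecutive failures since the last success
    findings = []
    for ts, user, outcome in parsed:
        if outcome == "failure":
            streak[user] = streak.get(user, 0) + 1
            continue
        failed = streak.pop(user, 0)   # a success always resets the run
        if failed >= min_failures:
            findings.append(Finding(user, failed, ts))
    return findings

if __name__ == "__main__":
    for f in signins_after_failures(SAMPLE_EVENTS):
        print(f.user, f.failed_attempts, f.first_success.isoformat())
```

In the constructed data, carol's failures never end in a success and dave's four failures are split by a success, so neither is flagged at the default threshold.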

If you suspect that a user account may be compromised, or that any kind of suspicious user activity may lead to a security breach of your directory data in the cloud, you may want to consider one or more of the following actions:

Use the following procedure to view and/or download the most applicable report for your specific needs.

Note
The number of results that will be shown after running any of our access and usage reports is currently limited to display, or to download, only the 1000 most recent records. At this time there is no way to retrieve any results past 1000. This article will be updated once this limitation has been removed.

  1. In the Azure Management Portal, click Active Directory, click on the name of your organization’s directory, and then click Reports.

  2. On the Reports page, click on the report you want to view and/or download.

    Note
    If this is the first time you have used the reporting feature of Azure AD, you will see a message to Opt In. If you agree, click the check mark icon to continue.

  3. Click the drop-down menu next to Interval, and then select one of the following time ranges that should be used when generating this report:

    • Last 24 hours

    • Last 7 days

    • Last 30 days

  4. Click the check mark icon to run the report.

  5. If applicable, click Download to download the report to a compressed file in Comma Separated Values (CSV) format for offline viewing or archiving purposes.

If you are viewing any anomaly reports, you may notice that you can ignore various events that show up in related reports. To ignore an event, simply highlight the event in the report and then click Ignore. The Ignore button will permanently remove the highlighted event from the report and can only be used by licensed global admins.

At this time, only the Irregular Sign In Activity report is using the email notification system. You can learn more about the Irregular Sign In Activity report in the table above.

By default, Azure AD is set to automatically send email notifications to all global admins when we encounter 10 or more anomalous sign in events associated with the Irregular Sign In Activity report, within 30 days or less.

Irregular Sign Ins are those that have been identified as “irregular” by our machine learning algorithms, on the basis of unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. More information about this report can be found in the table above.

The email is sent to all global admins who have been assigned an Active Directory Premium license. To ensure it is delivered, we send it to the admin's Alternate Email Address as well. Admins should include aad-alerts-noreply@mail.windowsazure.com in their safe senders list so they don’t miss the email.

Once an email is sent, the next one will be sent only when 10 or more new Irregular Sign In events are encountered within 30 days of sending that email.

How do I access the report mentioned in the email?

When you click on the link, you will be redirected to the report page within the Azure Management Portal. In order to access the report, you need to be both:

  • An admin or co-admin of your Azure subscription

  • A global administrator in the directory, and assigned an Active Directory Premium license. For more information, see Azure Active Directory Premium and Basic.

Yes, you can turn off notifications related to anomalous sign ins within the Azure Management Portal, by clicking Configure, and then selecting Disabled under the Notifications section.

© 2014 Microsoft