Queries for the SigninLogs table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

All SiginLogs events

All Azure signin events.

SigninLogs
| project UserDisplayName, Identity,UserPrincipalName,  AppDisplayName, AppId, ResourceDisplayName

Resources accessed by user

Lists the resources accessed for a specific user.

// Set v_Users_UPN with the UPN of the user of interest
let v_Users_UPN = "[email protected]";
SigninLogs
| where UserPrincipalName == v_Users_UPN
| summarize Count=count()  by ResourceDisplayName, AppDisplayName

User count per Resource

Distinct count if users by resource.

SigninLogs
| project UserDisplayName, Identity,UserPrincipalName,  AppDisplayName, AppId, ResourceDisplayName
| summarize UserCount=dcount(UserPrincipalName) by ResourceDisplayName

User count per Application

Distinct count of users by application.

SigninLogs
| project UserDisplayName, Identity,UserPrincipalName,  AppDisplayName, AppId, ResourceDisplayName
| summarize UserCount=dcount(UserPrincipalName) by AppDisplayName

Failed Signin reasons

The query list the main reasons for sign in failures.

SigninLogs
| where ResultType != 0
| summarize Count=count() by ResultDescription, ResultType
| sort by Count desc nulls last

Failed MFA challenge

Highlights sign in failures caused by failed MFA challenge.

SigninLogs
| where ResultType == 50074
| project UserDisplayName, Identity,UserPrincipalName, ResultDescription,  AppDisplayName, AppId, ResourceDisplayName
| summarize FailureCount=count(), FailedResources=dcount(ResourceDisplayName), ResultDescription=any(ResultDescription) by UserDisplayName

Failed App tried silent signin

Failed silent app signin attempts.

SigninLogs
| where ResultType == 50058
| project UserDisplayName, Identity,UserPrincipalName, ResultDescription,  AppDisplayName, AppId, ResourceDisplayName
| summarize FailureCount=count(), FailedResources=dcount(ResourceDisplayName), ResultDescription=any(ResultDescription) by UserDisplayName

Failed login Count

Resources with most failed log in attempts.

SigninLogs
| where ResultType !=0
| summarize FailedLoginCount=count() by ResourceDisplayName
| sort by FailedLoginCount desc nulls last

Signin Locations

Failed and successful sig ins by source location.

SigninLogs
| summarize Successful=countif(ResultType==0), Failed=countif(ResultType!=0) by Location

Logins To Resource

Lists API sign ins.

SigninLogs
| where ResourceDisplayName == "Windows Azure Service Management API"
| project TimeGenerated, UserDisplayName, Identity,UserPrincipalName,  AppDisplayName, Success=iff(ResultType==0, "Success", "Fail")