Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It handles authentication and authorization for Microsoft 365, Azure, and thousands of third-party SaaS applications. It manages user identities, enforces access policies through Conditional Access, supports multi-factor authentication, and provides single sign-on across connected applications.
What is Entra ID monitoring
Entra ID monitoring means continuously tracking sign-in activity, directory changes, and security signals across your Microsoft Entra ID tenant. The goal is to detect threats, enforce policies, and satisfy compliance requirements.
Microsoft Entra ID (previously Azure Active Directory, or Azure AD) is the authentication gateway for Microsoft 365 and thousands of SaaS applications. Every user sign-in, every role assignment, every application consent grant flows through it.
That makes your Entra ID tenant one of the highest-value targets in your environment. If someone compromises it, they potentially have the keys to everything. Monitoring is how you catch credential attacks, unauthorized directory changes, and policy violations before they escalate.
The scope covers sign-in events, directory object changes, role and group modifications, application consent, device management, and Conditional Access enforcement.
Key Entra ID logs to monitor
Microsoft Entra ID surfaces monitoring data through three primary log categories. Each one captures a different dimension of identity activity, and together they form the foundation of your monitoring strategy.
| Log type | What it records | Key fields | Retention (native) |
|---|---|---|---|
| Sign-in logs | Every authentication attempt (success and failure), including interactive, non-interactive, service principal, and managed identity sign-ins | User, application, IP address, geo-location, device info, MFA status, MFA method, Conditional Access result, error code, failure reason | 7 days (free) / 30 days (P1/P2) |
| Audit logs | All directory changes: user, group, role, device, and application create, update, and delete events; Conditional Access policy changes; consent grants | Actor (who), target (what changed), activity type, timestamp, result | 7 days (free) / 30 days (P1/P2) |
| Provisioning logs | Automated user provisioning and deprovisioning actions between Microsoft Entra ID and connected SaaS applications or on-premises directories | Source system, target system, user, action, status, error details | 30 days |
Here's how the three types work together in practice. Sign-in logs catch authentication-layer threats like brute-force attacks and impossible-travel anomalies. Audit logs catch directory change threats like unauthorized role assignments and rogue application consent grants. Provisioning logs catch identity lifecycle issues like failed deprovisioning that leaves orphaned accounts in downstream applications. Identity Protection risk detections (impossible travel, anonymous IP, leaked credentials, password spray) surface through sign-in logs as risk flags attached to individual sign-in events. You don't need a separate log source for these; they appear as additional fields on the sign-in record itself.
What to monitor in Microsoft Entra ID
Knowing which logs exist is only the first step. The harder question is which specific events and signals you should actually be watching. The table below covers the monitoring areas that matter most for security, compliance, and operational visibility.
| Monitoring area | What to track |
|---|---|
| Sign-in activity | Successful and failed sign-ins, sign-in frequency by user and application, geographic anomalies (impossible travel), sign-ins from anonymized or malicious IP addresses |
| MFA enforcement | MFA success and failure rates, MFA method usage, sign-ins where MFA is not enforced, MFA fatigue patterns (repeated push notifications followed by approval) |
| Conditional Access | Policy creation, modification, and deletion; sign-ins blocked by Conditional Access; sign-ins that bypassed expected policies; device compliance failures |
| Privileged role changes | Role assignments and removals (especially Global Administrator and Privileged Role Administrator); first-time role usage; role assignment by non-privileged accounts |
| User lifecycle | User creation, deletion, disabling, password resets, password changes; bulk user operations; guest user invitation and redemption |
| Group membership | Additions and removals from security groups (especially groups that control access to sensitive resources); ownership changes; dynamic group rule modifications |
| Application and OAuth consent | New application registrations; OAuth 2.0 permission grants; admin and user consent events; application secret and certificate changes |
| Legacy authentication | Sign-ins using older protocols (SMTP, IMAP, POP3) that bypass MFA; these remain a primary attack vector in most tenants |
| Inactive and stale accounts | Accounts with no sign-in activity over an extended period; these are high-risk targets for credential stuffing because nobody notices when they're compromised |
| Device management | Device enrollment, compliance status changes, device configuration policy modifications (especially via Microsoft Intune) |
Monitoring all of these areas manually through the Microsoft Entra admin center is technically possible. For a small tenant with a handful of admins, it might even be manageable.
But at any real scale, the volume of events makes manual review unsustainable. That's why most organizations export logs to a centralized auditing or SIEM platform.
How Entra ID monitoring works
Microsoft Entra ID generates events at the identity provider layer. Every time a user authenticates, a directory object changes, or a provisioning action runs, an event is written to the corresponding log. Unlike on-premises Active Directory, where log data is scattered across individual domain controllers, Entra ID logs are centralized in the cloud service itself.
You can access these logs through four native channels:
Microsoft Entra admin center. Sign-in logs and audit logs are accessible under Monitoring & health. You can filter by user, application, date range, status, and Conditional Access policy. This is the simplest access method, but it's manual and doesn't support alerting or scheduled delivery.
Microsoft Graph API. Programmatic access to sign-in and audit logs for custom integrations and automated workflows. Useful if you're building your own monitoring pipeline, but it requires development effort and API throttling management.
Azure Monitor integration. Logs can be routed to a Log Analytics workspace for longer retention and KQL-based querying. This is where most organizations land when they outgrow the admin center, but it adds cost (Log Analytics ingestion pricing) and configuration complexity (diagnostic settings, alert rules, action groups).
Event Hubs and storage accounts. For streaming to external SIEM platforms or long-term archival. Required when your security operations center runs on a third-party SIEM like Splunk or IBM QRadar.
On-premises AD monitoring versus Entra ID monitoring
Hybrid organizations run both on-premises Active Directory and Microsoft Entra ID. The monitoring approach for each environment is fundamentally different, and the gap between them is where most blind spots live.
| Aspect | On-premises AD | Microsoft Entra ID |
|---|---|---|
| Log source | Windows Security Event Log on each domain controller | Centralized Entra ID service (cloud-hosted) |
| Authentication protocol | Kerberos and NTLM | OAuth 2.0, SAML, OpenID Connect |
| Log access method | Event Viewer, PowerShell, or third-party tool | Entra admin center, Graph API, Azure Monitor |
| Default retention | Limited by Security log size (typically overwritten) | 7 days (free) / 30 days (P1/P2) |
| MFA visibility | Not native (requires ADFS or a third-party solution) | Built-in: MFA status, method, and result per sign-in |
| Conditional Access | Not available | Native policy engine with per-sign-in enforcement result |
| Real-time alerting | Not built in (requires Task Scheduler workarounds or third-party tools) | Limited: requires Log Analytics workspace and Azure Monitor alert rules |
| Hybrid correlation | Manual (requires log aggregation from domain controllers and Entra ID separately) | Not built in natively across both environments |
That last row is the one worth paying attention to. A compromised account doesn't stay in one environment.
An attacker who steals credentials through an Entra ID phishing attack can pivot to on-premises resources. An attacker who compromises an on-premises domain controller can escalate to cloud resources through Azure AD Connect synchronization. Monitoring both environments in isolation leaves a gap that attackers routinely exploit.
Security risks and attacks targeting Entra ID
Entra ID monitoring exists because specific, well-documented attack techniques target cloud identity infrastructure. Here's what you're actually defending against.
Password spray attacks. An attacker tries a small number of commonly used passwords against many accounts at once, staying below the lockout threshold for any individual account. In sign-in logs, this looks like distributed failed sign-in attempts across multiple accounts from a small number of IP addresses. Microsoft Entra ID Identity Protection flags these as risk detections, but only if Identity Protection is enabled and configured.
According to Microsoft's Digital Defense Report 2024, password spray attacks account for more than 99% of all password-based identity attacks on Microsoft Entra ID tenants.
Brute-force attacks. Unlike password spray, brute-force targets a single account with repeated authentication attempts. You'll see a spike in failed sign-in events for one user, typically from a single or small cluster of IP addresses. The distinction matters because brute-force triggers account lockout, while password spray is designed to avoid it.
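The two failure patterns above can be told apart mechanically from the sign-in log. The following Python is an added example, not code from this page or from ADAudit Plus: it runs over records shaped like Microsoft Graph signIn objects (userPrincipalName, ipAddress, createdDateTime, status.errorCode) using constructed sample data, and the thresholds are assumptions to tune against your own tenant's baseline.

```python
# Added example: classify failed sign-ins into password spray vs brute force.
# Input records mimic the Microsoft Graph signIn shape; sample data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Error code 50126 = invalid username or password; 0 = success.
SAMPLE_SIGNINS = (
    # spray: one IP, one guess per account, spread across many accounts
    [{"userPrincipalName": f"user{i}@contoso.example", "ipAddress": "203.0.113.7",
      "createdDateTime": f"2024-05-01T02:{i:02d}:00Z", "status": {"errorCode": 50126}}
     for i in range(12)]
    # brute force: one account hammered from one IP within seconds
    + [{"userPrincipalName": "cfo@contoso.example", "ipAddress": "198.51.100.9",
        "createdDateTime": f"2024-05-01T03:00:{s:02d}Z", "status": {"errorCode": 50126}}
       for s in range(0, 40, 2)]
    # benign noise: one typo followed by a success
    + [{"userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.5",
        "createdDateTime": "2024-05-01T08:00:00Z", "status": {"errorCode": 50126}},
       {"userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.5",
        "createdDateTime": "2024-05-01T08:00:30Z", "status": {"errorCode": 0}}]
)


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def classify_failures(signins, window=timedelta(hours=1), spray_min_users=10,
                      spray_max_per_user=2, brute_min_attempts=15):
    """Return {'password_spray': [ip, ...], 'brute_force': [upn, ...]}.

    Password spray: one source IP fails against many distinct accounts with
    only a few tries each (stays under lockout).  Brute force: one account
    accumulates many failures inside `window`.  The batch is assumed to be a
    single pull covering the period of interest; thresholds are assumptions.
    """
    failures = sorted((r for r in signins if r["status"]["errorCode"] != 0), key=_ts)
    by_ip = defaultdict(lambda: defaultdict(int))   # ip -> upn -> failure count
    by_user = defaultdict(list)                      # upn -> sorted failure times
    for r in failures:
        by_ip[r["ipAddress"]][r["userPrincipalName"]] += 1
        by_user[r["userPrincipalName"]].append(_ts(r))

    spray = sorted(ip for ip, users in by_ip.items()
                   if len(users) >= spray_min_users
                   and max(users.values()) <= spray_max_per_user)

    brute = []
    for upn, times in by_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= brute_min_attempts:
                brute.append(upn)
                break
    return {"password_spray": spray, "brute_force": sorted(brute)}
```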
MFA fatigue (prompt bombing). An attacker who already has valid credentials sends repeated MFA push notifications until the user approves one out of frustration or confusion. In log data, this shows up as multiple MFA challenge events in rapid succession followed by a successful sign-in. Microsoft has responded by making number matching a default for Authenticator push notifications, but legacy MFA configurations without number matching are still vulnerable.
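The burst-then-approval sequence described above can be picked out of the same sign-in records. This Python is an added example, not code from the page or from ADAudit Plus; it assumes Graph-style signIn records where error code 500121 marks a failed or denied strong-authentication request and mfaDetail.authMethod carries the method, uses constructed sample data, and its thresholds are assumptions.

```python
# Added example: flag an MFA fatigue pattern, i.e. a run of failed or denied
# push challenges for one user followed shortly by a successful push approval.
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121   # assumed: "authentication failed during strong authentication request"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(signins, min_challenges=5, window=timedelta(minutes=10)):
    """Return {upn: approval_time} for users whose successful push approval was
    preceded by at least `min_challenges` MFA failures inside `window`."""
    per_user = defaultdict(list)
    for r in sorted(signins, key=lambda r: r["createdDateTime"]):
        per_user[r["userPrincipalName"]].append(r)
    hits = {}
    for upn, recs in per_user.items():
        recent = []   # timestamps of MFA failures still inside the window
        for r in recs:
            t = _ts(r["createdDateTime"])
            recent = [x for x in recent if t - x <= window]
            code = r["status"]["errorCode"]
            method = (r.get("mfaDetail") or {}).get("authMethod")
            if code == MFA_FAILED:
                recent.append(t)
            elif code == 0 and method == "Mobile app notification":
                if len(recent) >= min_challenges:
                    hits[upn] = r["createdDateTime"]
                recent = []   # a success closes the sequence either way
    return hits


def _rec(upn, when, code, method=None):
    rec = {"userPrincipalName": upn, "createdDateTime": when,
           "ipAddress": "203.0.113.7", "status": {"errorCode": code}}
    if method:
        rec["mfaDetail"] = {"authMethod": method}
    return rec


# Constructed sample: bob denies six pushes in five minutes and then approves one;
# alice misses a single push and approves the next (normal behaviour).
SAMPLE = (
    [_rec("bob@contoso.example", f"2024-05-01T02:0{m}:00Z", MFA_FAILED) for m in range(6)]
    + [_rec("bob@contoso.example", "2024-05-01T02:07:00Z", 0, "Mobile app notification")]
    + [_rec("alice@contoso.example", "2024-05-01T09:00:00Z", MFA_FAILED),
       _rec("alice@contoso.example", "2024-05-01T09:01:00Z", 0, "Mobile app notification")]
)
```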
Adversary-in-the-middle (AiTM) phishing. The attacker proxies the user's entire authentication session through a phishing site, capturing both the password and the session token in real time. This bypasses MFA entirely because the attacker relays the genuine MFA challenge to the real user. You can spot it through sign-in logs showing unfamiliar IP addresses or proxy infrastructure paired with successful MFA completion from a geo-location inconsistent with the user's baseline.
The Microsoft Threat Intelligence team documented a large-scale AiTM campaign in 2023 that targeted over 10,000 organizations.
Illicit consent grant (OAuth consent abuse). An attacker tricks a user or admin into granting excessive OAuth permissions to a malicious application, giving the attacker persistent access to mailbox data, files, or directory information without needing credentials at all. Audit logs record consent grant events. The fields to watch are the application name, the permissions granted, and whether admin consent (which applies tenant-wide) was used.
Privilege escalation via role assignment. An attacker with a compromised account assigns themselves a higher-privileged directory role. Audit logs record role membership changes. Only Global Administrator and Privileged Role Administrator can assign directory roles in Microsoft Entra ID.
If your audit logs show a role assignment performed by any other role, that's either a misconfiguration or a sign of compromise.
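The check in the two paragraphs above (who performed a role assignment, and whether they assigned a role to themselves) can be run over audit log records. This Python is an added example, not code from the page or from ADAudit Plus; it assumes records shaped like Microsoft Graph directoryAudit objects (activityDisplayName, initiatedBy.user, targetResources with a Role.DisplayName modified property), constructed sample events, and an actor-to-role map that you would build from a separate role membership pull.

```python
# Added example: review "Add member to role" audit events for assignments made
# by an actor outside the roles that may assign directory roles, or by an actor
# who added themselves.  Record shape and sample data are assumptions.
ALLOWED_ASSIGNERS = {"Global Administrator", "Privileged Role Administrator"}


def _role_name(event):
    # Role.DisplayName appears in modifiedProperties as a JSON-quoted string.
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return prop.get("newValue", "").strip('"')
    return None


def _target_user(event):
    for target in event.get("targetResources", []):
        if target.get("type") == "User":
            return target.get("userPrincipalName")
    return None


def review_role_assignments(audit_events, actor_roles):
    """Return [(actor, target_user, role, reason), ...] for suspicious events."""
    findings = []
    for ev in audit_events:
        if ev.get("activityDisplayName") != "Add member to role" or ev.get("result") != "success":
            continue
        actor = (ev.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName")
        if actor is None:   # app / service principal actors need a separate review
            continue
        role, target = _role_name(ev), _target_user(ev)
        if not (actor_roles.get(actor, set()) & ALLOWED_ASSIGNERS):
            findings.append((actor, target, role, "actor lacks a role that can assign roles"))
        elif actor == target:
            findings.append((actor, target, role, "self-assignment"))
    return findings


def _event(actor, target, role, result="success"):
    return {"activityDisplayName": "Add member to role", "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "User", "userPrincipalName": target,
                                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                         "newValue": f'"{role}"'}]}]}


# Constructed sample events and an assumed actor-to-role map.
SAMPLE_EVENTS = [
    _event("admin@contoso.example", "new.admin@contoso.example", "Global Administrator"),
    _event("helpdesk@contoso.example", "helpdesk@contoso.example", "Global Administrator"),
    _event("admin@contoso.example", "admin@contoso.example", "Privileged Role Administrator"),
    _event("admin@contoso.example", "x@contoso.example", "Global Administrator", result="failure"),
]
ACTOR_ROLES = {"admin@contoso.example": {"Global Administrator"},
               "helpdesk@contoso.example": {"Helpdesk Administrator"}}
```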
Legacy authentication exploitation. Attackers target legacy protocols (SMTP, IMAP, POP3) specifically because these protocols don't support MFA. A stolen password is all that's needed to authenticate. Filter sign-in logs by the "Legacy Authentication" client app type to find these attempts.
Blocking legacy authentication through Conditional Access is the primary defense, but monitoring for attempts tells you whether credentials are already in attacker hands.
Impossible travel. Sign-in events from two geographically distant locations within a timeframe that makes physical travel impossible. Microsoft Entra ID Identity Protection flags this automatically. Some impossible-travel alerts are false positives caused by VPN usage, but a pattern of them for a single user warrants investigation.
ADAudit Plus detects password spray attacks, brute-force attempts, and privilege escalation events across both on-premises AD and Microsoft Entra ID through its Attack Surface Analyzer, which correlates identity signals from both environments in a single console.
Native Entra ID monitoring limitations
Microsoft Entra ID provides log data and basic Identity Protection risk signals, but the native toolset has specific limitations that create real problems at scale.
Log retention caps. Sign-in and audit logs are retained for a maximum of 30 days on P1 and P2 licensed tenants, and only seven days on free-tier tenants. If you're subject to compliance standards that require years of retention (HIPAA requires six years, SOX requires seven years, PCI-DSS requires one year), native retention falls well short. Extending retention requires routing logs to a Log Analytics workspace or Azure Storage account, which adds cost and configuration overhead.
No real-time alerting out of the box. The Microsoft Entra admin center displays logs, but it doesn't notify you when something critical happens. If a Global Administrator role is assigned at two a.m., nobody finds out unless you've already configured Azure Monitor alert rules on a Log Analytics workspace. Setting that up requires creating a diagnostic settings export, provisioning a Log Analytics workspace, writing KQL alert queries, and configuring action groups for email or SMS delivery.
That's a lot of infrastructure for what should be a basic capability.
No scheduled report delivery. Native tools don't offer a way to automatically generate and email audit reports on a recurring schedule. Compliance teams and managers who need periodic reports on role changes, user creation, or sign-in anomalies have to log in and pull them manually every time.
No cross-environment correlation. Entra ID logs cover cloud authentication. On-premises AD logs cover domain controller events. There's no native way to see a user's Entra ID sign-in activity alongside their on-premises AD logon events, group membership changes, or GPO modifications in a single view.
For hybrid organizations, that means two separate consoles, two separate log formats, and manual effort to connect a cloud sign-in anomaly with an on-premises lateral movement pattern.
Limited risk context. Identity Protection flags risky sign-ins, but it doesn't give you a full forensic timeline showing what the user did before and after the risky event across both cloud and on-premises environments. Investigating an alert still requires manual pivoting between sign-in logs, audit logs, and on-premises event logs.
No behavioral baselines for directory changes. Entra ID can flag risky sign-ins through Identity Protection, but it doesn't apply behavioral baselines to directory change activity. If an admin account suddenly makes 50 group membership changes at three a.m. after months of making two or three per week during business hours, native monitoring won't flag that as unusual. You'd only catch it by accident.
Monitoring Entra ID with ADAudit Plus
What ADAudit Plus monitors in Microsoft Entra ID
Sign-in monitoring. ADAudit Plus tracks all Entra ID sign-in events (successful, failed, and risky) with geo-location, device info, MFA status, MFA method, and Conditional Access result. Pre-built reports include Logon Activity, Logon Failures, Logon Failure due to bad password, Logon Activity by Legacy Authentication, Account Locked Out Users, Risky Logon Activity, Impossible travel to atypical locations, Login by PasswordSpray Account, and Login with leaked credentials.
User and group change auditing. ADAudit Plus captures user creation, deletion, modification, password changes, password resets, account enable and disable events, group membership additions and removals, group ownership changes, and role assignments and removals through dedicated Cloud Directory reports.
Application and OAuth monitoring. ADAudit Plus tracks new application registrations, OAuth 2.0 permission grants and removals, user and admin consent events, and consent revocations through reports under Cloud Directory > Application Management, including Recently Added OAuth2.0 Permission and Recently Consent to Application.
Conditional Access policy auditing. ADAudit Plus records Conditional Access policy creation, modification, and deletion through dedicated reports under Cloud Directory > Conditional Policy Changes.
MFA monitoring. Dedicated reports cover MFA-enabled and MFA-disabled sign-ins, MFA failure events, MFA method usage, and MFA usage summaries under Cloud Directory > Logon Activity By MFA.
Device and Intune auditing. ADAudit Plus tracks device enrollment, compliance policy changes, configuration policy changes, and Intune device actions through Cloud Directory > Device Management and Cloud Directory > Intune Reports.
Risk detection. ADAudit Plus surfaces Microsoft Entra ID Identity Protection risk detections (anonymous IP, malicious IP, password spray, impossible travel, leaked credentials) in pre-built reports under Cloud Directory > Risk Detection.
Hybrid correlation. ADAudit Plus correlates on-premises AD logon events (Event ID 4624, Event ID 4625, Event ID 4768, Event ID 4771) with Entra ID sign-in events for hybrid users, displaying both in a unified view. This closes the cross-environment gap that native monitoring can't address.
Real-time alerts. You can configure alert profiles for critical Entra ID events (privileged role changes, Conditional Access policy modifications, risky sign-ins) with email and SMS delivery. Alerts can trigger automated responses, including ticket creation in ServiceNow, Jira, or ManageEngine Service Desk Plus.
Compliance reports. Pre-configured report sets mapped to SOX, HIPAA, PCI-DSS, FISMA, GLBA, GDPR, and ISO 27001. Reports can be scheduled for automatic delivery on an hourly, daily, weekly, or monthly basis to compliance officers and auditors.
User behavior analytics. Machine learning baselines applied per user to detect anomalies in sign-in patterns, directory change activity, and file access. UBA reports surface unusual logon times, unusual failure volumes, first-time host access, and unusual volumes of user management activity.
Native Entra ID monitoring versus ADAudit Plus
| Capability | Native Entra ID monitoring | ADAudit Plus |
|---|---|---|
| Sign-in log retention | 7 to 30 days depending on license tier | Unlimited (data archiving with configurable retention) |
| Audit log retention | 7 to 30 days depending on license tier | Unlimited (data archiving with configurable retention) |
| Real-time alerts for critical events | Requires Azure Monitor and Log Analytics workspace setup | Built-in alert profiles with email and SMS delivery |
| Scheduled report delivery | Not available natively | Automated report scheduling (hourly, daily, weekly, monthly) with email delivery |
| Hybrid AD and Entra ID correlation | Not available natively | Unified view of on-premises AD and Entra ID events in a single console |
| User behavior analytics | Limited to Identity Protection risk signals | ML-based per-user behavioral baselines across logon, change, and file activity |
| Named attack detection | Identity Protection risk detections (password spray, anonymous IP, impossible travel, leaked credentials) | Attack Surface Analyzer with 25+ named AD attack detections and cloud risky configuration scanning |
| Compliance-mapped reports | Not available natively | Pre-configured report sets for SOX, HIPAA, PCI-DSS, FISMA, GLBA, GDPR, ISO 27001 |
| Legacy authentication visibility | Available in sign-in logs with manual filtering | Dedicated Logon Activity by Legacy Authentication report |
| Application consent monitoring | Available in audit logs | Dedicated reports for OAuth 2.0 permission grants, consent events, and revocations |
| Response automation | Requires integration with Azure Logic Apps or Microsoft Sentinel | Built-in automated response (alert triggers ticket creation and team notification) |
Getting started
Go to Cloud Directory > User Logon Reports > Logon Activity to view all Entra ID sign-in events.
Go to Cloud Directory > Risk Detection > Risky Logon Activity to review identity risk signals.
Go to Cloud Directory > User Management > Recently Created Users to audit new account creation.
Go to Cloud Directory > Role Management > Recently Added Member to Role to track privileged role assignments.
Go to Cloud Directory > Application Management > Recently Consent to Application to monitor OAuth consent grants.
FAQ
What does Entra ID Identity Protection detect?
Entra ID Identity Protection detects two categories of risk. User risk measures the likelihood that an account has been compromised, based on signals like leaked credentials found in known breach databases. Sign-in risk measures the likelihood that a specific sign-in wasn't performed by the account owner, based on signals like impossible travel, anonymous IP usage, malicious IP addresses, and password spray patterns.
What is the difference between Azure AD and Microsoft Entra ID?
Microsoft renamed Azure Active Directory to Microsoft Entra ID in July 2023. The product capabilities are the same. References to "Azure AD" in the Microsoft admin center, APIs, and documentation have been updated to "Microsoft Entra ID," although some legacy API endpoints and PowerShell module names still use the older naming convention.
Is Microsoft Entra ID secure on its own?
Microsoft Entra ID includes built-in security features: multi-factor authentication, Conditional Access policies, Identity Protection risk detections, and Privileged Identity Management for just-in-time access to privileged roles. But these features require proper configuration and ongoing monitoring to be effective. An Entra ID tenant with MFA disabled, no Conditional Access policies, and no log monitoring is significantly more vulnerable than one where all three are actively managed and reviewed.
