The Azure AD sign-in logs are an indispensable tool for troubleshooting and investigating security-related incidents. For years they had a major flaw though – no records were being generated for any login made by using the client credentials grant flow. Well, Microsoft has finally delivered on this front, so rejoice!

To access the service principal login entries, you can use the Sign-ins tab in the Azure AD blade, then hit the Service principal sign-ins tab. Note the banner on top: it indicates that I’m using the new Preview experience, which you must switch to in order to get the SPN sign-in logs.

By default, entries from the past 24h will be displayed, but you can adjust the window to up to 30 days by using the Date selection dropdown. Other settings include the option to toggle between local and UTC timestamps, control how entries are being aggregated (you can choose between 1 hour, 6 hours, 1 day) and add optional filters, such as the Service principal ID or name, IP address, Resource, and more.

The entries themselves are represented in an aggregated view, and you have to expand a given group in order to get additional details on a particular sign-in. Under the Details pane, you will see info as to the date the activity was performed, status, application, resource and service principal details, IP address and resolved geo-location.

Comparing the details with a “regular” sign-in, you will note a lot of missing data, most notably the Conditional access details. Unfortunately, Conditional Access policies still do not apply to logins performed via the client credentials flow, making it that much more important to be able to report on any and all activities performed via a given application.

If needed, you can Download the data in CSV or JSON format. For the former, the file name will resemble something like “ApplicationSignIns_”. You can also Export the data to a Log analytics workspace, which is Microsoft’s preferred method of working with the sign-in logs. At this time, the service principal sign-in logs do not flow into the Unified Audit Log within Office 365, aren’t consumed by MCAS and cannot be accessed via the Graph API, making the Azure AD blade and Log analytics your only choices.
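As an added example (not code from the original post), the sketch below reports on a JSON download of the service principal sign-ins: it rebuilds the portal's 1 hour / 6 hours / 1 day aggregation offline and lists source IPs outside an expected set, a useful check given that Conditional Access does not cover the client credentials flow. The field names, the sample entries and the `expected` allow-list are assumptions; adjust them to match your actual export.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample shaped like a JSON download of service principal sign-ins.
# Field names are assumptions; adjust them to match your actual export.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2021-03-01T08:05:11Z", "servicePrincipalId": "sp-0001",
     "servicePrincipalName": "backup-app", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T08:47:30Z", "servicePrincipalId": "sp-0001",
     "servicePrincipalName": "backup-app", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T13:02:09Z", "servicePrincipalId": "sp-0001",
     "servicePrincipalName": "backup-app", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 7000215}},
    {"createdDateTime": "2021-03-01T13:10:00Z", "servicePrincipalId": "sp-0002",
     "servicePrincipalName": "report-job", "resourceDisplayName": "Azure Key Vault",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
])

def window_start(ts, hours):
    """Floor a timestamp to the start of its aggregation window (UTC)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % (hours * 3600), tz=timezone.utc)

def aggregate(export_json, hours=1):
    """Group sign-ins per (service principal, resource, window), like the portal view."""
    groups = defaultdict(lambda: {"count": 0, "failures": 0, "ips": set()})
    for e in json.loads(export_json):
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        g = groups[(e["servicePrincipalName"], e["resourceDisplayName"], window_start(ts, hours))]
        g["count"] += 1
        g["failures"] += int(e["status"]["errorCode"] != 0)
        g["ips"].add(e["ipAddress"])
    return dict(groups)

def unexpected_ips(export_json, expected):
    """Return {service principal name: IPs outside its expected set (hypothetical allow-list)}."""
    found = defaultdict(set)
    for e in json.loads(export_json):
        if e["ipAddress"] not in expected.get(e["servicePrincipalName"], set()):
            found[e["servicePrincipalName"]].add(e["ipAddress"])
    return dict(found)

if __name__ == "__main__":
    for (name, resource, start), g in sorted(aggregate(SAMPLE_EXPORT, hours=6).items()):
        print(start.isoformat(), name, resource, g["count"], g["failures"], sorted(g["ips"]))
    print(unexpected_ips(SAMPLE_EXPORT, {"backup-app": {"203.0.113.10"}}))
```

A service principal missing from `expected` has every one of its IPs reported, so unknown applications surface rather than pass silently.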