Azure AD (Entra ID) Sign-in Logs
Location
Azure Portal > Entra ID > Monitoring > Sign-in logs (or Microsoft Graph API /auditLogs/signIns)Description
Detailed authentication logs recording every interactive and non-interactive sign-in including result status, MFA details, conditional access policy evaluation, device compliance state, IP address, location, and risk level.
Forensic Value
Sign-in logs are the primary source for detecting compromised identities. Filtering by ResultType reveals specific failure reasons (e.g., 50126 invalid password, 50074 MFA required, 53003 blocked by CA policy). Impossible-travel detection compares sequential sign-in locations. Non-interactive sign-in logs expose token replay attacks where stolen refresh tokens are used from attacker infrastructure without triggering MFA.
Tools Required
Collection Commands
Graph API
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-01-01T00:00:00Z&$top=999
PowerShell
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge 2024-01-01" -Top 1000 | Export-Csv signin_logs.csv -NoTypeInformation
az CLI
az rest --method GET --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=createdDateTime ge 2024-01-01" --output json > signins.json
MITRE ATT&CK Techniques
Used in Procedures
Validate the Initial Access Vector
triage
Credential and Account Lockdown
contain
M365 Unified Audit Log Collection
collect
Azure AD Sign-In and Audit Log Collection
collect
Revoke Cloud Sessions and Tokens
contain
Mass Credential Reset and Session Invalidation
eradicate
Covert Evidence Capture for Insider Threat
preserve
Phishing Artifact Collection: Headers, URLs, Attachments
collect
Phishing Campaign Scope and Credential Exposure
analyze
Related Blockers
M365/Azure Logs Past Retention Period
Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.
Unknown Scope of Credential Compromise
One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.
Attacker Using VPN/Tor -- Cannot Determine True Origin
The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.
Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Regulatory Notification Deadline Approaching
A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.
Shared Cloud Environment Complicates Isolation
The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.