Sign-In, Audit, and Provisioning Log Analysis
Sign-In, Audit, and Provisioning Log Analysis are critical components of identity governance in Microsoft Entra ID (formerly Azure AD), enabling administrators to monitor, troubleshoot, and automate identity-related activities.

**Sign-In Logs** capture detailed records of every authentication attempt across your organization. They include information such as user identity, application accessed, location, device details, conditional access policy results, and success or failure status. Analyzing sign-in logs helps administrators detect suspicious login patterns, failed authentication attempts, risky sign-ins from unfamiliar locations, and compliance with conditional access policies. These logs are essential for identifying compromised accounts and evaluating the effectiveness of security policies.

**Audit Logs** track all changes made within the directory, providing a comprehensive trail of administrative and user-driven activities. This includes user creation, role assignments, group membership changes, application registrations, password resets, and policy modifications. Audit logs are vital for compliance reporting, investigating unauthorized changes, and maintaining accountability across the identity infrastructure. They help answer questions like who made a change, what was changed, and when it occurred.

**Provisioning Logs** record activities related to automated user provisioning and deprovisioning between Microsoft Entra ID and connected applications or directories. They detail which users were created, updated, disabled, or deleted in target systems through SCIM or other provisioning protocols. These logs are crucial for troubleshooting provisioning failures, verifying that joiner-mover-leaver processes are functioning correctly, and ensuring identity lifecycle automation operates as expected.

Administrators can analyze these logs through the Entra admin center, Microsoft Graph API, Azure Monitor, Log Analytics workspaces, and SIEM solutions like Microsoft Sentinel. By routing logs to Log Analytics, organizations can create custom queries using KQL, build dashboards, set up automated alerts, and retain data beyond default retention periods. This comprehensive log analysis enables proactive identity governance, regulatory compliance, security incident response, and continuous improvement of identity management processes.
Sign-In, Audit, and Provisioning Log Analysis in Microsoft Entra ID (SC-300)
Why Sign-In, Audit, and Provisioning Log Analysis Matters
Understanding and analyzing logs is a foundational skill for any identity administrator. In Microsoft Entra ID (formerly Azure AD), logs serve as your primary source of truth for answering critical questions: Who accessed what? When did a configuration change? Why did a provisioning event fail? Without proper log analysis, organizations operate blindly—unable to detect security threats, troubleshoot access issues, or demonstrate compliance during audits.
For the SC-300 exam, Microsoft expects candidates to not only know where logs exist, but also to understand what each log type captures, how to filter and interpret log data, and when to use each log type for specific scenarios.
What Are Sign-In, Audit, and Provisioning Logs?
Microsoft Entra ID provides three primary log categories, each serving a distinct purpose:
1. Sign-In Logs
Sign-in logs capture every authentication attempt against your Microsoft Entra ID tenant. There are multiple sub-types:
- Interactive sign-ins: A user directly provides credentials (username/password, MFA prompt, passwordless sign-in).
- Non-interactive sign-ins: Sign-ins performed by a client app on behalf of a user without direct user interaction (e.g., token refresh, SSO using a session cookie).
- Service principal sign-ins: Authentication events for apps and service principals using client credentials, certificates, or managed identities.
- Managed identity sign-ins: Authentication events for Azure resources using managed identities to access other resources.
Each sign-in log entry includes details such as:
- User identity (UPN, Object ID)
- Application name and ID
- Resource accessed
- IP address and location
- Device information and compliance state
- Conditional Access policies applied and their result (Success, Failure, Not Applied)
- MFA details (requirement, method used, result)
- Sign-in status (success or failure with error codes)
- Risk level and risk detail (if Identity Protection is enabled)
2. Audit Logs
Audit logs track every configuration change and administrative action within your Microsoft Entra ID tenant. These are critical for governance, compliance, and troubleshooting. Audit logs capture:
- User management: User creation, deletion, password resets, profile updates
- Group management: Group creation, membership changes, dynamic group rule updates
- Application management: App registrations, enterprise app configurations, consent grants
- Role management: Role assignments, PIM activations, administrative unit changes
- Policy changes: Conditional Access policy modifications, authentication method changes, named location updates
- Directory-level changes: Tenant settings, domain management, license assignments
Each audit log entry includes:
- Activity name and category
- Target resource (user, group, app, policy affected)
- Initiated by (the actor—user or service principal that made the change)
- Date and timestamp
- Result (success or failure)
- Modified properties (old value vs. new value)
3. Provisioning Logs
Provisioning logs record the activities performed by the Microsoft Entra ID provisioning service. This includes:
- Inbound provisioning: Syncing users from external HR systems (e.g., Workday, SAP SuccessFactors) into Entra ID
- Outbound provisioning: Provisioning users from Entra ID to third-party SaaS applications (e.g., ServiceNow, Salesforce, Dropbox)
- Cross-tenant provisioning: Syncing users between Entra ID tenants (B2B cross-tenant sync)
Each provisioning log entry includes:
- Identity being provisioned (source and target system identifiers)
- Provisioning action (Create, Update, Delete, Disable, Other)
- Source and target systems
- Status (Success, Failure, Skipped)
- Modified properties with old and new values
- Troubleshooting and recommendations (especially for failures and skipped entries)
- Provisioning step details showing the exact sequence of operations
How Log Analysis Works in Practice
Accessing Logs
Logs can be accessed through multiple channels:
- Microsoft Entra admin center: Navigate to Identity > Monitoring & health > Sign-in logs / Audit logs / Provisioning logs
- Microsoft Graph API: Programmatic access for automation and custom reporting
- Azure Monitor (Log Analytics): For long-term retention, advanced KQL queries, and cross-correlation
- Event Hubs: For streaming to third-party SIEM solutions
- Storage Accounts: For archival purposes
Log Retention
Understanding retention is critical for the exam:
- Free tier: Sign-in and audit logs retained for 7 days
- Microsoft Entra ID P1/P2: Sign-in and audit logs retained for 30 days
- Routing to Log Analytics, Storage Account, or Event Hub: Allows custom retention beyond default periods (up to 2 years in Log Analytics, or indefinitely in a Storage Account)
- Provisioning logs: Retained for 30 days regardless of license tier
Filtering and Querying
In the Entra admin center, you can filter logs by:
- Date range
- User, application, or resource
- Status (success, failure, interrupted)
- Conditional Access result
- IP address or location
- Risk level
For advanced analysis, route logs to a Log Analytics workspace and use Kusto Query Language (KQL). Example scenarios:
- Identify all failed sign-ins from a specific country in the past 24 hours
- Find all Conditional Access policy changes made by a specific administrator
- Correlate provisioning failures with specific attribute mapping issues
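The three query scenarios above are normally written in KQL against a Log Analytics workspace. As an added example (not code from the original page or from Microsoft), the same three questions are answered below in Python over exported log records, which lets you check the logic offline. The records are constructed sample data that use a subset of the field names of the Microsoft Graph `signIn`, `directoryAudit` and `provisioningObjectSummary` resources; the `contoso.example` accounts, policy names and provisioning step names are invented for the sample.

```python
"""Offline re-creation of the three KQL scenarios over exported log records.

Added example, not code from the original page or from Microsoft. All records
below are constructed sample data shaped like the Microsoft Graph signIn,
directoryAudit and provisioningObjectSummary resources (subset of fields).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps found in Entra log exports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


NOW = datetime(2024, 5, 2, 6, 0, tzinfo=timezone.utc)  # fixed "now" for the sample data

SIGNINS = [  # constructed sign-in records
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-01T20:15:00Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"}},
    {"createdDateTime": "2024-05-02T01:30:00Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 53003}, "location": {"countryOrRegion": "BR"}},
    {"createdDateTime": "2024-04-20T01:30:00Z", "userPrincipalName": "carol@contoso.example",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"}},  # outside 24h window
]

AUDITS = [  # constructed audit records
    {"activityDateTime": "2024-05-01T09:00:00Z", "category": "Policy",
     "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Require MFA for admins", "type": "Policy",
                          "modifiedProperties": [{"displayName": "State",
                                                  "oldValue": "enabled", "newValue": "disabled"}]}]},
    {"activityDateTime": "2024-05-01T10:00:00Z", "category": "UserManagement",
     "activityDisplayName": "Reset password",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "alice@contoso.example", "type": "User",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2024-05-01T11:00:00Z", "category": "Policy",
     "activityDisplayName": "Add conditional access policy",
     "initiatedBy": {"app": {"displayName": "Automation app"}},  # a service principal, not the admin
     "targetResources": [{"displayName": "Block legacy auth", "type": "Policy",
                          "modifiedProperties": []}]},
]

PROVISIONING = [  # constructed provisioning records; step names are illustrative
    {"sourceIdentity": {"displayName": "dave@contoso.example"}, "statusInfo": {"status": "failure"},
     "provisioningSteps": [{"name": "EntryImport", "status": "success"},
                           {"name": "EntryExportAdd", "status": "failure",
                            "description": "Required attribute 'department' is null"}]},
    {"sourceIdentity": {"displayName": "erin@contoso.example"}, "statusInfo": {"status": "failure"},
     "provisioningSteps": [{"name": "EntryImport", "status": "success"},
                           {"name": "EntryExportAdd", "status": "failure",
                            "description": "Required attribute 'department' is null"}]},
    {"sourceIdentity": {"displayName": "frank@contoso.example"}, "statusInfo": {"status": "failure"},
     "provisioningSteps": [{"name": "EntryImport", "status": "success"},
                           {"name": "EntryExportAdd", "status": "failure",
                            "description": "Target returned HTTP 429"}]},
    {"sourceIdentity": {"displayName": "grace@contoso.example"}, "statusInfo": {"status": "success"},
     "provisioningSteps": [{"name": "EntryImport", "status": "success"},
                           {"name": "EntryExportAdd", "status": "success"}]},
]


def failed_signins_from_country(records, country, now=NOW, hours=24):
    """Scenario 1: failed sign-ins (errorCode != 0) from one country in the last `hours` hours."""
    cutoff = now - timedelta(hours=hours)
    return [r for r in records
            if r["status"]["errorCode"] != 0
            and r["location"]["countryOrRegion"] == country
            and parse_ts(r["createdDateTime"]) >= cutoff]


def ca_policy_changes_by(records, actor_upn):
    """Scenario 2: Conditional Access policy changes whose 'Initiated by' user is actor_upn."""
    hits = []
    for r in records:
        actor = r["initiatedBy"].get("user", {}).get("userPrincipalName")
        if r["category"] != "Policy" or actor != actor_upn:
            continue
        if "conditional access" not in r["activityDisplayName"].lower():
            continue
        for target in r["targetResources"]:
            hits.append({"when": r["activityDateTime"], "activity": r["activityDisplayName"],
                         "policy": target["displayName"],
                         "changes": [(p["displayName"], p["oldValue"], p["newValue"])
                                     for p in target["modifiedProperties"]]})
    return hits


def provisioning_failures_by_step(records):
    """Scenario 3: count failures by (failing step, reason); repeated reasons point at a mapping issue."""
    counts = Counter()
    for r in records:
        if r["statusInfo"]["status"] != "failure":
            continue
        failing = next((s for s in r["provisioningSteps"] if s["status"] == "failure"), None)
        if failing:
            counts[(failing["name"], failing.get("description", ""))] += 1
    return counts


if __name__ == "__main__":
    for r in failed_signins_from_country(SIGNINS, "BR"):
        print("failed sign-in:", r["userPrincipalName"], r["status"]["errorCode"])
    for h in ca_policy_changes_by(AUDITS, "admin@contoso.example"):
        print("CA policy change:", h)
    for key, n in provisioning_failures_by_step(PROVISIONING).most_common():
        print("provisioning failures:", n, "x", key)
```

Note that the audit query keys on the `initiatedBy.user` object: a change made by an app or service principal appears under `initiatedBy.app` instead, which is why the third audit record is not attributed to the administrator. Grouping provisioning failures by the failing step and its description makes a shared attribute-mapping fault (two users failing on the same null required attribute) stand out from a one-off target-system error.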
Diagnostic Settings
To route logs outside of Entra ID, you must configure Diagnostic settings in the Microsoft Entra admin center (or Azure portal). You select which log categories to export and the destination (Log Analytics workspace, Storage Account, Event Hub, or partner solution). This requires at least the Security Administrator or Reports Reader role to view logs, and a Global Administrator or Security Administrator to configure diagnostic settings.
Common Scenarios and How to Analyze Them
Scenario 1: User Cannot Sign In
Check the sign-in logs. Filter by the user's UPN and look at the most recent entries. Examine:
- The error code and failure reason (e.g., 50053 = account locked, 50126 = invalid credentials, 53003 = blocked by Conditional Access)
- Conditional Access details to see which policies were applied and which caused a block
- MFA details if multi-factor authentication was required but not completed
Scenario 2: Investigating a Policy Change
Check the audit logs. Filter by category (e.g., "Policy") and search for the specific Conditional Access policy name. Review:
- Who initiated the change (Initiated by actor)
- What was changed (Modified properties showing old and new values)
- When the change occurred
Scenario 3: User Not Provisioned to SaaS App
Check the provisioning logs. Filter by the user's identity and the target application. Review:
- Whether the action was Skipped (user may not match scoping filter)
- Whether the action Failed (attribute mapping error, API error from target system)
- The provisioning steps to identify exactly where the process broke down
- The troubleshooting recommendations provided in the log entry
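Scenario 1 and Scenario 3 describe a per-entry triage: read the error code, look at the Conditional Access tab for the policy that blocked, and for provisioning tell a skipped entry (scoping) from a failed one (mapping or target error). The helpers below carry out that triage over exported records; they are an added example, not code from the original page or from Microsoft. The input records are constructed sample data using a subset of the Microsoft Graph `signIn` and `provisioningObjectSummary` field names (`status.errorCode`, `appliedConditionalAccessPolicies[].result`, `authenticationRequirement`, `mfaDetail`, `statusInfo.status`, `provisioningSteps`); the accounts, policy names and step names are invented, and the error-code table holds only the three codes named in Scenario 1.

```python
"""Triage helpers for 'user cannot sign in' and 'user not provisioned to SaaS app'.

Added example, not code from the original page or from Microsoft. Records are
constructed sample data using a subset of Microsoft Graph signIn and
provisioningObjectSummary fields.
"""

# The three AADSTS error codes named in Scenario 1 (status.errorCode in the sign-in entry).
ERROR_CODES = {
    50053: "account locked",
    50126: "invalid credentials",
    53003: "blocked by Conditional Access",
}

SIGNINS = [  # constructed sign-in records for two users
    {"createdDateTime": "2024-05-02T07:00:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Azure Portal",
     "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
     "authenticationRequirement": "multiFactorAuthentication", "mfaDetail": None,
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure"},
         {"displayName": "Require MFA for admins", "result": "notApplied"}]},
    {"createdDateTime": "2024-05-02T06:55:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Azure Portal",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"},
     "authenticationRequirement": "singleFactorAuthentication", "mfaDetail": None,
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2024-05-02T06:50:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Microsoft Authenticator app"},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "success"}]},
]

PROVISIONING = [  # constructed provisioning records; step names are illustrative
    {"sourceIdentity": {"displayName": "bob@contoso.example"}, "statusInfo": {"status": "skipped"},
     "provisioningSteps": [{"name": "EntryImport", "status": "success"},
                           {"name": "EntrySynchronizationScoping", "status": "skipped",
                            "description": "User is not in the scope of the scoping filter"}]},
    {"sourceIdentity": {"displayName": "dave@contoso.example"}, "statusInfo": {"status": "failure"},
     "provisioningSteps": [{"name": "EntryImport", "status": "success"},
                           {"name": "EntryExportAdd", "status": "failure",
                            "description": "Required attribute 'department' is null"}]},
]


def latest_for_user(records, upn):
    """Filter sign-ins by UPN and order newest first, as the portal filter does."""
    mine = [r for r in records if r["userPrincipalName"].lower() == upn.lower()]
    return sorted(mine, key=lambda r: r["createdDateTime"], reverse=True)


def explain_signin(record):
    """Summarise one entry: outcome, error reason, CA policies that blocked, and MFA state."""
    code = record["status"]["errorCode"]
    policies = record.get("appliedConditionalAccessPolicies", [])
    return {
        "user": record["userPrincipalName"],
        "outcome": "success" if code == 0 else "failure",
        "error_code": code,
        "reason": None if code == 0 else ERROR_CODES.get(code, record["status"].get("failureReason")),
        # The Conditional Access tab lists every evaluated policy with its result.
        "blocking_policies": [p["displayName"] for p in policies if p["result"] == "failure"],
        "not_applied_policies": [p["displayName"] for p in policies if p["result"] == "notApplied"],
        "mfa_required": record.get("authenticationRequirement") == "multiFactorAuthentication",
        "mfa_method": (record.get("mfaDetail") or {}).get("authMethod"),
    }


def explain_provisioning(record):
    """Skipped -> look at scoping; failure -> name the step that broke and its description."""
    status = record["statusInfo"]["status"]
    hints = {"skipped": "check scoping filter and app assignment",
             "failure": "check attribute mappings or the target system error"}
    step = next((s for s in record["provisioningSteps"] if s["status"] == status), None)
    return {"status": status, "hint": hints.get(status),
            "step": step["name"] if step else None,
            "detail": step.get("description") if step else None}


if __name__ == "__main__":
    for entry in latest_for_user(SIGNINS, "bob@contoso.example"):
        print(explain_signin(entry))
    for entry in PROVISIONING:
        print(entry["sourceIdentity"]["displayName"], explain_provisioning(entry))
```

For the blocked sign-in the summary names the single policy whose result is `failure` and lists the rest as not applied, which is the same reading you would take from the Conditional Access tab; `mfa_method` stays empty because the block happened before any MFA challenge completed. For provisioning, the entry status decides which step to surface, so a skipped user is traced to the scoping step rather than being investigated as a mapping error.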
Scenario 4: Compliance Audit
For demonstrating who has accessed sensitive applications, use sign-in logs filtered by the application name. For demonstrating who made administrative changes, use audit logs filtered by activity type. Route both to a Storage Account for long-term archival that meets regulatory requirements.
Integration with Other Microsoft Entra Features
- Identity Protection: Risk events feed into sign-in logs, showing risky sign-ins and risk levels
- Conditional Access: Every sign-in log entry shows which CA policies were evaluated, applied, or failed
- Access Reviews: Results appear in audit logs
- PIM (Privileged Identity Management): Role activation and deactivation events appear in audit logs
- Entitlement Management: Access package assignment and approval events appear in audit logs
Workbooks and Reports
Microsoft provides built-in Workbooks (Azure Monitor Workbooks) for common log analysis scenarios:
- Sign-in failure analysis workbook
- Conditional Access insights and reporting workbook
- Provisioning analysis workbook
These require logs to be routed to a Log Analytics workspace.
Exam Tips: Answering Questions on Sign-In, Audit, and Provisioning Log Analysis
1. Know Which Log to Use for Each Scenario
This is the most common question pattern. If the question asks about:
- Authentication failures, MFA issues, Conditional Access blocks → Sign-in logs
- Configuration changes, who modified a policy, role assignments → Audit logs
- Users not appearing in a SaaS app, sync failures from HR systems → Provisioning logs
2. Memorize Retention Periods
Expect questions about how long logs are available. Remember: Free = 7 days, P1/P2 = 30 days, and routing to Log Analytics or Storage extends retention. Provisioning logs = 30 days.
3. Understand Diagnostic Settings
Questions may ask how to send logs to a SIEM or archive them. The answer involves configuring Diagnostic settings and selecting the appropriate destination (Event Hub for SIEM streaming, Storage Account for archival, Log Analytics for advanced queries).
4. Know the Sign-In Log Sub-Types
If a question mentions a daemon application or background service authenticating, the answer is service principal sign-ins, not interactive sign-ins. If a question mentions token refresh without user interaction, it is non-interactive sign-ins.
5. Conditional Access Details in Sign-In Logs
Remember that each sign-in log entry shows the Conditional Access evaluation result. If a question asks how to determine why a user was blocked, look at the Conditional Access tab within the sign-in log entry, which shows each policy and whether it resulted in Success, Failure, or Not Applied.
6. Audit Log Actor Identification
Questions about accountability ("who made the change?") always point to audit logs. The Initiated by (actor) field shows the user or service principal responsible.
7. Provisioning Log Troubleshooting
If a provisioning question mentions a user was "skipped," think about scoping filters. If it mentions a failure, think about attribute mappings or target system errors. Provisioning logs include built-in troubleshooting guidance.
8. Required Roles
Know the minimum roles needed:
- Reports Reader: Can view sign-in and audit logs
- Security Reader: Can view sign-in and audit logs
- Global Reader: Can view sign-in and audit logs
- Security Administrator: Can view logs and configure diagnostic settings
- Global Administrator: Full access to all log and configuration capabilities
9. Graph API and KQL
Questions about programmatic or advanced log analysis often point to Microsoft Graph API (for direct querying) or KQL in Log Analytics (for complex, cross-log analysis). If the scenario requires correlating data across log types, the answer is usually Log Analytics with KQL.
10. Watch for Distractor Answers
Common distractors include:
- Using Azure Activity Log (this is for Azure resource management, not Entra ID identity events)
- Using Microsoft 365 compliance audit log (different from Entra ID audit logs, though some events overlap)
- Confusing sign-in logs with audit logs—remember: sign-in = authentication events, audit = configuration/administrative changes
11. Provisioning vs. Azure AD Connect Sync
Do not confuse provisioning logs (cloud-based provisioning service for SaaS apps and HR inbound) with Azure AD Connect sync logs (on-premises directory synchronization). Azure AD Connect has its own synchronization monitoring through Entra Connect Health.
12. Scenario-Based Question Strategy
When facing a scenario question, follow this process:
1. Identify the type of event (authentication, configuration change, or user provisioning)
2. Select the correct log type
3. Determine the correct access method (portal, Graph API, Log Analytics) based on requirements
4. Consider retention and export requirements if the question involves compliance or long-term storage
By mastering these three log types and understanding their distinct purposes, you will be well-prepared to answer SC-300 exam questions on identity governance monitoring and troubleshooting with confidence.