o365 login attempts to Sentinel SIEM

Anonymous
2021-03-17T14:51:56.593+00:00

Using a KQL query, how would someone pull login attempts to o365 from a user using the Sentinel SIEM? Logging in from outside of an org into the Office.com portal?

I know the logs or login events are captured on MCAS - but I'd want to see more details in Sentinel.


1 answer

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-03-19T15:02:45.173+00:00

    Thanks for reaching out. You would need to add the Azure Active Directory connector in the Azure Sentinel workspace. We collect the sign-in info in AAD logs.


    Once the logs are ingested, which can take some time, there are inbuilt queries which you can modify to get just the Office 365 portal logs.
    That is denoted as Microsoft Office 365 Portal in Sign-in reports.

    So you can run a query as basic as

    SigninLogs
    | where AppDisplayName == "Microsoft Office 365 Portal"
    | take 100

    This will take the result from the sign-in logs table and show the top 100 results. The query can be modified to any specific UPN, location or device as per need.
    You can check a few of the templates in the AAD connector, which has lots of sample queries inbuilt.

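As an added example (not part of the answer above), here is the same SigninLogs query extended to the asker's scenario: one account, Office 365 Portal sign-ins only, grouped by outcome and source location so attempts from outside the tenant's trusted named locations stand out. The UPN and the 7-day lookback are placeholders; the column names (ResultType, LocationDetails, Status, NetworkLocationDetails) are the standard SigninLogs schema fields.

```kql
// Added example, not from the original answer: extend the basic SigninLogs query to a
// single user and break Office 365 Portal sign-in attempts down by outcome and location.
// "alice@contoso.example" is a placeholder UPN; replace it with the account under review.
let TargetUser = "alice@contoso.example";
let Lookback = 7d;
SigninLogs
| where TimeGenerated > ago(Lookback)
| where AppDisplayName == "Microsoft Office 365 Portal"
| where UserPrincipalName =~ TargetUser
// ResultType is a string in SigninLogs; "0" means the sign-in succeeded
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| extend Country = tostring(LocationDetails.countryOrRegion),
         City = tostring(LocationDetails.city),
         FailureReason = tostring(Status.failureReason),
         // NetworkLocationDetails lists the named-location types that matched the source IP,
         // e.g. trustedNamedLocation; attempts from outside the org will not carry that value
         FromTrustedLocation = tostring(NetworkLocationDetails) has "trustedNamedLocation"
| summarize Attempts = count(),
            Failures = countif(Outcome == "Failure"),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 20),
            FailureReasons = make_set_if(FailureReason, Outcome == "Failure", 10)
            by UserPrincipalName, Country, City, FromTrustedLocation
| order by Failures desc, Attempts desc
```

Rows with FromTrustedLocation == false are the sign-in attempts that did not originate from one of the tenant's trusted named locations, which answers the "from outside the org" part of the question; dropping the UserPrincipalName filter gives the same view across all users.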