Use Endpoint Manager to monitor user login duration

Green, Tim (Corporate) 1 Reputation point
2022-02-25T12:39:35.887+00:00

We are having issue where new account creations on Windows 10 devices can take up to 15mins. I would like to be able to use Endpoint Manager to examine the login duration and what specifically is causing the delay. Are there any current reports or analytics that will provide this information.
If this is not available in Endpoint Manger can you please advise where I can obtain the relevant information such as event viewer or audit logs.

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,797 questions
Azure Analysis Services
Azure Analysis Services
An Azure service that provides an enterprise-grade analytics engine.
437 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,447 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-02-25T14:39:08.517+00:00

    Here is a sample KQL query based on Security events in Sentinel with a similar goal. You may be able to create a similar Advanced Query in MDE if you can find a logon and logoff indicator in the logs.

    let login = SecurityEvent
    | where TimeGenerated > ago(1h)
    | where EventID == '4624'
    | project TargetLogonId, loginTime = TimeGenerated;
    let logout = SecurityEvent
    | where TimeGenerated > ago(1h)
    | where EventID == '4634'
    | project TargetLogonId, logoutTime = TimeGenerated;
    login
    | join kind=leftouter logout on TargetLogonId
    | project loginTime, logoutTime

    0 comments