Azure Active Directory reporting latencies

Latency is the amount of time it takes for Azure Active Directory (Azure AD) reporting data to show up in the Azure portal. This article lists the expected latency for the different types of reports.

Activity reports

There are two types of activity reports:

  • Sign-ins - Provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provides system activity information about users and groups, managed applications and directory activities.

The following table lists the latency information for activity reports.

Note

Latency (95th percentile) refers to the time by which 95% of the logs will be reported, and Latency (99th percentile) refers to the time by which 99% of the logs will be reported.

| Report | Latency (95th percentile) | Latency (99th percentile) |
|---|---|---|
| Audit logs | 2 mins | 5 mins |
| Sign-ins | 2 mins | 5 mins |

How soon can I see activities data after getting a premium license?

If you already have activities data with your free license, then you can see it immediately on upgrade. If you don’t have any data, then it will take one or two days for the data to show up in the reports after you upgrade to a premium license.

Security reports

There are two types of security reports:

  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

The following table lists the latency information for security reports.

| Report | Minimum | Average | Maximum |
|---|---|---|---|
| Users at risk | 5 minutes | 15 minutes | 2 hours |
| Risky sign-ins | 5 minutes | 15 minutes | 2 hours |

Risk detections

Azure AD uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your user accounts. Each detected suspicious action is stored in a record called a risk detection.

The following table lists the latency information for risk detections.

| Report | Minimum | Average | Maximum |
|---|---|---|---|
| Sign-ins from anonymous IP addresses | 5 minutes | 15 minutes | 2 hours |
| Sign-ins from unfamiliar locations | 5 minutes | 15 minutes | 2 hours |
| Users with leaked credentials | 2 hours | 4 hours | 8 hours |
| Impossible travel to atypical locations | 5 minutes | 1 hour | 8 hours |
| Sign-ins from infected devices | 2 hours | 4 hours | 8 hours |
| Sign-ins from IP addresses with suspicious activity | 2 hours | 4 hours | 8 hours |
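
These latencies matter when report data is collected on a schedule: a record can become visible only after the poll that covered its activity time has already run. The following is an added example, not part of the original article; the function names, record layout and sample data are constructed for illustration. It replays scheduled polls with and without a lookback equal to the documented maximum latency.

```python
from datetime import datetime, timedelta, timezone

# Upper latency bound per report, copied from the tables on this page.
# Activity reports publish percentiles only, so the 99th percentile is used;
# about 1% of those records can still arrive later than this bound.
MAX_LATENCY = {
    "audit_logs": timedelta(minutes=5),
    "sign_ins": timedelta(minutes=5),
    "risky_sign_ins": timedelta(hours=2),
    "users_at_risk": timedelta(hours=2),
    "leaked_credentials": timedelta(hours=8),
}

def query_window(report, last_run, now, overlap=True):
    """Activity-time range to request on this run.

    With overlap, the start reaches back one latency bound before the
    previous run, so records that were not yet visible then are re-queried.
    """
    back = MAX_LATENCY[report] if overlap else timedelta(0)
    return last_run - back, now

def simulate(report, records, run_times, overlap=True):
    """Replay scheduled polls over constructed records; return the ids collected."""
    seen = set()
    last_run = run_times[0]
    for now in run_times[1:]:
        start, end = query_window(report, last_run, now, overlap)
        for rec in records:
            visible = rec["activity"] + rec["delay"] <= now   # already in the report?
            if visible and start <= rec["activity"] < end:
                seen.add(rec["id"])                           # set dedupes re-reads
        last_run = now
    return seen

# Constructed sample data: three risky sign-ins arriving with the minimum,
# average and maximum documented latency, polled every 30 minutes.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
RECORDS = [
    {"id": "r1", "activity": T0 + timedelta(minutes=10), "delay": timedelta(minutes=5)},
    {"id": "r2", "activity": T0 + timedelta(minutes=25), "delay": timedelta(minutes=15)},
    {"id": "r3", "activity": T0 + timedelta(minutes=50), "delay": timedelta(hours=2)},
]
RUNS = [T0 + timedelta(minutes=30 * i) for i in range(7)]  # 00:00 .. 03:00

if __name__ == "__main__":
    print("naive  :", sorted(simulate("risky_sign_ins", RECORDS, RUNS, overlap=False)))
    print("overlap:", sorted(simulate("risky_sign_ins", RECORDS, RUNS, overlap=True)))
```

Without the lookback, only the record that arrived within its own polling interval is collected; with it, every record whose delay stays within the documented maximum is picked up on the first run after it becomes visible.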
