AADNonInteractiveUserSignInLogs
Non-interactive Azure Active Directory sign-in logs from user.
Categories
- Audit
- Security
Solutions
- LogManagement
Resource types
- Azure Active Directory Logs
Columns
| Column | Type | Description |
|---|---|---|
| AlternateSignInName | string | Provides the on-premises UPN of the user sign-ing into Azure AD.e.g. Phone number sign-in |
| AppDisplayName | string | App name displayed in the Azure portal |
| AppId | string | Unique GUID representing the app ID in the Azure Active Directory |
| AuthenticationDetails | string | A record of each step of authentication undertaken in the sign-in |
| AuthenticationMethodsUsed | string | List of authentication methods used |
| AuthenticationProcessingDetails | string | Provides the details associated with authentication processor |
| AuthenticationRequirement | string | Type of authentication required for the sign-in. If set to multiFactorAuthentication, an MFA step was required. If set to singleFactorAuthentication, no MFA was required |
| AuthenticationRequirementPolicies | string | Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user |
| Category | string | Category of the sign-in event |
| ClientAppUsed | string | Details outlining app auth used (Legacy vs non Legacy) Eg: Modern Browser, Native App, Exchange Activty Sync and Older Clients |
| ConditionalAccessPolicies | string | Details of the conditional access policies being applied for the sign-in |
| ConditionalAccessStatus | string | Status of all the conditionalAccess policies related to the sign-in |
| CorrelationId | string | ID to provide sign-in trail |
| CreatedDateTime | datetime | Datetime of the sign-in activity |
| DeviceDetail | string | Details of the device used for the sign-in |
| DurationMs | long | The duration of the operation in milliseconds |
| Id | string | Unique ID representing the sign-in activity |
| Identity | string | The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal |
| IPAddress | string | IP address of the client used to sign in |
| IsInteractive | bool | Indicates if a sign-in is interactive or not |
| IsRisky | bool | Indicates if a sign-in is considered risky or not |
| Level | string | The severity level of the event |
| Location | string | The region of the resource emitting the event |
| LocationDetails | string | Details of the sign-in location |
| MfaDetail | string | Details of the Multi-factor authentication |
| NetworkLocationDetails | string | Provides the details associated with authentication processor |
| OperationName | string | For sign-ins, this value is always Sign-in activity |
| OperationVersion | string | The REST API version that's requested by the client |
| OriginalRequestId | string | The request id of the first request in the authentication sequence |
| ProcessingTimeInMs | string | Request processing time in milliseconds in AD STS |
| ResourceDisplayName | string | Name of the resource that the user signed into |
| ResourceGroup | string | Resource group for the logs |
| ResourceIdentity | string | ID of the resource that the user signed into |
| ResourceTenantId | string | The resource tenantId for B2B(business-to-business) scenarios |
| ResultDescription | string | Provides the error description for the sign-in operation |
| ResultSignature | string | Contains the error code, if any, for the sign-in operation |
| ResultType | string | The result of the sign-in operation can be Success or Failure |
| RiskDetail | string | Risky user state details |
| RiskEventTypes | string | The list of risk event types associated with the sign-in |
| RiskEventTypes_V2 | string | The list of risk event types associated with the sign-in. These are strings |
| RiskLevelAggregated | string | Aggregated risk level |
| RiskLevelDuringSignIn | string | Risk level during sign-in |
| RiskState | string | Risky user state |
| SignInEventTypes | string | The types that are associated with the sign-in. Examples include "interactive", "refreshToken", "managedIdentity", "continuousAccessEvaluation" and many more |
| SourceSystem | string | Details of source system of the object being provisioned |
| Status | string | Details of the sign-in status |
| TenantId | string | |
| TimeGenerated | datetime | The date and time of the event in UTC |
| TokenIssuerName | string | Name of the identity provider (e.g. sts.microsoft.com ) |
| TokenIssuerType | string | Type of identityProvider (Azure AD, AD Federation Services) |
| Type | string | The name of the table |
| UserAgent | string | User Agent for the sign-in |
| UserDisplayName | string | Display name of the user that initiated the sign-in |
| UserId | string | ID of the user that initiated the sign-in |
| UserPrincipalName | string | User principal name of the user that initiated the sign-in |