この記事では、Azure Active Directory (Azure AD) レポートに関してよく寄せられる質問に対する回答を示します。 詳細については、「Azure Active Directory レポート」をご覧ください。
I currently use the `https://graph.windows.net/<tenant-name>/reports/` endpoint APIs to pull Azure AD audit and integrated application usage reports into our reporting systems programmatically. What should I switch to?
Look up the API reference to see how you can use the APIs to access activity reports. This endpoint has two reports (Audit and Sign-ins) which provide all the data you got in the old API endpoint. This new endpoint also has a sign-ins report with the Azure AD Premium license that you can use to get app usage, device usage, and user sign-in information.
I currently use the `https://graph.windows.net/<tenant-name>/reports/` endpoint APIs to pull Azure AD security reports (specific types of detections, such as leaked credentials or sign-ins from anonymous IP addresses) into our reporting systems programmatically. What should I switch to?
You can use the Identity Protection risk detections API to access security detections through Microsoft Graph. This new format gives greater flexibility in how you can query data, with advanced filtering, field selection, and more, and standardizes risk detections into one type for easier integration into SIEMs and other data collection tools. Because the data is in a different format, you can't substitute a new query for your old queries. However, the new API uses Microsoft Graph, which is the Microsoft standard for such APIs as Microsoft 365 or Azure AD. So the work required can either extend your current Microsoft Graph investments or help you begin your transition to this new standard platform.
How do I get a premium license?
See Getting started with Azure Active Directory Premium to upgrade your Azure Active Directory edition.
How soon should I see activities data after getting a premium license?
If you already have activities data as a free license, then you can see it immediately. If you don’t have any data, then it will take up to 3 days for the data to show up in the reports.
Can I see last month's data after getting an Azure AD premium license?
If you have recently switched to a Premium version (including a trial version), you can see data up to 7 days initially. When data accumulates, you can see data for the past 30 days.
Do I need to be a global administrator to see the activity sign-ins to the Azure portal or to get data through the API?
No, you can also access the reporting data through the portal or through the API if you are a Security Reader or Security Administrator for the tenant. Of course, Global Administrators will also have access to this data.
What is the data retention for activity logs (Audit and Sign-ins) in the Azure portal?
For more information, see data retention policies for Azure AD reports.
How long does it take until I can see the activity data after I have completed my task?
Audit logs have a latency ranging from 15 minutes to an hour. Sign-in activity logs can take from 15 minutes to up to 2 hours for some records.
Can I get Microsoft 365 activity log information through the Azure portal?
Even though Microsoft 365 activity and Azure AD activity logs share a lot of the directory resources, if you want a full view of the Microsoft 365 activity logs, you should go to the Microsoft 365 admin center to get Office 365 Activity log information.
Which APIs do I use to get information about Microsoft 365 Activity logs?
Use the Microsoft 365 Management APIs to access the Microsoft 365 Activity logs through an API.
How many records I can download from Azure portal?
You can download up to 5000 records from the Azure portal. The records are sorted by most recent and by default, you get the most recent 5000 records.
I see .XXX in part of the IP address from a user in my sign in logs. Why is that happening?
Azure AD may redact part of an IP address in the sign in logs to protect user privacy when a user may not belong to the tenant viewing the logs. This happens in two cases: first, during cross tenant sign ins, such as when a CSP technician signs into a tenant that CSP manages. Second, when our service was not able to determine the user's identity with sufficient confidence to be sure the user belongs to the tenant viewing the logs.
What's new with this feature?
Customers can now troubleshoot Conditional Access policies through all sign-ins report. Customers can review the Conditional Access status and dive into the details of the policies that applied to the sign-in and the result for each policy.
How do I get started?
To get started:
- Navigate to the sign-ins report in the Azure portal.
- Click on the sign-in that you want to troubleshoot.
- Navigate to the Conditional Access tab. Here, you can view all the policies that impacted the sign-in and the result for each policy.
What are all possible values for the Conditional Access status?
Conditional Access status can have the following values:
- Not Applied: This means that there was no Conditional Access policy with the user and app in scope.
- Success: This means that there was a Conditional Access policy with the user and app in scope and Conditional Access policies were successfully satisfied.
- Failure: The sign-in satisfied the user and application condition of at least one Conditional Access policy and grant controls are either not satisfied or set to block access.
What are all possible values for the Conditional Access policy result?
A Conditional Access policy can have the following results:
- Success: The policy was successfully satisfied.
- Failure: The policy was not satisfied.
- Not applied: This might be because the policy conditions did not meet.
- Not enabled: This is due to the policy in disabled state.
The policy name in the all sign-in report does not match the policy name in CA. Why?
The policy name in the all sign-in report is based on the Conditional Access policy name at the time of the sign-in. This can be inconsistent with the policy name in CA if you updated the policy name later, that is, after the sign-in.
My sign-in was blocked due to a Conditional Access policy, but the sign-in activity report shows that the sign-in succeeded. Why?
Currently the sign-in report may not show accurate results for Exchange ActiveSync scenarios when Conditional Access is applied. There can be cases when the sign-in result in the report shows a successful sign-in, but the sign-in actually failed due to a Conditional Access policy.