
Find activity reports in the Azure portal

In this article, you learn how to find Azure Active Directory (Azure AD) user activity reports in the Azure portal.

Audit logs report

The audit logs report combines several reports around application activities into a single view for context-based reporting. To access the audit logs report:

  1. Navigate to the Azure portal.

  2. Select your directory from the top-right corner, then select the Azure Active Directory blade from the left navigation pane.

  3. Select Audit logs from the Activity section of the Azure Active Directory blade.

    Audit logs

The audit logs report consolidates the following reports:

  • Audit report
  • Password reset activity
  • Password reset registration activity
  • Self-service groups activity
  • Office365 Group Name Changes
  • Account provisioning activity
  • Password rollover status
  • Account provisioning errors

Filtering on audit logs

You can use advanced filtering in the audit report to access a specific category of audit data, by specifying it in the Category filter. For example, to view all activities related to users, select the UserManagement category.

Categories include:

  • All
  • AdministrativeUnit
  • ApplicationManagement
  • Authentication
  • Authorization
  • Contact
  • Device
  • DeviceConfiguration
  • DirectoryManagement
  • EntitlementManagement
  • GroupManagement
  • Other
  • Policy
  • ResourceManagement
  • RoleManagement
  • UserManagement

You can also filter on a specific service using the Service dropdown filter. For example, to get all audit events related to self-service password management, select the Self-service Password Management filter.

Services include:

  • All
  • Access Reviews
  • Account Provisioning
  • Application SSO
  • Authentication Methods
  • B2C
  • Conditional Access
  • Core Directory
  • Entitlement Management
  • Identity Protection
  • Invited Users
  • PIM
  • Self-service Group Management
  • Self-service Password Management
  • Terms of Use

Sign-ins report

The Sign-ins view includes all user sign-ins, as well as the Application Usage report. You can also view application usage information in the Manage section of the Enterprise applications overview.

To access the sign-ins report:

  1. Navigate to the Azure portal.

  2. Select your directory from the top-right corner, then select the Azure Active Directory blade from the left navigation pane.

  3. Select Sign-ins from the Activity section of the Azure Active Directory blade.

    Sign-ins view

Filtering on application name

You can use the sign-ins report to view details about application usage, by filtering on user name or application name.

![Filter Sign-In Events page](./media/howto-find-activity-reports/07.png)

Security reports

Anomalous activity reports

Anomalous activity reports provide information on security-related risk detections that Azure AD can detect and report on.

The following table lists the Azure AD anomalous activity security reports, and corresponding risk detection types in the Azure portal. For more information, see Azure Active Directory risk detections.

| Azure AD anomalous activity report | Identity protection risk detection type |
| --- | --- |
| Users with leaked credentials | Leaked credentials |
| Irregular sign-in activity | Impossible travel to atypical locations |
| Sign-ins from possibly infected devices | Sign-ins from infected devices |
| Sign-ins from unknown sources | Sign-ins from anonymous IP addresses |
| Sign-ins from IP addresses with suspicious activity | Sign-ins from IP addresses with suspicious activity |
| - | Sign-ins from unfamiliar locations |

The following Azure AD anomalous activity security reports are not included as risk detections in the Azure portal:

  • Sign-ins after multiple failures
  • Sign-ins from multiple geographies

Detected risk detections

You can access reports about detected risk detections in the Security section of the Azure Active Directory blade in the Azure portal. Detected risk detections are tracked in the following reports:

Troubleshoot issues with activity reports

Missing data in the downloaded activity logs

Symptoms

I downloaded the activity logs (audit or sign-ins) and I don’t see all the records for the time I chose. Why?

Screenshot shows the Download button in the activity report.

Cause

When you download activity logs in the Azure portal, we limit the scale to 250000 records, sorted by most recent first.

Resolution

You can leverage Azure AD Reporting APIs to fetch up to a million records at any given point.

Missing audit data for recent actions in the Azure portal

Symptoms

I performed some actions in the Azure portal and expected to see the audit logs for those actions in the Activity logs > Audit Logs blade, but I can’t find them.

Screenshot shows the activity reports.

Cause

Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.

| Report | Latency (P95) | Latency (P99) |
| --- | --- | --- |
| Directory audit | 2 mins | 5 mins |
| Sign-in activity | 2 mins | 5 mins |

Resolution

Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.

Missing logs for recent user sign-ins in the Azure AD sign-ins activity log

Symptoms

I recently signed into the Azure portal and expected to see the sign-in logs for those actions in the Activity logs > Sign-ins blade, but I can’t find them.

Screenshot shows the Azure Active Directory sign-ins.

Cause

Actions don’t appear immediately in the activity logs. The table below enumerates our latency numbers for activity logs.

| Report | Latency (P95) | Latency (P99) |
| --- | --- | --- |
| Directory audit | 2 mins | 5 mins |
| Sign-in activity | 2 mins | 5 mins |

Resolution

Wait for 15 minutes to two hours and see if the actions appear in the log. If you don’t see the logs even after two hours, please file a support ticket and we will look into it.

I can't view more than 30 days of report data in the Azure portal

Symptoms

I can't view more than 30 days of sign-in and audit data from the Azure portal. Why?

Screenshot shows the Date menu.

Cause

Depending on your license, Azure Active Directory Actions stores activity reports for the following durations:

| Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
| --- | --- | --- | --- |
| Directory Audit | 7 days | 30 days | 30 days |
| Sign-in Activity | Not available. You can access your own sign-ins for 7 days from the individual user profile blade | 30 days | 30 days |

For more information, see Azure Active Directory report retention policies.

Resolution

You have two options to retain the data for longer than 30 days. You can use the Azure AD Reporting APIs to retrieve the data programmatically and store it in a database. Alternatively, you can integrate audit logs into a third party SIEM system like Splunk or SumoLogic.
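The following sketch is an added example, not code from the original article: it shows the "retrieve programmatically and store in a database" option (and the paged retrieval that gets past the download limit described earlier) by following `@odata.nextLink` and archiving events in SQLite, de-duplicated by event id. It assumes the reporting API is the Microsoft Graph `auditLogs/directoryAudits` endpoint; `fetch_page` is a hypothetical callable that performs the authenticated HTTP GET, and the sample pages are constructed.

```python
import sqlite3
from urllib.parse import quote

# Assumption: the reporting API is the Microsoft Graph directory-audit endpoint.
AUDITS_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"

def first_page_url(since_iso):
    """First request URL: only events at or after since_iso (UTC, ISO 8601)."""
    return AUDITS_URL + "?$filter=" + quote("activityDateTime ge " + since_iso)

def open_store(path=":memory:"):
    """Create the archive table; the primary key makes repeated runs idempotent."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS audit (id TEXT PRIMARY KEY, "
               "activity_time TEXT, category TEXT, service TEXT, "
               "activity TEXT, result TEXT)")
    return db

def archive_audits(db, fetch_page, since_iso, max_pages=10000):
    """Follow @odata.nextLink to the end of the feed; return rows newly stored."""
    url, stored = first_page_url(since_iso), 0
    for _ in range(max_pages):  # bound the loop in case nextLink never ends
        page = fetch_page(url)  # hypothetical callable: HTTP GET with a token
        for ev in page.get("value", []):
            cur = db.execute(
                "INSERT OR IGNORE INTO audit VALUES (?, ?, ?, ?, ?, ?)",
                (ev["id"], ev.get("activityDateTime"), ev.get("category"),
                 ev.get("loggedByService"), ev.get("activityDisplayName"),
                 ev.get("result")))
            stored += cur.rowcount  # 0 when this id is already archived
        db.commit()
        url = page.get("@odata.nextLink")
        if not url:
            return stored
    raise RuntimeError("page limit reached before the feed ended")

# Constructed sample responses (not tenant data); id "a2" repeats across pages.
SINCE, NEXT = "2024-01-01T00:00:00Z", AUDITS_URL + "?$skiptoken=constructed"
def sample_event(i, cat, svc):
    return {"id": i, "activityDateTime": SINCE, "category": cat,
            "loggedByService": svc, "result": "success"}
SAMPLE_PAGES = {
    first_page_url(SINCE): {"@odata.nextLink": NEXT, "value": [
        sample_event("a1", "UserManagement", "Core Directory"),
        sample_event("a2", "GroupManagement", "Core Directory")]},
    NEXT: {"value": [sample_event("a2", "GroupManagement", "Core Directory"),
        sample_event("a3", "UserManagement", "Self-service Password Management")]},
}
sample_fetch = SAMPLE_PAGES.__getitem__  # raises KeyError on an unexpected URL
```

Run on a schedule shorter than the retention window and pass the timestamp of the last archived event as `since_iso`; overlapping pulls are harmless because duplicate ids are ignored.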

Next steps