Sign-in activity reports in the Azure Active Directory portal

The reporting architecture in Azure Active Directory (Azure AD) consists of the following components:

  • Activity
    • Sign-ins - Information about the usage of managed applications and user sign-in activities.
    • Audit logs - Audit logs provide system activity information about users and group management, managed applications and directory activities.
  • Security
    • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
    • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

This topic gives you an overview of the sign-ins report.

Prerequisites

Who can access the data?

  • Users in the Security Administrator, Security Reader and Report Reader roles
  • Global Administrators
  • In addition, any user (non-admin) can access their own sign-ins

What Azure AD license do you need to access sign-in activity?

  • Your tenant must have an Azure AD Premium license associated with it to see the all-up sign-in activity report. See Getting started with Azure Active Directory Premium to upgrade your Azure Active Directory edition. Note that if you did not have any activity data prior to the upgrade, it will take a couple of days for the data to show up in the reports after you upgrade to a premium license.

Sign-ins report

The user sign-ins report provides answers to the following questions:

  • What is the sign-in pattern of a user?
  • How many users have signed in over a week?
  • What's the status of these sign-ins?

You can access the sign-ins report by selecting Sign-ins in the Activity section of the Azure Active Directory blade in the Azure portal. Note that it may take up to two hours for some sign-in records to show up in the portal.

Sign-in activity

Important

The sign-ins report only displays interactive sign-ins, that is, sign-ins where a user manually signs in using their username and password. Non-interactive sign-ins, such as service-to-service authentication, are not displayed in the sign-ins report.

A sign-ins log has a default list view that shows:

  • The sign-in date
  • The related user
  • The application the user has signed in to
  • The sign-in status
  • The status of the risk detection
  • The status of the multi-factor authentication (MFA) requirement

You can customize the list view by clicking Columns in the toolbar.

This enables you to display additional fields or remove fields that are already displayed.

Select an item in the list view to get more detailed information.

Note

Customers can now troubleshoot Conditional Access policies through all sign-in reports. By clicking on the Conditional Access tab for a sign-in record, customers can review the Conditional Access status and dive into the details of the policies that applied to the sign-in and the result for each policy. For more information, see the Frequently asked questions about CA information in all sign-ins.

Filter sign-in activities

To narrow down the reported data to a level that works for you, you can filter the sign-ins data using the following default fields:

  • User
  • Application
  • Sign-in status
  • Conditional Access
  • Date

The User filter enables you to specify the name or the user principal name (UPN) of the user you care about.

The Application filter enables you to specify the name of the application you care about.

The Sign-in status filter enables you to select:

  • All
  • Success
  • Failure

The Conditional Access filter enables you to select the CA policy status for the sign-in:

  • All
  • Not Applied
  • Success
  • Failure

The Date filter enables you to define a timeframe for the returned data.
Possible values are:

  • 1 month
  • 7 days
  • 24 hours
  • Custom time interval

When you select a custom timeframe, you can configure a start time and an end time.

If you add additional fields to your sign-ins view, these fields are automatically added to the list of filters. For example, by adding the Client App field to your list, you also get another filter option that enables you to set the following filters:

  • Browser
    This filter shows all events where sign-in attempts were performed using browser flows.

  • Exchange ActiveSync (supported)
    This filter shows all sign-in attempts where the Exchange ActiveSync (EAS) protocol has been attempted from supported platforms like iOS, Android and Windows Phone.

  • Exchange ActiveSync (unsupported)
    This filter shows all sign-in attempts where the EAS protocol has been attempted from unsupported platforms like Linux distros.

  • Mobile Apps and Desktop clients
    This filter shows all sign-in attempts that were not using browser flows. This can be mobile apps from any platform using any protocol or from Desktop client apps like Office on Windows or MacOS.

  • Other clients

    • IMAP
      A legacy mail client using IMAP to retrieve email.
    • MAPI
      Office 2013, where ADAL is enabled and it is using MAPI.
    • Older Office clients
      Office 2013 in its default configuration where ADAL is not enabled and it is using MAPI, or Office 2016 where ADAL has been disabled.
    • POP
      A legacy mail client using POP3 to retrieve email.
    • SMTP
      A legacy mail client using SMTP to send email.

Download sign-in activities

You can download the sign-ins data if you want to work with it outside the Azure portal. Clicking Download gives you the option to create a CSV or JSON file of the most recent 250,000 records.

Important

The number of records you can download is constrained by the Azure Active Directory report retention policies.
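
The questions the sign-ins report answers (users per week, sign-in status) and the legacy entries of the Client App filter can also be checked offline against a downloaded JSON file. This is an added example, not code from Microsoft: the field names (`createdDateTime`, `userPrincipalName`, `clientAppUsed`, `status.errorCode`) follow the Microsoft Graph signIn resource and are assumed to match the export, the Client App values are assumed to match the filter labels listed earlier, and the records are constructed sample data.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# "Other clients" labels from the Client App filter (assumed to be the values
# written to clientAppUsed in the export); compared case-insensitively.
LEGACY_CLIENTS = {"imap", "mapi", "older office clients", "pop", "smtp"}

# Constructed sample standing in for a downloaded JSON export.
SAMPLE_EXPORT = """[
 {"createdDateTime": "2019-05-06T08:01:12Z", "userPrincipalName": "alice@contoso.example",
  "clientAppUsed": "Browser", "status": {"errorCode": 0}},
 {"createdDateTime": "2019-05-06T09:15:40Z", "userPrincipalName": "bob@contoso.example",
  "clientAppUsed": "IMAP", "status": {"errorCode": 50126}},
 {"createdDateTime": "2019-05-07T09:16:02Z", "userPrincipalName": "Bob@contoso.example",
  "clientAppUsed": "IMAP", "status": {"errorCode": 0}},
 {"createdDateTime": "2019-05-08T11:30:00Z", "userPrincipalName": "carol@contoso.example",
  "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
 {"createdDateTime": "2019-04-20T07:00:00Z", "userPrincipalName": "dave@contoso.example",
  "clientAppUsed": "SMTP", "status": {"errorCode": 0}}
]"""

def parse_ts(value):
    # Timestamps are assumed to be ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize(export_text, end, days=7):
    """Distinct users, status counts and legacy-client sign-ins per user
    for the window [end - days, end)."""
    start = end - timedelta(days=days)
    users, status, legacy = set(), Counter(), Counter()
    for rec in json.loads(export_text):
        if not (start <= parse_ts(rec["createdDateTime"]) < end):
            continue
        upn = rec.get("userPrincipalName", "").lower()  # UPNs are case-insensitive
        users.add(upn)
        code = (rec.get("status") or {}).get("errorCode")
        # errorCode 0 means success; a missing code is reported, not guessed.
        label = "Unknown" if code is None else ("Success" if code == 0 else "Failure")
        status[label] += 1
        if rec.get("clientAppUsed", "").strip().lower() in LEGACY_CLIENTS:
            legacy[upn] += 1
    return {"users": len(users), "status": dict(status), "legacy_by_user": dict(legacy)}

if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT, datetime(2019, 5, 10, tzinfo=timezone.utc)))
```

Users that appear in `legacy_by_user` are still signing in through the IMAP, MAPI, POP, SMTP or older Office client paths and are the ones to review first.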

Sign-ins data shortcuts

In addition to Azure AD, the Azure portal provides you with additional entry points to sign-ins data:

  • The Identity security protection overview
  • Users
  • Groups
  • Enterprise applications

Users sign-ins data in Identity security protection

The user sign-in graph in the Identity security protection overview page shows weekly aggregations of sign-ins for all users in a given time period. The default for the time period is 30 days.

When you click on a day in the sign-in graph, you get an overview of the sign-in activities for this day.

Each row in the sign-in activities list shows:

  • Who has signed in?
  • What application was the target of the sign-in?
  • What is the status of the sign-in?
  • What is the MFA status of the sign-in?

By clicking an item, you get more details about the sign-in operation:

  • User ID
  • User
  • Username
  • Application ID
  • Application
  • Client
  • Location
  • IP address
  • Date
  • MFA Required
  • Sign-in status

Note

IP addresses are issued in such a way that there is no definitive connection between an IP address and where the computer with that address is physically located. Mapping IP addresses is complicated by the fact that mobile providers and VPNs issue IP addresses from central pools that are often very far from where the client device is actually used. Currently in Azure AD reports, converting an IP address to a physical location is a best effort based on traces, registry data, reverse lookups and other information.

On the Users page, you get a complete overview of all user sign-ins by clicking Sign-ins in the Activity section.

Usage of managed applications

With an application-centric view of your sign-in data, you can answer questions such as:

  • Who is using my applications?
  • What are the top 3 applications in your organization?
  • I have recently rolled out an application. How is it doing?

Your entry point to this data is the top 3 applications in your organization within the last 30 days report in the Overview section under Enterprise applications.

The app usage graph shows weekly aggregations of sign-ins for your top 3 applications in a given time period. The default for the time period is 30 days.

If you want to, you can set the focus on a specific application.

When you click on a day in the app usage graph, you get a detailed list of the sign-in activities.

The Sign-ins option gives you a complete overview of all sign-in events to your applications.

Office 365 activity logs

You can view Office 365 activity logs from the Microsoft 365 admin center. Even though Office 365 activity and Azure AD activity logs share a lot of the directory resources, only the Microsoft 365 admin center provides a full view of the Office 365 activity logs.

You can also access the Office 365 activity logs programmatically using the Office 365 Management APIs.

Next steps