Turn on Azure AD logs - mattnovitsch/M365 GitHub Wiki

Summary

Turn on Azure AD Logs for reporting data.

Steps

  1. Log into Azure Portal
  2. Search for "Azure Active Directory" in the top bar, the click on Azure Active Directory.
  3. On the left side panel, look for Monitoring and then click on Diagnostic Settings.
  4. Click +Add diagnostic settings.
  5. Select all the logs then select a location for the logs, in this example we are using Log Analytics workspace. Provide a name for the logs also, I used All Azure AD Logs.
  • Note: The Signin logs require AAD P1 or P2.
  1. Select Log Analytics under monitoring on the left. Under LogManagement double click SigninLogs. Make sure to change the Time range to Last 7 days. Click Export then Export to Power BI (M query).
  2. Ease SigninLogs and double click on AADNonInteractiveUserSigninLogs, then click Export then Export to Power BI (M query).
  3. The PowerBIQuery.txt files can be used at anytime in the creation of the dashboard going forward, it is used in the Microsoft Defender for Endpoint Dashboard.