Analyze Azure Active Directory Sign-in Location
Hi All,
Azure Active Directory Sign-in Logs is really helpful, when analyzing Sign-in Problems.
But it also can be very helpful, when analyzing the overall Sign-ins or looking out for strange behavior.
One of the Tips would be th Filter for Location and use the CountryCode and Status of Sucess
I have set up Azure Active Directory Diagnostics to save the Sign-In Logs to a LogAnalytics Workspace.
Here you can Query the Logs with KQL. Let's search for Logins that come from Outside Switzerland.
SigninLogs
| where TimeGenerated > ago(30d)
| where LocationDetails.countryOrRegion <> "CH"
//| where Status.errorCode <> "0" //Not Sucessful Logins
| project UserPrincipalName, Status.errorCode, Status.failureReason,AppDisplayName, ResourceDisplayName, LocationDetails.countryOrRegion
| where TimeGenerated > ago(30d)
| where LocationDetails.countryOrRegion <> "CH"
//| where Status.errorCode <> "0" //Not Sucessful Logins
| project UserPrincipalName, Status.errorCode, Status.failureReason,AppDisplayName, ResourceDisplayName, LocationDetails.countryOrRegion
It's worht mentioning that there are also some predefined Workbooks available
"Sign-ins" will give you an overview and also a Heatmap
"Sign-In Analysis (Preview AAD & AD FS)" will extend that to the Federation Services.
If you want to go further, you can create Workbooks created by others. Here's one Example
How to use Azure Sentinel to follow a Users travel and map their location
Regards
Andres Bohren
