Azure AD Sign-In Logs

How to Analyze Azure AD Sign-In Logs

What’s in a sign-in log entry

Whether exported from the Graph API or viewed in the Entra portal, a sign-in event carries far more than "who logged in and when": userPrincipalName, ipAddress, location (city, country and geoCoordinates), deviceDetail, conditionalAccessStatus, appliedConditionalAccessPolicies, status.errorCode, riskLevelAggregated, mfaDetail, authenticationRequirement, isInteractive, clientAppUsed and createdDateTime. Most security-relevant analysis depends on cross-referencing several of these fields at once, not reading any single one. One export caveat: the Graph signIns endpoint returns interactive user sign-ins by default, and the portal shows non-interactive sign-ins on a separate tab, so an export that never filtered on signInEventTypes is missing the token refreshes and background sign-ins that several of the patterns below depend on.

What to look at first

  1. status.errorCode. Distinguish a wrong password (50126) from a sign-in blocked by Conditional Access (53003), from a correct password that stalled at an MFA challenge (50074, 50076), from a success (0). The AADSTS error-code taxonomy is large and specific, and status.failureReason carries the matching text. The difference matters: a spray that produces 50076 instead of 50126 means the attacker has that user's password and only MFA is in the way.
  2. location and timing, across consecutive sign-ins for the same user. This is how you catch impossible travel, one of the stronger compromise signals in this log source, but only after you rule out VPN egress, mobile carrier NAT and cloud proxies, which produce the same pattern legitimately. Geo-IP coordinates are also only as precise as the provider's data, so small jumps are noise.
  3. conditionalAccessStatus vs. what you'd expect. If a policy should have blocked a sign-in and didn't (status notApplied, or the policy missing from appliedConditionalAccessPolicies), that's a policy gap worth fixing regardless of whether this particular sign-in was malicious.
  4. clientAppUsed. Values such as IMAP4, POP3, Exchange ActiveSync, Authenticated SMTP and "Other clients" identify legacy protocols that can't complete an MFA challenge and are routinely excluded from Conditional Access. Basic authentication has been retired in Exchange Online, but SMTP AUTH can still be enabled per tenant or per mailbox, so verify the tenant blocks legacy auth everywhere rather than assuming it.
  5. riskLevelAggregated. Microsoft's own risk engine already flagged something; the question is whether anyone acted on it.
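The per-event checks in the list above, as an added example that is not LogTriage's code or anything from the original page. It reads records shaped like the Graph signIn resource (the three sample records are constructed), uses a hand-picked subset of the error-code taxonomy, and takes the names of the Conditional Access policies a tenant expects on every successful interactive sign-in as a hypothetical input; the policy name in the sample is made up.

```python
"""Per-event triage of Microsoft Graph signIn records.

Added example, not LogTriage's code. Field names follow the Graph signIn
resource; the sample records are constructed and the error-code table is a
small hand-picked subset of the real AADSTS taxonomy.
"""
from __future__ import annotations

# status.errorCode values worth telling apart (subset).
ERROR_CODES = {
    0: "success",
    50126: "invalid username or password",
    50053: "account locked (smart lockout) or IP blocked",
    50057: "user account disabled",
    50074: "strong authentication required",
    50076: "MFA challenge required",
    53003: "blocked by Conditional Access",
}

# clientAppUsed values that identify legacy (basic-auth) protocols.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover",
    "Offline Address Book", "Exchange Online PowerShell",
}


def classify_outcome(event: dict) -> str:
    """Map status.errorCode to a coarse outcome label."""
    code = event.get("status", {}).get("errorCode", 0)
    return ERROR_CODES.get(code, f"other failure ({code})")


def mfa_enforced(event: dict) -> bool:
    """True when the sign-in required (and, if it succeeded, satisfied) MFA."""
    return event.get("authenticationRequirement") == "multiFactorAuthentication"


def triage_event(event: dict, expected_policies: set[str] = frozenset()) -> list[str]:
    """Return named risk factors for one sign-in record.

    expected_policies: display names of Conditional Access policies that
    should show up on every successful interactive sign-in (hypothetical,
    tenant-specific input).
    """
    factors: list[str] = []
    outcome = classify_outcome(event)
    succeeded = outcome == "success"
    if not succeeded:
        factors.append(f"failed:{outcome}")

    # Legacy protocol: a *successful* legacy sign-in without MFA is a live
    # bypass, not just a configuration gap.
    if event.get("clientAppUsed", "") in LEGACY_CLIENT_APPS:
        factors.append("legacy-auth")
        if succeeded and not mfa_enforced(event):
            factors.append("legacy-auth-no-mfa")

    # Conditional Access vs. expectation: success with no policy applied, or
    # with an expected policy missing / notApplied, is a policy gap.
    if succeeded and event.get("isInteractive", True):
        if event.get("conditionalAccessStatus") == "notApplied":
            factors.append("no-ca-policy-applied")
        seen = {p.get("displayName"): p.get("result")
                for p in event.get("appliedConditionalAccessPolicies", [])}
        for name in sorted(expected_policies):
            if seen.get(name) not in ("success", "failure"):
                factors.append(f"ca-policy-gap:{name}")

    # Identity Protection already scored it.
    risk = event.get("riskLevelAggregated", "none")
    if risk in ("medium", "high"):
        factors.append(f"risk-{risk}")

    # Device posture from deviceDetail.
    dev = event.get("deviceDetail", {})
    if succeeded and not (dev.get("isCompliant") or dev.get("isManaged")):
        factors.append("unmanaged-device")
    return factors


def triage_all(events: list[dict], expected_policies: set[str] = frozenset()) -> list[tuple[str, list[str]]]:
    """(userPrincipalName, factors) for every record, in input order."""
    return [(ev.get("userPrincipalName", "?"), triage_event(ev, expected_policies)) for ev in events]


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA for all users", "result": "success"}],
     "status": {"errorCode": 0}, "riskLevelAggregated": "none",
     "deviceDetail": {"isCompliant": True, "isManaged": True}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "IMAP4", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
     "status": {"errorCode": 0}, "riskLevelAggregated": "high",
     "deviceDetail": {"isCompliant": False, "isManaged": False}},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Browser", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"},
     "riskLevelAggregated": "none", "deviceDetail": {}},
]

if __name__ == "__main__":
    for upn, factors in triage_all(SAMPLE_EVENTS, {"Require MFA for all users"}):
        print(upn, factors or "clean")
```

The bob record is the one to read: a successful IMAP4 sign-in with no MFA, no policy applied, an unmanaged device and a high risk score all land in one evidence list, which is the cross-referencing the section is about.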

Common patterns and what they mean

Pattern                                                                  Likely meaning
Same user, two distant locations, short interval                         Impossible travel: compromise or shared credentials
Many distinct usernames, one or two failed attempts each from one IP     Password spraying (kept under smart-lockout thresholds)
Legacy clientAppUsed, sign-in succeeded, MFA not enforced                MFA/Conditional Access bypass path
Non-interactive sign-in from a new IP minutes after the same user's      Possible replayed session or refresh token (AiTM)
  interactive sign-in elsewhere
High riskLevelAggregated with no subsequent action                       Detection without response: a process gap, not just a security gap
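The three cross-event patterns from the table (impossible travel, spraying and token replay), as an added example that is not LogTriage's code or anything from the original page. Impossible travel is computed the same way the next section describes, haversine distance over elapsed time. The records use Graph signIn field names, the log set is constructed, and every threshold (900 km/h, 50 km, a 10-minute replay window, five users for a spray) is an assumption to tune per tenant.

```python
"""Cross-event sign-in patterns: impossible travel, password spraying and
token replay.

Added example, not LogTriage's code. Records use Microsoft Graph signIn
field names; the log set is constructed and all thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed (assumption)
MIN_DISTANCE_KM = 50.0      # below this, treat as geo-IP jitter (assumption)
REPLAY_WINDOW_SEC = 600     # non-interactive from a new IP this soon after an interactive one (assumption)
SPRAY_MIN_USERS = 5         # distinct users failing from one IP (assumption)
SPRAY_MAX_PER_USER = 3      # few attempts each, to stay under lockout (assumption)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def successes_by_user(events: list[dict]) -> dict[str, list[dict]]:
    """Successful sign-ins grouped per user and sorted by time."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        if ev["status"]["errorCode"] == 0:
            by_user[ev["userPrincipalName"]].append(ev)
    for evs in by_user.values():
        evs.sort(key=ts)
    return by_user


def impossible_travel(events: list[dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Consecutive located successes per user that would need more than max_kmh."""
    findings = []
    for upn, evs in successes_by_user(events).items():
        located = [e for e in evs if e.get("location", {}).get("geoCoordinates")]
        for a, b in zip(located, located[1:]):
            ga, gb = a["location"]["geoCoordinates"], b["location"]["geoCoordinates"]
            km = haversine_km(ga["latitude"], ga["longitude"], gb["latitude"], gb["longitude"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (ts(b) - ts(a)).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": upn, "from": a["ipAddress"], "to": b["ipAddress"],
                                 "km": round(km), "minutes": round(hours * 60), "kmh": kmh})
    return findings


def password_spray(events: list[dict], min_users: int = SPRAY_MIN_USERS,
                   max_per_user: int = SPRAY_MAX_PER_USER) -> list[str]:
    """Source IPs with wrong-password failures (50126) against many users, few each."""
    per_ip: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["status"]["errorCode"] == 50126:
            per_ip[ev["ipAddress"]][ev["userPrincipalName"]] += 1
    return [ip for ip, users in per_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user]


def token_replay(events: list[dict], window_sec: int = REPLAY_WINDOW_SEC) -> list[dict]:
    """Non-interactive success from an IP with no recent interactive session,
    while a recent interactive session exists elsewhere: what a replayed
    session or refresh token looks like. Noisy alone (phones refresh from
    carrier IPs), so confirm against deviceDetail and the app involved."""
    findings = []
    for upn, evs in successes_by_user(events).items():
        for i, ev in enumerate(evs):
            if ev.get("isInteractive", True):
                continue
            recent = [p for p in evs[:i] if p.get("isInteractive", True)
                      and (ts(ev) - ts(p)).total_seconds() <= window_sec]
            if recent and ev["ipAddress"] not in {p["ipAddress"] for p in recent}:
                findings.append({"user": upn, "interactive_ip": recent[-1]["ipAddress"],
                                 "replay_ip": ev["ipAddress"], "app": ev.get("appDisplayName")})
    return findings


def run_all(events: list[dict]) -> dict[str, list]:
    return {"impossible_travel": impossible_travel(events),
            "password_spray": password_spray(events),
            "token_replay": token_replay(events)}


def _ev(upn, when, ip, code=0, interactive=True, lat=None, lon=None, app="Office 365 Exchange Online"):
    """Build one constructed signIn-shaped record."""
    ev = {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
          "isInteractive": interactive, "appDisplayName": app, "status": {"errorCode": code}}
    if lat is not None:
        ev["location"] = {"geoCoordinates": {"latitude": lat, "longitude": lon}}
    return ev


BERLIN, NEW_YORK = (52.52, 13.405), (40.7128, -74.006)
ALICE = "alice@contoso.example"
SAMPLE_EVENTS = [  # constructed log set, not real tenant data
    _ev(ALICE, "2024-05-01T08:00:00Z", "203.0.113.10", lat=BERLIN[0], lon=BERLIN[1]),
    _ev(ALICE, "2024-05-01T08:04:00Z", "198.51.100.22", interactive=False, lat=NEW_YORK[0], lon=NEW_YORK[1]),
    _ev(ALICE, "2024-05-01T08:30:00Z", "198.51.100.22", lat=NEW_YORK[0], lon=NEW_YORK[1]),
    # one IP, six users, one wrong password each: a spray
    *[_ev(f"user{i}@contoso.example", f"2024-05-01T09:0{i}:00Z", "192.0.2.99", code=50126) for i in range(6)],
    # dave mistypes four times from his usual IP: not a spray
    *[_ev("dave@contoso.example", f"2024-05-01T09:1{i}:00Z", "203.0.113.55", code=50126) for i in range(4)],
]

if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(name, hits)
```

Note what the sample does and does not flag: dave's four failures from one IP never become a spray because the pattern is many users with few attempts each, and alice's 08:04 non-interactive sign-in from New York is reported both as a token replay and as impossible travel from Berlin four minutes earlier, which is the corroboration you want before escalating.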

Where manual log review breaks down

Azure AD sign-in exports can run into hundreds of thousands of rows for a mid-sized tenant. Spotting the one impossible-travel pair, or the one legacy-auth sign-in among thousands of modern ones, by eye simply doesn't scale, and that's before correlating any of it against external threat intelligence on the source IP or against the non-interactive sign-ins exported separately.

LogTriage extracts every field above automatically, computes impossible travel via haversine distance and elapsed time, classifies device/MFA/Conditional Access signals into named risk factors, and produces a single ranked report — with the underlying evidence trail intact for whoever needs to verify the finding.

See this detection run on a real report

Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.
