Serving Vancouver, Washington and remote U.S. businesses

Microsoft 365 Security

How to Review Microsoft 365 Sign-In Logs and Security Alerts

A practical monitoring guide for investigating Microsoft 365 sign-ins, Conditional Access results, authentication details, application activity, and security alerts.

Microsoft 365 monitoring should help administrators distinguish normal business activity from failed authentication, policy problems, account compromise, risky applications, and unusual administrative changes.

Why Sign-In Logs Matter

Microsoft Entra records sign-in activity that administrators can use for troubleshooting, security investigation, access reviews, and Conditional Access validation. A sign-in record can show who attempted access, which application was used, whether authentication succeeded, which policies applied, and what device and location information was available.

Sign-in logs are not useful when no one reviews them or when the organization has no baseline for ordinary employee activity.

Understand the Main Log Categories

Microsoft Entra provides sign-in information for interactive user sign-ins, non-interactive user sign-ins, service principal sign-ins, and managed identity sign-ins depending on the tenant and activity.

Interactive sign-ins involve a user providing an authentication factor. Non-interactive sign-ins can occur when an application refreshes a token without asking the user again. Service principals and managed identities represent applications and workloads rather than ordinary employees.

A successful sign-in is not automatically safe

An attacker with a valid password, stolen token, or approved malicious application may produce a successful event. Review context, not only the result.

Start With the User and Time

Confirm the user's identity, job role, manager, work location, expected devices, and normal work schedule. Review a time range before and after the suspicious event.

Look for repeated failures followed by success, new locations, new applications, authentication-method changes, new devices, and unusual administrator activity.

Review the Application

The resource and application fields identify what the user attempted to access. Confirm that the application is approved and expected for the employee's role.

Investigate unfamiliar enterprise applications, device-code activity, legacy clients, command-line tools, administrative portals, and applications requesting unusual permissions.

Review the Sign-In Result

A failed sign-in includes an error code and failure reason that can help identify an incorrect password, blocked account, Conditional Access requirement, disabled application, device issue, or another cause.

Do not close an investigation merely because a failed attempt was blocked. Repeated failures from many accounts can indicate password spraying, while repeated prompts against one account can indicate targeted activity.

Review Authentication Details

Authentication details can show which method satisfied the sign-in, whether multifactor authentication was required, and how the requirement was met.

Review unexpected authentication methods, multifactor prompts the user did not initiate, registration changes, temporary access, and repeated failures. Verify the user's report directly through an approved support process.

Review Conditional Access

The Conditional Access tab can show which policies applied, which controls were required, whether the result was success or failure, and why a policy was not applied.

Use this information to investigate access problems and validate report-only policies before enforcement.

Do not bypass a policy before understanding the result

A permanent exclusion may solve the symptom while creating an unmonitored path around multifactor authentication or device controls.

Review Report-Only Results

Conditional Access report-only mode evaluates a policy without enforcing its access decision. Microsoft recommends reviewing these results before turning a policy on.

Look for users who would be blocked, applications that cannot satisfy the policy, unknown device status, service accounts, emergency accounts, and exclusions that are broader than intended.

Review Device Information

Device information can include operating system, browser, join state, management state, and compliance information when available.

Investigate unsupported operating systems, unknown devices, unmanaged personal devices, inconsistent device identifiers, and privileged access from unapproved endpoints.

Review Location and Internet Address

Sign-in logs may show the internet address and an estimated location. Geolocation can be inaccurate because of mobile carriers, virtual private networks, cloud services, and internet routing.

Use location as one signal. Compare it with known office addresses, remote-work locations, travel, device information, application behavior, and authentication details.

Review Client Application and Protocol

Identify browsers, mobile clients, modern authentication, legacy protocols, and device code flow. Legacy authentication can bypass modern multifactor controls and should be investigated.

Document approved exceptions for printers, scanners, or applications and replace outdated dependencies.

Review Risk Information Where Licensed

Microsoft Entra ID Protection can provide user-risk and sign-in-risk information with appropriate licensing. Risk indicates the likelihood that the identity or authentication request is compromised.

Review the detection, evidence, remediation state, user confirmation, and related sign-ins. Risk should be evaluated with the complete incident context.

Review Administrator Sign-Ins

Privileged sign-ins require stronger scrutiny. Review successful and failed access to Microsoft Entra, Microsoft 365, Exchange, SharePoint, Teams, Intune, Defender, and other administrative portals.

Investigate access from unfamiliar devices, unusual locations, legacy protocols, long-unused admin accounts, and normal user accounts with newly assigned roles.

Review Emergency Access Accounts

Every sign-in and audit event from an emergency access account should generate an investigation. The account should be used only for controlled testing or a documented emergency.

Confirm the authorized user, reason, actions, start and end time, and post-use review.

Use Microsoft Defender Alerts

The Microsoft Defender portal can display alerts and incidents from licensed Microsoft security products. Alerts may involve phishing, malware, unusual file deletion or sharing, administrator changes, device threats, identity activity, and other detections.

Available alerts depend on the organization's licenses and connected services. Document which products feed the portal.

Assign Alert Owners

Every alert source should have a primary owner, backup owner, severity expectations, response time, after-hours process, and escalation contact.

Email notifications should reach an actively monitored destination that remains available during an incident.

Triage Alerts Consistently

  1. Confirm the alert source and severity.
  2. Identify affected users, devices, mailboxes, applications, and data.
  3. Review related sign-ins and audit activity.
  4. Determine whether the activity is expected.
  5. Contain active risk.
  6. Preserve evidence.
  7. Correct the cause.
  8. Document the result and lessons learned.

Investigate Common Patterns

  • Many failed passwords across several users
  • Repeated multifactor prompts followed by success
  • Successful sign-in from a new device and new location
  • New inbox rules or external forwarding
  • Administrator role assignment followed by policy changes
  • Consent to an unfamiliar application
  • Large file deletion or external sharing
  • Emergency access account activity
  • Legacy authentication after it should be blocked

Correlate Events

A single sign-in may appear harmless. Review related mailbox rules, application consent, device activity, file sharing, administrator changes, and alerts.

Record a timeline. Correlation helps distinguish an employee traveling from an attacker who signed in, created forwarding, approved an application, and downloaded data.

Document Baselines

Record normal office addresses, remote-work patterns, approved countries, device platforms, administrative workstations, applications, vendors, and expected after-hours activity.

Update the baseline when the business changes. Do not treat an old office address or former vendor as permanently trusted.

Define Log Retention

Available retention depends on licensing and configuration. Determine how long sign-in, audit, Defender, and connected logs remain available and whether the business requires export to Azure Monitor, Microsoft Sentinel, or another approved system.

Retention should support incident investigation, legal requirements, contractual obligations, and recurring access reviews.

Create a Review Schedule

Review critical alerts continuously or daily, privileged sign-ins weekly, emergency accounts after every event, and broader trends at least monthly. Complete a formal quarterly review of administrators, exclusions, guests, applications, and monitoring coverage.

Adjust frequency to the organization's risk and available staff.

Monitoring Checklist

  • Identify the available sign-in log categories.
  • Review user, application, result, and authentication details.
  • Review Conditional Access and report-only results.
  • Evaluate device, location, client, and protocol information.
  • Review risk detections where licensed.
  • Monitor administrators and emergency accounts.
  • Connect Defender alerts to named owners.
  • Use a consistent triage and containment process.
  • Correlate sign-ins with mailbox, application, and file activity.
  • Maintain business and technical baselines.
  • Confirm log retention and export needs.
  • Document reviews and corrective actions.

Frequently Asked Questions

Does a successful sign-in mean the user is safe?

No. Review device, location, authentication, application, Conditional Access, and related activity.

Can sign-in location be trusted completely?

No. It is an estimate and can be affected by virtual private networks, mobile carriers, cloud infrastructure, and routing.

What should be reviewed first during a suspicious sign-in?

Confirm the user, time, application, authentication details, Conditional Access result, device, location, and activity immediately before and after the event.

When Professional Support Helps

Professional support can configure monitoring, review sign-in and alert coverage, investigate suspicious events, create response procedures, and establish a recurring review schedule.

Need help applying this?

Implement Microsoft 365 security with confidence.

J3 Systems Group LLC can implement Conditional Access, email protection, emergency access, monitoring, application consent controls, and supporting security procedures.

Book a Free Consultation