Looking for security documentation and consultancy? Visit ridgelinecyber.com
Sign In

AD1.8 Monitoring Sign-In Activity

5-6 hours · Module 1 · Free
Operational Objective
The Entra ID sign-in log is the single most important investigation tool for identity security. Every authentication to your M365 tenant is recorded here — who signed in, from where, on which device, using which application, whether MFA was completed, and whether conditional access allowed or blocked the session. When someone reports a phishing email and you need to check if their credentials were used, you look here. When you see an impossible travel alert, you investigate here. When an account is compromised and you need to reconstruct what the attacker did, you start here. This subsection teaches you to read the sign-in log efficiently — the five fields you check first, the patterns that indicate compromise, and the filters that turn a million rows of data into a focused investigation.
Deliverable: The ability to investigate any identity-related security event using the sign-in log — from the initial filter to the conclusion — in under 10 minutes.
Estimated completion: 30 minutes
THE FIVE FIELDS YOU CHECK FIRST IN EVERY SIGN-IN INVESTIGATION1. IP ADDRESSIs this your office IP?Known VPN exit?Cloud hosting provider?Unknown IP = investigateClick IP → GeoIP lookup2. LOCATIONExpected country?User travelling?VPN exit location?New country = verifyCompare with HR records3. DEVICERegistered in Entra?Intune compliant?Known device name?Unknown device = suspiciousAiTM uses unknown devices4. MFA STATUSMFA completed?Satisfied by claim?Method used?"By claim" on new IP = AiTMAuth details tab5. CA RESULTWhich policies applied?Were they satisfied?Was anything bypassed?No CA = policy gapConditional access tab

Figure AD1.8 — The five fields you check first in every sign-in investigation: IP address (is it yours?), location (is it expected?), device (is it known?), MFA status (was it completed or claimed?), and conditional access result (which policies applied?). These five fields tell you within 30 seconds whether a sign-in is legitimate or warrants deeper investigation.

Navigate to entra.microsoft.com → Monitoring → Sign-in logs. The default view shows the interactive sign-in log — every user-interactive authentication. The columns default to: Date, User, Application, Status, IP address, and Location. Customise this view by clicking “Columns” and adding “Device,” “Client app,” and “Conditional access” — these three additional columns give you the context you need without clicking into individual entries.

The log retains 30 days of data (E3) or 90 days (with an Azure AD P2 or E5 license). For investigations that need older data, you’ll need to have been exporting logs to Azure Monitor, a storage account, or a SIEM. For this course, 30 days is sufficient — most identity compromises are detected within days.

Set the time range to “Last 7 days” for your Monday morning review. For incident investigation, narrow to the specific date and time window of the suspected compromise.

The investigation workflow

When you investigate a specific account — because of a reported phishing email, a Defender alert, or a risky sign-in detection — follow this workflow.

Step 1: Filter to the user. Click “Add filter” → User → enter the username or UPN. This reduces the log to only that user’s sign-ins.

Step 2: Scan for unusual IPs. Look at the IP address column. Your office IP addresses should be familiar — they’re the same IPs you see every day. Any IP that isn’t your office, your VPN, or a known Microsoft service IP is worth checking. Click on an unfamiliar IP to see the geolocation.

Step 3: Check for sign-ins from unexpected locations. If the user works in London and you see a sign-in from Lagos, that’s either the user travelling (verify) or an attacker (investigate). Cross-reference with the time — a sign-in from Lagos at 03:00 UK time when the user was at home is suspicious. A sign-in from Lagos when the user is on a business trip is normal.

Step 4: Check the MFA details. Click on a suspicious sign-in and go to the “Authentication details” tab. Look for “MFA requirement: Satisfied by claim” versus “Satisfied by MFA.” “Satisfied by claim” on a first sign-in from a new IP means the session token already had MFA baked in — the AiTM signature. “Satisfied by MFA” means the user completed MFA interactively during this sign-in — which is expected.

Step 5: Check the conditional access tab. Click the “Conditional access” tab. It shows every CA policy that was evaluated for this sign-in and the result: Success (policy satisfied, access granted), Failure (policy not satisfied, access blocked), or Not applied (policy conditions didn’t match). If you see “Not applied” for your MFA policy, there’s a gap — the sign-in wasn’t covered by your conditional access. Investigate why.

Step 6: Check for post-sign-in activity. After confirming a suspicious sign-in, check the audit log (entra.microsoft.com → Monitoring → Audit logs) filtered to the same user and time window. Look for: new MFA method registered, inbox rule created, application consent granted, mailbox delegate added. Any of these within minutes of a suspicious sign-in confirms compromise.

Patterns that indicate compromise

After reviewing hundreds of sign-in investigations, certain patterns reliably indicate a compromised account:

Pattern 1 — The geographically impossible session: A successful sign-in from the user’s normal IP at 09:00, then another successful sign-in from a different country at 09:15. If MFA shows “Satisfied by claim” on the second sign-in, this is almost certainly AiTM token replay.

Pattern 2 — The configuration change cascade: A sign-in from an unusual IP followed within minutes by: a new MFA method registered (attacker adding their phone), an inbox rule created (forwarding financial emails), or a mailbox delegate added (attacker granting themselves persistent access). This is the classic BEC setup pattern.

Pattern 3 — The after-hours service account: A service account (svc-, app-, or named “service”) authenticating interactively (not via client credential flow) at 02:00 from an IP that isn’t your application server. Service accounts don’t take breaks. Interactive sign-ins from service accounts at any time are suspicious, and after-hours authentication from an unknown IP is a strong compromise indicator.

Pattern 4 — The failed-then-succeeded cluster: Multiple failed sign-ins (4625 or “Failure” in the sign-in log) from one IP targeting one account, followed by a successful sign-in from the same IP. This is brute force that succeeded. If MFA blocked the successful attempt, you’re safe — but the user’s password is confirmed compromised and needs resetting.

Compliance Myth: "We don't need to check the sign-in log because we have MFA enabled"
MFA blocks the majority of credential attacks, but it doesn't make the sign-in log irrelevant. MFA doesn't prevent AiTM token replay, doesn't detect leaked credentials being sold on dark web markets, doesn't identify attacker reconnaissance (failed sign-ins that reveal which accounts exist), and doesn't catch the rare case where MFA itself is compromised (SIM swap, social engineering). The sign-in log is your visibility into what's happening at the identity perimeter — including the attacks that MFA blocked (so you can verify it's working) and the attacks that MFA didn't stop (so you can respond before damage is done).

Building your weekly sign-in review

Your Monday morning sign-in log review takes 10 minutes and covers four checks.

Common false positives you’ll learn to recognise

After a few weeks of Monday morning reviews, you’ll start recognising patterns that look suspicious but are normal for your environment. Document these so you don’t re-investigate the same patterns every week.

VPN exit nodes cause the most frequent false positives. If your organisation uses a VPN that exits in another country, sign-ins through that VPN show a foreign location. Record your VPN provider’s exit IPs and filter them mentally during reviews. With P2 and named locations, you can add these IPs as a trusted location so they stop triggering alerts.

Microsoft background service authentication generates sign-ins that look unusual but are legitimate. Services like Azure Portal, Microsoft Office, and My Apps authenticate automatically when users have browser sessions open. These appear as sign-ins from the user’s IP with unfamiliar user agents. They’re normal.

Shared device sign-ins in hot-desking environments generate patterns that resemble credential sharing — the same IP shows different users within minutes. Expected on shared workstations, suspicious from a single-user laptop.

Mobile network sign-ins show different IP addresses for the same user within short periods because mobile carriers assign IPs dynamically. A user’s phone might show three different IPs across a morning as the carrier rotates addresses. This looks like impossible travel but it’s standard mobile networking.

Document your environment’s normal patterns in a “known false positive” list. Patterns that match the list get skipped. Patterns that don’t match get investigated. The list grows over the first month and stabilises — after that, anything new that doesn’t match is genuinely worth your attention.

Check 1 — Failed sign-ins from external IPs (2 minutes): Filter by Status: Failure, then scan the IP addresses. Clusters of failures from a single IP targeting multiple accounts indicate a password spray. Clusters from a single IP targeting one account indicate brute force. Record the source IPs for threat intelligence correlation if needed.

Check 2 — Successful sign-ins from unexpected locations (3 minutes): Remove the failure filter. Add a filter for “Location” and deselect your country. Any successful sign-ins from unexpected countries require investigation — even if MFA was completed (AiTM passes MFA).

Check 3 — Legacy auth sign-ins (2 minutes): Filter by Client app → select legacy protocols. After deploying CA002 (block legacy auth), this should return zero results. If you see results, your policy has a gap or an exception is being exploited.

Check 4 — Sign-ins to admin accounts (3 minutes): Filter by User → enter each admin account UPN. Every admin sign-in should be from a known IP and known device. Any admin sign-in from an unfamiliar IP is a critical investigation.

Decision point

During your Monday sign-in review, you see a successful sign-in for a.patel@northgateeng.com from an IP address in Germany at 14:22 on Saturday. A.patel is based in the UK office and was not travelling. The MFA status shows “Satisfied by claim.” The device info shows an unregistered device. You check the audit log and see “New-InboxRule” for a.patel at 14:25. What do you do?

Option A: Contact a.patel to ask if they were in Germany.

Option B: Immediately reset a.patel’s password, revoke all sessions, delete the inbox rule, and check what the attacker accessed — then contact a.patel.

Option C: Log a ticket for the SOC team to investigate.

The correct answer is Option B. Every indicator confirms compromise: unexpected location, MFA by claim (AiTM), unknown device, and inbox rule creation within 3 minutes of sign-in. The attacker has had access since Saturday afternoon — 44 hours. Contain first: reset password, revoke sessions, delete the rule. Then investigate: what emails were the rule forwarding? What did the attacker read? Were any emails sent from the account? Contact a.patel after containment to notify them and check if they clicked a phishing link (which would explain how the AiTM was triggered).

Try it: Run your first sign-in investigation

Pick your own admin account. Navigate to entra.microsoft.com → Monitoring → Sign-in logs. Filter by your UPN. Review the last 7 days of your sign-ins.

For each sign-in, note: the IP address (is it your office or home?), the location (is it your country?), the device (is it your laptop?), the MFA status (was it completed or by claim?), and the conditional access result (did CA001 apply?).

If you see a sign-in where the conditional access result shows “Not applied” for CA001, investigate why — this is a policy gap. If all sign-ins show CA001 with “Success,” your MFA policy is working correctly for your account.

Now try filtering for failed sign-ins across all users in the last 7 days. Add a filter for “Status: Failure.” Check if any patterns emerge — clusters of failures from a single IP against multiple accounts indicate an active password spray. If you see this, your MFA enforcement is blocking the spray, but the spray reveals that your tenant is being actively targeted.

You see a successful sign-in for r.williams@northgateeng.com from an IP in Poland at 03:15 on Wednesday. MFA status shows "Satisfied by MFA" — the user completed an Authenticator app challenge. R.williams works in the UK and is not travelling. What's the most likely explanation?
It's an AiTM attack — Unlikely. AiTM attacks show "Satisfied by claim" because the proxy captures the token after MFA completes. "Satisfied by MFA" means the real user completed MFA interactively, which is harder for an AiTM proxy to achieve while the user is asleep at 03:15.
R.williams's VPN is routing through Poland — Possible but check. If r.williams uses a personal VPN that exits in Poland, this could explain the location. Ask the user.
It's definitely a compromise because the location and time are suspicious — Too definitive without investigation. The MFA was completed interactively, which complicates the compromise theory. Investigation is needed.
MFA fatigue attack — the attacker has r.williams's password and triggered push notifications until the user approved one while half-asleep at 03:15 — Most likely if verified. The attacker sprayed or stuffed the password, then triggered MFA push at 03:15 when the user was likely groggy and would approve without thinking. The "Satisfied by MFA" confirms the user completed the challenge, but the circumstances (03:15, unexpected location) suggest the approval wasn't intentional. Contact r.williams immediately. If they confirm they approved a prompt at 03:15 without understanding why, reset the password and investigate whether the attacker gained access.
Operational Artifact — Weekly Sign-In Log Review Checklist
Your Monday morning sign-in review: 10 minutes, four checks. Failed sign-ins from external IPs (spray detection), successful sign-ins from unexpected locations (compromise detection), legacy auth sign-ins (policy gap detection), and admin account sign-ins (privileged access monitoring). Filter by the last 7 days. Record any findings in your security log. Escalate confirmed compromises immediately using the procedure in AD1.9. This checklist becomes part of your standard operating procedure alongside the Defender incident queue check and the SSPR audit log review.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← Previous Next →