In this module
Sign-In Logs — Your Identity Telemetry
Every identity security control you deploy in this course produces evidence in one place: the sign-in log. Every conditional access policy evaluation, every MFA challenge, every risk detection, every token issuance — all of it lands in the SigninLogs and AADNonInteractiveUserSignInLogs tables. If you cannot read these logs fluently, you cannot verify that your controls work, you cannot detect when they fail, and you cannot investigate when an attacker finds a gap.
This module teaches you to read sign-in logs the way an experienced identity security engineer reads them — not for investigation (that is the IR course) but for security posture assessment, policy validation, and anomaly detection. Every subsequent module in this course uses sign-in log queries to verify that the controls you deploy are actually enforcing.
You will learn every security-relevant field in the sign-in log entry, the authentication details array that reveals exactly how a user proved their identity, the conditional access evaluation that shows which policies applied and what they decided, and the risk signals that Identity Protection attaches to suspicious sign-ins. You will then build a baseline of normal sign-in behavior for your environment — the foundation that makes every detection and monitoring technique in this course possible.
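The query below is an added example, not one of the course's own queries, that puts the pieces named above together: it builds a 14-day baseline of which user/app/country combinations are normal, then lists the last day's successful sign-ins that fall outside it, together with the methods from AuthenticationDetails, the conditional access policies that applied, and the Identity Protection risk fields. Column names follow the standard SigninLogs schema; the lookback window, the one-day review window and the three-sighting threshold are assumptions to tune for your tenant.

```kql
// Added example (not course material): baseline normal sign-in behaviour and
// surface successful sign-ins that do not match it. Assumed tunables below.
let lookback = 14d;          // assumed baseline period
let window   = 1d;           // assumed review period
let minSightings = 3;        // assumed: ignore combinations seen fewer than 3 times
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | where ResultType == 0                         // successful sign-ins only
    | summarize Sightings = count()
        by UserPrincipalName, AppDisplayName, Location
    | where Sightings >= minSightings;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == 0
// keep only user/app/country combinations absent from the baseline
| join kind=leftanti baseline on UserPrincipalName, AppDisplayName, Location
// how the user proved identity: every method recorded in the auth details array
| mv-apply step = AuthenticationDetails on (
    summarize Methods = make_set(tostring(step.authenticationMethod))
  )
// which conditional access policies actually enforced a grant on this sign-in
| mv-apply pol = ConditionalAccessPolicies on (
    summarize AppliedPolicies = make_set_if(tostring(pol.displayName),
                                            tostring(pol.result) == "success")
  )
| project TimeGenerated, UserPrincipalName, AppDisplayName, Location, IPAddress,
          AuthenticationRequirement, Methods, ConditionalAccessStatus,
          AppliedPolicies, RiskLevelDuringSignIn, RiskState
| order by TimeGenerated desc
```

Read the output as a posture check rather than an alert feed: a row whose Methods contains only a password while AuthenticationRequirement is singleFactorAuthentication shows a gap in MFA coverage, an empty AppliedPolicies on a sensitive app shows a conditional access scoping gap, and a non-empty RiskLevelDuringSignIn on a success shows a risk policy that did not block. Once the baseline is stable, the same structure drives the verification queries used for each control in the later modules.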
Defense Design Method
What attack does this stop? → The threat, named and mapped to MITRE ATT&CK. Not a vague risk category — the specific technique an attacker would use against your environment.
Where is the control configured? → The exact location — portal path, PowerShell command, Graph API endpoint. No ambiguity.
How should it be designed? → The policy logic. Who it applies to, what conditions trigger it, what exceptions are needed, and why each design decision exists.
How do you verify it works? → The KQL query against sign-in logs or audit logs that proves the control is active and enforcing. Trust but verify.
What does it look like when it fails? → The log entry, the alert, the audit event that tells you something got through. This bridges to detection.
What do you do next? → The remediation action, the escalation path, and the connection to the IR course for full investigation when prevention fails.
You've mapped the identity threat landscape and learned to read sign-in logs.
EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.
- 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
- The Defense Design Method — the six-step framework applied to every identity control you'll build
- EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
- Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
- Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain