Sign In
In this module

EI1.1 Anatomy of a Sign-In Log Entry

60-80 minutes · Module 1 · Free
Operational Objective
A Defender XDR alert fires: "Unfamiliar sign-in properties." You open the sign-in log entry and see dozens of fields — UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail, ResultType, ConditionalAccessStatus, RiskLevelDuringSignIn, AuthenticationDetails, and more. You need to understand what every security-relevant field contains, what the values mean, and which fields answer which investigation questions — so you can assess this alert in under two minutes.
Deliverable: The ability to read any sign-in log entry and immediately extract the security-relevant information: who signed in, from where, with what authentication method, what conditional access decided, and whether Identity Protection flagged it as risky.
⏱ Estimated completion: 18 minutes

The sign-in log as your primary instrument

Every identity security operation in this course — every policy verification, every anomaly detection, every attack indicator — depends on the sign-in log. It is the single data source that records every authentication attempt against your Entra ID tenant. Before you deploy conditional access policies (EI3), before you configure Identity Protection (EI5), before you build detection rules (EI13), you need to read sign-in logs the way a pilot reads instruments: fluently, without hesitation, knowing what each indicator means and what action each value demands.

The Entra ID sign-in log records every authentication event — successful and failed, interactive and non-interactive, user and service principal. A typical M365 tenant with 1,000 users generates thousands of sign-in events per day. The volume is not the challenge. The challenge is knowing which fields matter for security, what the values mean in context, and how to query the data at scale.

There are four separate sign-in log tables in Entra ID, each recording a different category of authentication event. This subsection covers the fields that are common across all four tables. Subsequent subsections cover the differences between the log types and the specialized fields in each.

The fields that answer security questions

Every sign-in log entry contains dozens of fields, but for identity security work, a core set answers the questions that matter. Here is each field, what it contains, and the security question it answers.

UserPrincipalName is the identity that authenticated — the email address format (user@domain.com) that uniquely identifies the account. This answers the most basic question: whose account was used? In a compromise investigation, this is the starting point for every query. Note that this field reflects the account as it exists in the directory, not necessarily the email address the user typed at the login page — if the user has aliases, the UPN is the canonical identifier.

Expand for Deeper Context

UserDisplayName is the human-readable name associated with the account. Less useful for querying (display names are not unique) but useful for quickly identifying the person in a list of results.

AppDisplayName identifies the application the user was accessing — "Microsoft Teams," "Office 365 Exchange Online," "Azure Portal," "Microsoft Graph Explorer," or a third-party application name. This answers: what was the user trying to access? An attacker who replays a stolen token typically targets Outlook Web Access or Microsoft Graph first to access email and files. Seeing Graph API access from an account that normally only uses Teams and Outlook is an anomaly worth investigating.

AppId is the application's unique identifier (a GUID). AppDisplayName can be spoofed in custom application registrations — an attacker could register an application called "Microsoft Security Update" to disguise malicious activity. AppId is the reliable identifier. The well-known AppIds for Microsoft first-party applications are documented and can be used in detection rules to distinguish first-party access from third-party application access.

IPAddress is the IP address the authentication request originated from. This answers: where did this sign-in come from? An attacker replaying a token from a different country produces a sign-in from an unexpected IP. Note that this is the public IP — if the user is behind a corporate proxy or NAT, all users behind that proxy share the same IP in the logs. VPN exit nodes also mask the true origin. IPAddress is a useful signal but not a definitive identifier.

Location is the geographic information derived from the IP address — it includes city, state, and countryOrRegion fields. The location data is derived from IP geolocation databases, which are accurate at the country level and approximately accurate at the city level but should not be treated as precise. Location is most useful for detecting sign-ins from countries where your organization has no operations.

SIGN-IN LOG ENTRY — SECURITY FIELDS WHO UserPrincipalName · UserDisplayName · UserId Which account was used? WHAT AppDisplayName · AppId · ResourceDisplayName · ResourceId What were they accessing? WHERE IPAddress · Location (city, state, countryOrRegion) Where did this come from? HOW DeviceDetail · ClientAppUsed · AuthenticationDetails · MfaDetail How did they authenticate? OUTCOME ResultType · ResultDescription · ConditionalAccessStatus What happened? Was it allowed? RISK RiskLevelDuringSignIn · RiskLevelAggregated · RiskDetail · RiskEventTypes_V2 Was this suspicious?
Figure EI1.1 - Anatomy of a Sign-In Log Entry

DeviceDetail is an object containing information about the device used for the sign-in — the operating system, browser, device ID (if the device is registered with Entra ID), whether the device is compliant, and whether it is managed. This answers: what device was used? An attacker replaying a stolen token from their own machine will show a different device than the user's registered device. If the user normally signs in from a Windows 11 machine enrolled in Intune and the suspicious sign-in shows a Linux machine with no device registration, that is a strong indicator of compromise.

ClientAppUsed identifies the client application protocol — "Browser," "Mobile Apps and Desktop Clients," "Exchange ActiveSync," "Other clients," and legacy protocols like "IMAP," "POP3," "SMTP," and "Authenticated SMTP." This field is critical for detecting legacy authentication usage. If you have blocked legacy authentication in conditional access (as EI4 teaches), this field verifies the block is working. If you see "IMAP" or "POP3" in successful sign-ins, your legacy authentication block has a gap.

ResultType is a numeric code that indicates the outcome of the authentication attempt. ResultType 0 means success. Every other value represents a specific failure reason. The most important ResultType codes for identity security are: 50126 (invalid username or password — the most common code in password spray attacks), 50074 (strong authentication required — the user was prompted for MFA), 50076 (MFA required but not completed), 53003 (access blocked by conditional access), 530032 (blocked by security defaults), and 500121 (authentication failed during strong authentication — the user failed MFA). A complete reference of security-relevant ResultType codes is provided in the module summary.

ResultDescription provides a human-readable explanation of the ResultType code. Useful for quick triage but less reliable for programmatic querying than the numeric code.

ConditionalAccessStatus is one of three values: "success" (access was granted after conditional access evaluation), "failure" (access was blocked by conditional access), or "notApplied" (no conditional access policy matched this sign-in). The "notApplied" value is the one that should alarm you — it means this sign-in was not evaluated by any conditional access policy. If you are building a Zero Trust architecture (EI0.7), every sign-in should be evaluated by at least one policy. A "notApplied" result represents a gap in your policy coverage.

RiskLevelDuringSignIn is the risk level that Identity Protection assigned to this specific sign-in at the time it occurred — "none," "low," "medium," or "high." This is the real-time risk assessment. An attacker replaying a stolen token might trigger "medium" (unfamiliar sign-in properties) or "high" (anomalous token) depending on how different the sign-in context is from the user's baseline.

RiskLevelAggregated is the overall risk level of the user account at the time of the sign-in, considering all recent risk detections — not just this specific sign-in. A user with multiple low-risk sign-ins over a short period may have an aggregated risk of "medium" even if each individual sign-in was "low."

RiskDetail explains what action was taken (or could be taken) based on the risk assessment — "none," "aiConfirmedSigninSafe" (Identity Protection's AI determined the sign-in was safe), "userPassedMFADrivenByRiskBasedPolicy" (the user completed MFA prompted by a risk-based policy), "adminConfirmedSigninCompromised" (an admin confirmed the sign-in was malicious), and others.

RiskEventTypes_V2 lists the specific risk detections that were triggered — "unfamiliarFeatures," "anonymizedIPAddress," "maliciousIPAddress," "impossibleTravel," "anomalousToken," "tokenIssuerAnomaly," and others. This is the most specific risk information in the sign-in log and is essential for understanding why Identity Protection flagged a sign-in.

The first query: reading your own sign-in log

Before diving deeper into the specialized fields, run this query in your Sentinel workspace to see the core fields for recent sign-ins in your developer tenant:

// EI1.1 — Core sign-in log fields for security assessment
// Run this in your Sentinel workspace (Logs blade)
// Requires: diagnostic settings configured (EI0.9)
SigninLogs
| where TimeGenerated > ago(24h)
| project 
    TimeGenerated,
    UserPrincipalName,              // WHO — which account
    AppDisplayName,                  // WHAT — which application
    IPAddress,                       // WHERE — source IP
    Location = tostring(LocationDetails.city),  // WHERE — city
    Country = tostring(LocationDetails.countryOrRegion),  // WHERE — country
    DeviceOS = tostring(DeviceDetail.operatingSystem),    // HOW — device OS
    ClientApp = ClientAppUsed,       // HOW — client type
    ResultType,                      // OUTCOME — success/failure code
    ConditionalAccessStatus,         // OUTCOME — CA decision
    RiskLevelDuringSignIn,           // RISK — real-time risk
    AuthenticationRequirement        // HOW — single factor or MFA
| order by TimeGenerated desc
| take 50

Run this query and examine the results. Every row is a sign-in event. Every column is a security signal. By the end of this module, you will be able to look at any row and immediately assess whether it is normal, suspicious, or a confirmed indicator of compromise.

Beyond this module
The IR course's IR8 (M365 Identity Compromise Investigation) teaches you to use these same fields for investigation after a compromise is confirmed. This module teaches you to use them for prevention — verifying that your controls are working and detecting anomalies before they become incidents. The fields are the same; the operational purpose differs.

Try it yourself

Try It — Read Your First Sign-In Log Entry

Environment: Your M365 developer tenant with Sentinel workspace (configured in EI0.9).

Exercise: Run the query above in your Sentinel workspace. Find a sign-in event for your admin account. For that single event, answer these questions:

1. What application were you accessing? (AppDisplayName) 2. What IP address did the sign-in come from? (IPAddress) 3. What device were you using? (DeviceOS) 4. Was the sign-in evaluated by conditional access? (ConditionalAccessStatus) 5. Was the sign-in flagged as risky? (RiskLevelDuringSignIn) 6. Was MFA required? (AuthenticationRequirement)

If any of these fields is empty or null, that is information too — it tells you that the data source for that field is not configured or that the sign-in type does not populate that field. EI1.2 explains which log types populate which fields.

⚠ Compliance Myth: "We review sign-in logs weekly, so we will catch any compromise"

The myth: Our security team reviews the sign-in logs every Monday. We will see any suspicious activity during the weekly review.

The reality: The AiTM attack in EI0.8's case study 1 progressed from initial access to BEC wire fraud in under thirty minutes. A weekly log review would discover this attack four to seven days after the $47,000 payment was sent to the attacker. By that point, the money is unrecoverable, the attacker's persistence mechanisms are deeply embedded, and the investigation scope has expanded significantly. Sign-in log monitoring must be real-time — through Sentinel analytics rules that fire on suspicious patterns as they occur (EI13), not through manual human review on a weekly schedule. Manual review is useful for posture assessment and trend analysis (EI14), but it is not a detection mechanism.

📋 Investigation Artifact — Sign-In Log Field Reference

Bookmark this reference for quick field lookups during this course:

Sign-In Log — Security-Critical Fields

Identity: UserPrincipalName, UserDisplayName, UserId

Application: AppDisplayName, AppId, ResourceDisplayName, ResourceId

Location: IPAddress, Location (city, state, countryOrRegion)

Device: DeviceDetail (OS, browser, deviceId, isCompliant, isManaged)

Client: ClientAppUsed, UserAgent

Authentication: AuthenticationDetails, MfaDetail, AuthenticationRequirement

Outcome: ResultType (0=success), ResultDescription, Status

Conditional Access: ConditionalAccessStatus, ConditionalAccessPolicies (array)

Risk: RiskLevelDuringSignIn, RiskLevelAggregated, RiskDetail, RiskEventTypes_V2

Correlation: CorrelationId (links related events), UniqueTokenIdentifier

Key ResultType codes:

- 0 — Success

- 50126 — Invalid username or password (password spray indicator at volume)

- 50074 — MFA required (user redirected to MFA)

- 50076 — MFA required but not completed

- 53003 — Blocked by conditional access

- 530032 — Blocked by security defaults

- 500121 — Failed MFA attempt

- 50053 — Account locked (smart lockout triggered)

- 50057 — Account disabled

Compliance mapping: Sign-in log monitoring supports SOC 2 CC6.1 (Logical Access), ISO 27001 A.12.4 (Logging and Monitoring), and NIST CSF DE.AE-3 (Event Data Collection).

Decision point

A sign-in log shows a successful authentication from an IP in a country where NE has no employees. MFA was satisfied by push notification. The user says they approved the MFA prompt while traveling. Do you accept this explanation?

Verify, do not accept at face value. Check: does the user have a travel request on file? Does the IP geo-location match the claimed travel destination? Does the device fingerprint match the user's enrolled device? Are there other sign-ins from NE's corporate IP in the same time window (which would indicate the user is NOT traveling)? An attacker who stole credentials and is bombarding the user with MFA prompts (MFA fatigue) gets the same 'I approved it' response from a confused user. The investigation confirms or refutes the travel explanation within 5 minutes.

A sign-in log shows: ResultType 0 (success), MfaDetail 'satisfied by claim', ConditionalAccessStatus 'success', IPAddress from a residential proxy in Nigeria. The user's normal sign-in pattern is UK corporate IPs only. What is the most likely explanation?
The user is traveling to Nigeria for business.
AiTM session token theft. The combination of MFA-by-claim (not interactive MFA challenge), residential proxy IP (not corporate), and successful CA evaluation (the token contains the MFA assertion) is the AiTM signature. The attacker captured the session token via an AiTM proxy, which includes the MFA claim. The token is then replayed from the attacker's infrastructure. Action: immediate session revocation, MFA method audit, and CA policy assessment (why did the compliant device policy not block this?).
The user's VPN is routing through a Nigerian exit node.
Identity Protection would have blocked this if it were truly malicious.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

  • 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
  • The Defense Design Method — the six-step framework applied to every identity control you'll build
  • EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
  • Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
  • Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain
Unlock the full course with Premium See Full Syllabus
← Previous Next →