Microsoft 365 login history refers to the record of all user sign-in events captured by Microsoft Entra ID (formerly Azure Active Directory). Organizations need to track this activity for security monitoring, regulatory compliance, and detecting unauthorized access attempts. Reviewing login history helps identify suspicious behavior such as brute force attacks, logins from unusual geographic locations, or signs of compromised accounts.
Cloud-based working offers many advantages including collaboration, flexibility, and reduced costs, but it also comes with potentially serious security threats. It is essential, therefore, to have proper controls in place to protect the privacy and integrity of the data you store in the cloud for your own security and to comply with regulatory controls.
To ensure continuous security and compliance with Microsoft 365, you need the same level of control as you do over your on-premises systems. Tracking Microsoft 365 login activity is therefore crucial to reduce risk and mitigate damage.
The native Microsoft Entra ID (formerly Azure Active Directory) audit logs record all logon events, but the entries are not easy to filter leaving you with a large volume of information to process manually. Additionally, native log retention is limited—free tier accounts retain sign-in logs for only 7 days, while Microsoft Entra ID Premium extends this to 30 days.
In addition to the monitoring of Office 365 login history, it will also be necessary to store and access your Microsoft 365 login audit trail for several years. Using the native reports, you can only track activity for short periods of time meaning that if you don’t want to lose visibility into login activity, you have to constantly export data and store it.
A more straightforward solution to this native approach is to use the Lepide Auditor for Office 365. This solution enables you to generate reports of both successful and failed attempts to login to Microsoft Entra ID. Trusted locations can be filtered out to display only the information you are looking for, providing an efficient way to monitor logons. And log files can be kept indefinitely meaning that you do not have to keep exporting and storing your data.
Here are two ways to detect logons in Microsoft Entra ID:
- Using the Microsoft 365 Admin Center
- Using the Lepide Auditor for Office 365
Check Login History Using Microsoft 365 Admin Center
Follow the below steps to view Sign-ins:
- Navigate to the Microsoft 365 Admin Center and log in with your administrator credentials.
- Select Show All from the left-hand side menu if Admin Centers are not visible.
- Click Azure Active Directory (Microsoft Entra ID) under Admin Centers.
- Select Users, then click All Users.
- Click on the specific user(s) you want to view sign-ins for.
- Select Sign-in logs from the menu
- Review the results displayed. Use the Add filters option to refine results by date, status, or location.
Note: The login history information may take up to 24 hours to appear in the activity log.
Check Login History Using the Lepide Auditor
An alternative method to check login history in Office 365 is to use the All Environment Changes Report from the Lepide Auditor for Microsoft 365. Our solution can detect logons outside of trusted locations in Microsoft Entra ID.
- This report is listing all login activity for Microsoft Entra ID for a specified time period
- The report can be sorted, filtered, saved, and exported
