Sign-In Logs — Your Identity Telemetry
0.1 What sign-in logs are
Every identity security control you deploy in this course produces evidence in one place: the sign-in log. Every Conditional Access policy evaluation, every MFA challenge, every risk detection, every token issuance — all of it lands in the SigninLogs and related tables in your Log Analytics workspace. The sign-in log is not a monitoring tool you check when something goes wrong. It is the operational data layer that tells you whether your security controls are working, where the gaps are, and what an attacker's activity looks like when it happens.
Entra ID logs four distinct types of sign-in events. Interactive sign-ins capture a human authenticating through a browser or application. Non-interactive sign-ins capture background token refreshes and SSO activity — the silent authentication events that outnumber interactive sign-ins by 10:1 or more. Service principal sign-ins capture application-to-application authentication using client credentials. Managed identity sign-ins capture Azure resource authentication using platform-managed credentials. Each type produces a different table in Log Analytics, each with a different schema, and each reveals a different dimension of your identity security posture.
The reason this module exists before any control deployment is architectural. When you configure a Conditional Access policy in EI3, you verify it by querying the sign-in log to confirm the policy evaluated correctly. When you deploy phishing-resistant authentication in EI2, you measure adoption by counting authentication method types in the sign-in log. When you tune Identity Protection risk policies in EI5, you assess accuracy by correlating risk detections with sign-in outcomes. When you investigate a suspected compromise in EI15, the sign-in log is where the investigation starts. Every module in this course depends on your ability to read sign-in logs fluently. This module builds that fluency.
0.2 What you will learn
Twelve sections, each building a layer of sign-in log fluency. The first seven teach you to read individual fields and arrays in the sign-in record. The last five teach you to query at population scale, correlate across tables, establish baselines, and build an operational query library.
Section 1.1 — Anatomy of a Sign-In Log Entry. The complete SigninLogs schema mapped to security decisions. Every field explained not as a data dictionary entry but as an answer to a security question. What the status field tells you about authentication outcomes. What authenticationRequirement reveals about how the token was obtained. What conditionalAccessStatus means for policy enforcement.
Section 1.2 — Interactive vs Non-Interactive Sign-Ins. Why non-interactive sign-ins matter more than most practitioners realize. The difference between a user clicking "sign in" and a background token refresh that happens silently. How attackers exploit the non-interactive authentication flow — token replay appears in non-interactive logs, not interactive. How to query both tables and why monitoring only interactive sign-ins leaves 90% of authentication activity invisible.
Section 1.3 — Service Principal and Managed Identity Sign-Ins. The authentication layer that most organizations don't monitor. How applications authenticate to Microsoft Graph and Azure resources using client credentials. Why the Midnight Blizzard breach (Section 0.7) was invisible to organizations monitoring only user sign-ins.
Section 1.4 — Authentication Details Deep Dive. The AuthenticationDetails array that reveals exactly how a user proved their identity. How to distinguish phishing-resistant authentication from push notification, password-only from passwordless, and genuine MFA from "Previously satisfied" token presentation. The fields that detect AiTM token replay.
Section 1.5 — Conditional Access Evaluation in Sign-In Logs. Every sign-in records which Conditional Access policies evaluated, whether each applied or was skipped, and what the outcome was. How to use the ConditionalAccessPolicies array to verify your policies are covering the sign-ins you intended. How to find the sign-ins that bypass all policies.
Section 1.6 — Risk Signals and Identity Protection. How Identity Protection attaches risk assessments to sign-in events. The RiskLevelDuringSignIn and RiskLevelAggregated fields. What each risk detection type means — atypical travel, anonymous IP, malware-linked IP, leaked credentials. Querying risk data to assess detection accuracy before deploying risk-based policies in EI5.
Section 1.7 — Device and Location Signals. The DeviceDetail and LocationDetails objects that provide context for every sign-in. How to distinguish managed devices from unmanaged, compliant from non-compliant. How location data supports named location policies and impossible travel detection.
Section 1.8 — KQL Fundamentals for Identity Security. Moving from single-record analysis to population-level queries. summarize, count, dcount, time-series binning, and percentile calculations applied to sign-in data. The query patterns you'll reuse in every subsequent module.
Section 1.9 — Advanced Query Patterns. Time-windowed anomaly detection, session reconstruction, multi-step aggregation, and statistical deviation from baselines. The patterns that turn raw sign-in data into security intelligence — detecting spikes, identifying outliers, and measuring change over time.
Section 1.10 — Cross-Table Correlation. Joining SigninLogs with AuditLogs, IdentityInfo, and AADServicePrincipalSignInLogs to build complete pictures. The join patterns that detect multi-stage attacks — anomalous sign-in followed by role assignment, consent grant, or inbox rule creation. The correlation framework that EI13 uses for detection rules.
Section 1.11 — Building Your Sign-In Baseline. Converting raw queries into an operational baseline. Normal sign-in patterns by user, application, location, and device. Statistical thresholds for anomaly detection. The query library you'll maintain as you deploy controls — each control changes the baseline, and each change should be measurable.
Section 1.12 — The Identity Query Library. The consolidated query set for identity security operations. Queries organized by operational function: posture measurement, policy verification, risk triage, anomaly detection, and incident investigation. The library you take with you and extend throughout the course.
0.3 Why Entra ID sign-in logs are the ideal telemetry source
No other identity provider exposes this level of authentication detail in a queryable format. Every sign-in event in Entra ID records the full authentication flow: which credentials were presented, which authentication methods were used, which Conditional Access policies evaluated, what the risk assessment was, what device was used, where the sign-in originated, and what the outcome was. This telemetry is available in near-real-time through Log Analytics and Sentinel.
The four sign-in log tables — SigninLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, and AADManagedIdentitySignInLogs — provide complete coverage of every authentication type. User authentication, background token refresh, application authentication, and Azure resource authentication are all captured, all queryable, and all available for detection rules.
KQL provides the analytical layer. Unlike portal-based log viewers that show individual records, KQL lets you aggregate across millions of sign-in events to calculate coverage percentages, identify population-level patterns, and detect anomalies that are invisible in individual records. A single anomalous sign-in might not trigger an alert. The same sign-in pattern across 50 accounts in 10 minutes is an active attack. KQL makes that transition from record-level to population-level analysis possible.
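The record-to-population transition described above, as an added example that is not part of the course material: a small Python script (not KQL, so it can run offline) that reproduces the shape of `summarize count(), dcount(UserPrincipalName), dcount(IPAddress) by bin(TimeGenerated, 10m)` over constructed records carrying a few SigninLogs-style columns. The data, the `contoso.example` account names, the TEST-NET IP ranges and the flagging thresholds (25 distinct accounts from at most 3 source IPs in one window) are all assumptions made for the example, not values from the course or from any tenant.

```python
"""Record-level vs population-level analysis of sign-in failures.

Added example, not course code. The record shape mirrors a few SigninLogs
columns (TimeGenerated, UserPrincipalName, IPAddress, ResultType); every
record below is constructed and no real tenant data is involved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 9, 0, 0)  # constructed anchor timestamp


def build_sample_signins():
    """Construct sample records: a sparse baseline of single failures spread
    over the day, plus one window in which 50 distinct accounts each fail
    exactly once from the same source IP. Viewed one record at a time, every
    failure in the burst looks like an ordinary mistyped password."""
    records = []
    # Baseline: 12 accounts, one failure each, hours apart, distinct IPs.
    for i in range(12):
        records.append({
            "TimeGenerated": BASE + timedelta(hours=i % 8, minutes=7 * i),
            "UserPrincipalName": f"user{i:02d}@contoso.example",  # constructed
            "IPAddress": f"198.51.100.{i}",  # TEST-NET-2, documentation range
            "ResultType": "50126",  # invalid username or password
        })
    # Burst: 50 accounts, one failure each, within six minutes, one IP.
    for i in range(50):
        records.append({
            "TimeGenerated": BASE + timedelta(hours=5, minutes=2, seconds=7 * i),
            "UserPrincipalName": f"user{i:02d}@contoso.example",  # constructed
            "IPAddress": "203.0.113.77",  # TEST-NET-3, documentation range
            "ResultType": "50126",
        })
    return records


def bin_start(ts, minutes=10):
    """Floor a timestamp to its window start, like KQL bin(TimeGenerated, 10m)."""
    return ts.replace(minute=ts.minute - (ts.minute % minutes), second=0, microsecond=0)


def per_user_failures(records):
    """Record-level view: failed sign-ins per account. Nothing here stands out."""
    counts = defaultdict(int)
    for r in records:
        if r["ResultType"] != "0":  # ResultType 0 is a successful sign-in
            counts[r["UserPrincipalName"]] += 1
    return dict(counts)


def population_summary(records, window_minutes=10):
    """Population-level view: per time window, total failures, distinct
    accounts and distinct source IPs (count, dcount, dcount by bin)."""
    windows = defaultdict(lambda: {"count": 0, "users": set(), "ips": set()})
    for r in records:
        if r["ResultType"] == "0":
            continue
        w = windows[bin_start(r["TimeGenerated"], window_minutes)]
        w["count"] += 1
        w["users"].add(r["UserPrincipalName"])
        w["ips"].add(r["IPAddress"])
    return {
        start: {"count": w["count"],
                "dcount_users": len(w["users"]),
                "dcount_ips": len(w["ips"])}
        for start, w in windows.items()
    }


def flag_windows(summary, min_users=25, max_ips=3):
    """Windows where many distinct accounts fail from very few source IPs.
    Thresholds are assumptions for the example; tune them to your baseline."""
    return sorted(start for start, s in summary.items()
                  if s["dcount_users"] >= min_users and s["dcount_ips"] <= max_ips)


if __name__ == "__main__":
    records = build_sample_signins()
    print("max failures for any single account:", max(per_user_failures(records).values()))
    summary = population_summary(records)
    for start in flag_windows(summary):
        print(f"{start:%H:%M} window flagged:", summary[start])
```

The per-account view tops out at two failures for any one account, which no lockout or alert threshold would notice; only the windowed aggregate exposes fifty accounts failing from a single IP inside ten minutes. The same `dcount` shape carries over to `SigninLogs` in Log Analytics, and the thresholds are the part you calibrate against your own tenant's baseline.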
Defender XDR adds correlation. Sign-in events in Advanced Hunting can be joined with email events, endpoint events, and cloud app events to trace multi-stage attacks across the kill chain. An AiTM phishing email, the resulting token replay sign-in, and the subsequent inbox rule creation appear as connected events in the same query workspace.
0.4 How to get the best from this module
Work through the sections in order. Sections 1.1 through 1.7 build sign-in log literacy field by field — each section adds a new dimension of the sign-in record. Sections 1.8 and 1.9 build query fluency — the analytical patterns that turn raw records into security insights. Sections 1.10 through 1.12 build operational capability — cross-table correlation, baselines, and a reusable query library.
If you set up the lab environment in Section 0.10, run every query against your own Sentinel workspace. The queries produce real results from your developer tenant's sign-in activity, and reading your own data is how the schema becomes intuitive rather than memorized.
If you are an experienced KQL user from a DE, SOC, or IR background, the query patterns in Sections 1.8 and 1.9 may be familiar. The value for you is in the identity-specific application — which fields to project, which joins reveal multi-stage attacks, and which statistical patterns constitute an identity security baseline.
Estimated total time: 4 to 5 hours. Two to three sections per session is a comfortable pace.
0.5 Module structure
- Section 1.1 — Anatomy of a Sign-In Log Entry
- Section 1.2 — Interactive vs Non-Interactive Sign-Ins
- Section 1.3 — Service Principal and Managed Identity Sign-Ins
- Section 1.4 — Authentication Details Deep Dive
- Section 1.5 — Conditional Access Evaluation in Sign-In Logs
- Section 1.6 — Risk Signals and Identity Protection
- Section 1.7 — Device and Location Signals
- Section 1.8 — KQL Fundamentals for Identity Security
- Section 1.9 — Advanced Query Patterns
- Section 1.10 — Cross-Table Correlation
- Section 1.11 — Building Your Sign-In Baseline
- Section 1.12 — The Identity Query Library
Prerequisite: EI0 (The Identity Threat Landscape). The concepts in Sections 0.2 (authentication flows), 0.3 (security stack), and 0.5 (kill chain) are referenced throughout. Section 0.10 (lab environment) provides the Sentinel workspace where you'll run every query.
Go to Section 1.1 — Anatomy of a Sign-In Log Entry to begin.