You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: "Working with the authentication methods usage report API"
3
-
description: "The authentication methods usage report helps you understand how users in your organization are using Microsoft Entra authentication capabilities such as self-service password reset and multifactor authentication (MFA)."
3
+
description: "Authentication methods activity reports provides information on the registration and usage of authentication methods in your tenant."
The authentication methods usage reports help you understand how users in your organization are using [Microsoft Entra authentication capabilities](../resources/authenticationmethods-overview.md)such as multifactor authentication (MFA), Self-Service Password Reset (SSPR), and Passwordless authentication.
19
+
Authentication methods activity reports provides information on the registration and usage of [authentication methods](../resources/authenticationmethods-overview.md)in your tenant.
18
20
19
21
These reports provide information such as:
20
22
21
23
- How many users are registered for each authentication method
22
-
- How many users are registered for features such as multifactor authentication (MFA), Self-Service Password Reset (SSPR), and Passwordless authentication.
23
-
- The failure rates of each authentication method
24
+
- How many users are registered for features such as multifactor authentication (MFA), Self-Service Password Reset (SSPR), and passwordless authentication.
25
+
- The failure rates of each authentication method
26
+
27
+
These reports are available on the Microsoft Entra portal through **Protection** tab group > **Authentication methods** tab > **Activity** tab under the *Monitoring* tab group.
24
28
25
29
## Licenses
26
30
27
-
A Microsoft Entra ID P1 or P2 license is required to access usage and insights. Microsoft Entra multifactor authentication and self-service password reset (SSPR) licensing information can be found on the [Microsoft Entra pricing site](https://azure.microsoft.com/pricing/details/active-directory/).
31
+
A Microsoft Entra ID P1 or P2 license is required to access authentication methods usage and insights reports. Microsoft Entra multifactor authentication and self-service password reset (SSPR) licensing information can be found on the [Microsoft Entra pricing site](https://www.microsoft.com/security/business/microsoft-entra-pricing).
28
32
29
-
## Common requests
33
+
## Available reports
30
34
31
-
The following table lists some common requests that you can use with this API.
35
+
The following reports are available through Microsoft Graph:
36
+
- Users registered and capable of self-service password reset (SSPR) and Azure multifactor authentication (MFA). For more information, see the [credentialUserRegistrationCount resource type](../resources/credentialuserregistrationcount.md).
37
+
- SSPR usage activity. For more information, see the [userCredentialUsageDetails resource type](../resources/usercredentialusagedetails.md).
38
+
- Tenant-level summary of user SSPR activity, including failure and successes. For more information, see the [credentialUsageSummary resource type](../resources/credentialusagesummary.md).
39
+
- Per-user report of the status of their authentication methods including the default methods, whether registered for MFA, SSPR, and a passwordless authentication method, and so on. For more information, see the [userRegistrationDetails resource type](../resources/userRegistrationDetails.md).
40
+
- Count of users registered, enabled, and capable of using MFA, SSPR, and passwordless authentication. For more information, see the [usersRegisteredByFeature resource type](../resources/userregistrationfeaturesummary.md).
41
+
- Raw count of users registered for email, password, and phone authentication methods. For more information, see the [usersRegisteredByMethod resource type](../resources/userregistrationmethodsummary.md).
42
+
- (**Deprecated.** Use the [userRegistrationDetails resource type](../resources/userRegistrationDetails.md) instead) Per-user registration and usage details for different authentication methods, SSPR, and MFA. For more information, see the [credentialUserRegistrationDetails resource type](../resources/credentialuserregistrationdetails.md).
32
43
33
-
| Operation | Try in Graph Explorer | Description |
34
-
| --------- | --- | ----------- |
35
-
|[getCredentialUserRegistrationcount](../resources/credentialuserregistrationcount.md)|[GET /credentialuserregistrationcount](https://developer.microsoft.com/graph/graph-explorer?request=reports/getCredentialUserRegistrationcount()&version=beta)| Get the number of users registered for self-service password reset and MFA. |
36
-
|[getCredentialUsageSummary](../resources/credentialusagesummary.md)|[GET /credentialusagesummary](https://developer.microsoft.com/graph/graph-explorer?request=reports/getCredentialUsageSummary&version=beta)| Get the number of users using self-service password reset. |
37
-
|[credentialUserRegistrationDetails (deprecated)](../resources/credentialuserregistrationdetails.md)|[GET /credentialuserregistrationdetails](https://developer.microsoft.com/graph/graph-explorer?request=reports/credentialUserRegistrationDetails&version=beta)| Get the user details for self-service password reset and MFA registration activities. |
38
-
|[userCredentialUsageDetails](../resources/usercredentialusagedetails.md)|[GET /usercredentialusagedetails](https://developer.microsoft.com/graph/graph-explorer?request=reports/userCredentialUsageDetails&version=beta)| Get user details for all self-service password reset activities. |
39
-
|[usersRegisteredByFeature](../resources/userregistrationfeaturesummary.md)|[GET /authenticationMethods/usersRegisteredByFeature](https://developer.microsoft.com/graph/graph-explorer?request=reports/authenticationMethods/usersRegisteredByFeature(includedUserTypes='all',includedUserRoles='all')&version=beta)| Get the number of users capable of multifactor authentication, self-service password reset and passwordless authentication. |
40
-
|[usersRegisteredByMethod](../resources/userregistrationmethodsummary.md)|[GET /authenticationMethods/usersRegisteredByMethod](https://developer.microsoft.com/graph/graph-explorer?request=reports/authenticationMethods/usersRegisteredByMethod(includedUserTypes='all',includedUserRoles='all')&version=beta)| Get the number of users registered for each authentication method. |
41
-
|[userRegistrationDetails](../resources/userRegistrationDetails.md)|[GET /authenticationMethods/userRegistrationDetails](https://developer.microsoft.com/graph/graph-explorer?request=reports/authenticationMethods/userRegistrationDetails&version=beta)| Get the MFA registration details for all users. |
42
44
43
45
## Related content
44
46
45
-
- Learn how to [deploy Microsoft Entra self-service password reset](/azure/active-directory/authentication/howto-sspr-deployment).
46
-
- Learn how to deploy [Microsoft Entra multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted).
47
-
- Learn how to enable [combined security info registration](/azure/active-directory/authentication/howto-registration-mfa-sspr-combined).
description: "Use the activity reports API in Microsoft Graph to access the reports that Microsoft Entra creates to help you track user activity in a tenant."
2
+
title: "Audit logs API overview"
3
+
description: "Access audit logs using Microsoft Graph APIs to track user activity in a tenant, integrate with third-party SIEM tools, and remain compliant."
Microsoft Entra ID tracks user activity and creates reports that help you understand how your users access and use Microsoft Entra services. Use the Microsoft Graph API for Microsoft Entra to analyze the data in these reports and to create custom solutions tailored to your organization's specific needs.
17
+
Microsoft Entra provides an audit trail of all user and app activity in your tenant to help you track all activities in your tenant and also be compliant. These logs include both app and user sign in activity, as well as changes to the directory.
18
18
19
-
The availability of these activity reports is governed by the Microsoft Entra data retention policies. For more information, see [data retention policies](/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data).
19
+
The availability of these activity reports is governed by the [Microsoft Entra data retention policies](/entra/identity/monitoring-health/reference-reports-data-retention#how-long-does-azure-ad-store-the-data).
20
20
21
-
## What are activity reports?
22
-
23
-
Microsoft Entra provides four types of activity reports:
24
-
25
-
- Directory audit logs
26
-
- Custom security attribute audit logs
27
-
- Sign-ins
28
-
- Provisioning
21
+
## Available audit logs
29
22
30
23
### Directory audit logs
31
24
32
-
The directory audit report provides you with access to the history of every task performed in your tenant. The directory audit report provides you with records of system activities for compliance. Amongst others, the provided data enables you to address common scenarios such as:
25
+
The [directory audit logs](../resources/directoryaudit.md) provide you with access to the history of every task performed in your tenant, either by a user or a service. Amongst others, the provided data enables you to address common scenarios such as:
33
26
34
27
- Who granted admin group access to a directory user?
35
28
- Which users are signing in to a recently acquired app?
36
29
- How many passwords resets were made within the directory?
37
30
38
31
### Custom security attribute audit logs
39
32
40
-
Custom security attribute audit logs provide you with the history of activities related to custom security attributes, such as adding a new definition or assigning an attribute value to a user. Custom security attribute audit logs are separate from directory audit logs and have a different endpoint. To view custom security attribute audit logs, you must be assigned the Attribute Log Reader or Attribute Log Administrator role. By default, a Global Administrator doesn't have access to these audit logs.
33
+
[Custom security attribute audit logs](../resources/customsecurityattributeaudit.md) provide you with the history of activities related to [custom security attributes](../resources/custom-security-attributes-overview.md), such as adding a new definition or assigning an attribute value to a user. Custom security attribute audit logs are separate from directory audit logs and have a different endpoint. To view custom security attribute audit logs, you must be assigned the Attribute Log Reader or Attribute Log Administrator role. By default, a Global Administrator doesn't have access to these audit logs.
41
34
42
35
### Sign-ins
43
36
44
-
The sign-ins report helps you determine who performed the tasks reported by directory audit logs. The sign-ins report helps you answer questions like:
37
+
The [sign-in logs](../resources/signin.md) help you determine who or what performed the tasks reported by directory audit logs. The logs include interactive user sign-ins, non-interactive user sign-ins, service principal sign-ins, and managed identity sign-ins.
38
+
39
+
The sign-ins report helps you answer questions like:
45
40
46
41
- What is the sign in pattern of a user?
47
42
- How many users have signed in during the last week?
48
43
- What's the status of these sign-ins?
49
44
50
45
### Provisioning
51
46
52
-
The provisioning report helps you see all the actions performed by the Microsoft Entra provisioning service. The provisioning report helps you answer questions like:
47
+
The [provisioning logs](../resources/provisioningobjectsummary.md) help you see all the actions performed by the Microsoft Entra provisioning service. The provisioning report helps you answer questions like:
53
48
54
49
- What groups were successfully created in ServiceNow?
55
50
- What roles were imported from Amazon Web Services?
@@ -59,21 +54,17 @@ The provisioning report helps you see all the actions performed by the Microsoft
59
54
60
55
Here are popular requests for working with report data:
61
56
62
-
Operation | URL
63
-
:----------|:----
64
-
GET tenant user activities | [https://graph.microsoft.com/beta/auditLogs/directoryAudits](https://developer.microsoft.com/graph/graph-explorer?request=auditLogs/directoryAudits&version=beta)
65
-
GET custom security attribute audit logs | [https://graph.microsoft.com/beta/auditLogs/customSecurityAttributeAudits](https://developer.microsoft.com/graph/graph-explorer?request=auditLogs/customSecurityAttributeAudits&version=beta)
66
-
GET tenant user sign-ins | [https://graph.microsoft.com/beta/auditLogs/signIns](https://developer.microsoft.com/graph/graph-explorer?request=auditLogs/signIns&version=beta)
67
-
GET provisioning logs | [https://graph.microsoft.com/beta/auditLogs/provisioning](https://developer.microsoft.com/graph/graph-explorer?request=auditLogs/Provisioning&version=beta)
57
+
|Operation | URL|
58
+
|--|--|
59
+
|GET tenant user activities |[https://graph.microsoft.com/beta/auditLogs/directoryAudits](https://developer.microsoft.com/graph/graph-explorer?request=auditLogs/directoryAudits&version=beta)|
Activity reports are available for features that you've licensed. If you have a license for a specific feature, you also have access to the reports. For more information about license requirements for the different activity reports, see [Microsoft Entra audit logs: License and role requirements](/entra/identity/monitoring-health/concept-audit-logs#license-and-role-requirements).
72
67
73
68
## Related content
74
69
75
-
- Start working with the following resources representing the different activity reports:
0 commit comments