Azure AD Sign-In Logs
Identify Conditional Access, MFA, and modern auth issues using sign-in log evidence.
⚠️ Business Consequence: Why This Matters
- Financial Impact: Rapid incident diagnosis = reduced MTTR ($5K–$15K saved per incident)
- Compliance Exposure: Sign-in logs = audit evidence for SOC 2/ISO 27001 access controls
- Operational Risk: Failed authentication analysis prevents mass user lockouts
- Security Intelligence: Anomaly detection enables breach prevention (lateral movement, credential stuffing)
Log analysis time: 3–5 minutes — accelerates incident resolution.
🚀 Before You Start
- 15-25 minutes to locate root cause in sign-in logs
- Entra ID global admin or Security Reader role
- Read-only diagnostics. No changes to authentication policies.
- Azure portal access, Entra ID Sign-in Logs, affected user email
Sign-In Logs: Quick Reference
- Purpose: Track all authentication attempts to Exchange Online
- Retention: 30 days (free), 90 days (Premium P1)
- Access: Azure AD Admin, Global Reader, or Security Reader role
- Best for: Conditional Access blocks, MFA failures, token expiry, device compliance issues
Critical Columns for Exchange Diagnostics
These columns identify the root cause of authentication failures:
| Column | What to Look For | Examples |
|---|---|---|
| Status | Success (green) or Failure (red) | Success, Interrupted |
| Result | Error code explaining failure | 53003 (CA blocked), 50076 (MFA required) |
| Conditional Access | Which policy blocked access | Failure (MFA required but unsupported) |
| Client App | Which app made the request | Outlook, Mobile Apps, Browser |
| Device Compliance | Device registration status | Compliant, Non-compliant, Unknown |
Common Error Codes
- 53003: Blocked by CA policy. Check policy conditions and user device status
- 50076: MFA required but not provided. User needs an app password or must re-authenticate with MFA
- 50058: Session expired. User needs to sign in again
- 53000: Device not compliant. Enroll device in Intune or adjust CA policy
Step-by-Step: Diagnosing Authentication Issues
Follow this workflow to identify why users cannot access Exchange:
Step 1: Open Azure AD Sign-In Logs (1 min)
- Sign in to Azure Portal → Azure Active Directory → Sign-in logs
- Set date range to the time of issue (usually last 24 hours)
Step 2: Filter by User & Application (2 min)
- Click "Add filters" → User → Select affected user
- Add filter: "Application" → "Outlook" or "Office 365 Exchange Online"
- Set time ±15 minutes around reported issue
Step 3: Analyze Failures (3-5 min)
- Look for entries with Status = "Failure" (red icon)
- Click each failed entry to see detailed view
- Check "Result" column for error code (53003 = CA blocked, 50076 = MFA required)
- Review "Conditional Access" tab to see which policy blocked access
- Check "Device Compliance" status if policy requires it
Step 4: Match to Outlook Behavior
- Status = Success: Should work; try clearing Outlook cache if user reports issues
- Status = Failure, Result = 53003: CA policy is blocking; review policy conditions
- Status = Failure, Result = 50076: MFA required but not provided; give user app password
- No entries found: Client not reaching Azure AD; check network or Outlook autodiscover
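The workflow in Steps 2 to 4, applied to sign-in records exported as JSON, as an added example that is not part of the original page. It assumes records in the Microsoft Graph signIn shape (`userPrincipalName`, `appDisplayName`, `createdDateTime`, `status.errorCode`, `appliedConditionalAccessPolicies`, `deviceDetail.isCompliant`); the names `triage`, `GUIDANCE`, `SAMPLE` and the sample records themselves are constructed for illustration.

```python
from datetime import datetime, timedelta

# Guidance text copied from the page's "Common Error Codes" list.
GUIDANCE = {
    53003: "Blocked by CA policy; check policy conditions and user device status",
    50076: "MFA required but not provided",
    50058: "Session expired; user needs to sign in again",
    53000: "Device not compliant; enroll device in Intune or adjust CA policy",
}
APPS = {"Outlook", "Office 365 Exchange Online"}  # Step 2 application filter

def _ts(value):  # Graph timestamps end in "Z"; make fromisoformat accept them
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(records, upn, reported_at, window_min=15):
    """Steps 2-4: filter by user, app and time window, then classify."""
    centre, delta = _ts(reported_at), timedelta(minutes=window_min)
    hits = [r for r in records
            if r["userPrincipalName"].lower() == upn.lower()
            and r["appDisplayName"] in APPS
            and abs(_ts(r["createdDateTime"]) - centre) <= delta]
    if not hits:  # Step 4: the client may not be reaching Azure AD at all
        return {"verdict": "no_entries", "failures": []}
    failures = []
    for r in sorted(hits, key=lambda r: _ts(r["createdDateTime"])):
        code = r["status"]["errorCode"]
        if code == 0:  # errorCode 0 is a successful sign-in
            continue
        policies = r.get("appliedConditionalAccessPolicies", [])
        failures.append({
            "time": r["createdDateTime"],
            "code": code,
            "guidance": GUIDANCE.get(code, "Not in the page's list; open the entry"),
            "blocking_policies": [p["displayName"] for p in policies if p["result"] == "failure"],
            "device_compliant": r.get("deviceDetail", {}).get("isCompliant"),
        })
    return {"verdict": "failure" if failures else "success", "failures": failures}

def _rec(upn, app, when, code, policies=(), compliant=None):  # constructed-record helper
    return {"userPrincipalName": upn, "appDisplayName": app, "createdDateTime": when,
            "status": {"errorCode": code}, "deviceDetail": {"isCompliant": compliant},
            "appliedConditionalAccessPolicies": list(policies)}
EXO, CA = "Office 365 Exchange Online", {"displayName": "Require compliant device", "result": "failure"}
SAMPLE = [  # constructed records, not real tenant data
    _rec("alice@contoso.example", EXO, "2024-05-06T09:05:40Z", 50076),
    _rec("alice@contoso.example", EXO, "2024-05-06T09:02:11Z", 53003, [CA], False),
    _rec("alice@contoso.example", EXO, "2024-05-06T11:30:00Z", 50058),  # outside window
    _rec("bob@contoso.example", EXO, "2024-05-06T09:03:00Z", 53003),    # other user
]
```

Calling `triage(SAMPLE, "alice@contoso.example", "2024-05-06T09:00:00Z")` returns the two in-window failures in time order, each with the page's guidance for its code and the names of any policies whose result was a failure.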
FAQs
Which roles can access sign-in logs?
Azure AD Admin, Global Reader, or Security Reader roles can access sign-in logs.
What error code indicates CA blocking?
53003 typically indicates a Conditional Access policy blocked the request.
How do I diagnose repeated MFA prompts?
Filter for 50076; review CA requirements and check client app and device compliance status.
No entries found—what does that mean?
The client may not be reaching Azure AD; verify network connectivity and Autodiscover configuration.