What are the identity logs you can stream to an endpoint?

Using Microsoft Entra diagnostic settings, you can route activity logs to several endpoints for long term retention and data insights. You select the logs you want to route, then select the endpoint.

This article describes the logs that you can route to an endpoint with Microsoft Entra diagnostic settings.

Log streaming requirements and options

Setting up an endpoint, such as an event hub or storage account, might require different roles and licenses. To create or edit a new diagnostic setting, you need a user who's a Security Administrator for the Microsoft Entra tenant.

To help decide which log routing option is best for you, see How to access activity logs. The overall process and requirements for each endpoint type are covered in the following articles:

Activity log options

The following logs can be routed to an endpoint for storage, analysis, or monitoring.

Audit logs

The AuditLogs report capture changes to applications, groups, users, and licenses in your Microsoft Entra tenant. Once you routed your audit logs, you can filter or analyze by date/time, the service that logged the event, and who made the change. For more information, see Audit logs.

Sign-in logs

The SignInLogs send the interactive sign-in logs, which are logs generated by your users signing in. Sign-in logs are generated when users provide their username and password on a Microsoft Entra sign-in screen or when they pass an MFA challenge. For more information, see Interactive user sign-ins.

Non-interactive sign-in logs

The NonInteractiveUserSIgnInLogs are sign-ins done on behalf of a user, such as by a client app. The device or client uses a token or code to authenticate or access a resource on behalf of a user. For more information, see Non-interactive user sign-ins.

Service principal sign-in logs

If you need to review sign-in activity for apps or service principals, the ServicePrincipalSignInLogs might be a good option. In these scenarios, certificates or client secrets are used for authentication. For more information, see Service principal sign-ins.

Managed identity sign-in logs

The ManagedIdentitySignInLogs provide similar insights as the service principal sign-in logs, but for managed identities, where Azure manages the secrets. For more information, see Managed identity sign-ins.

Provisioning logs

If your organization provisions users through a non-Microsoft application such as Workday or ServiceNow, you might want to export the ProvisioningLogs reports. For more information, see Provisioning logs.

AD FS sign-in logs

Sign-in activity for Active Directory Federated Services (AD FS) applications are captured in this Usage and insight reports. You can export the ADFSSignInLogs report to monitor sign-in activity for AD FS applications. For more information, see AD FS sign-in logs.

Risky users

The RiskyUsers logs identify users who are at risk based on their sign-in activity. This report is part of Microsoft Entra ID Protection and uses sign-in data from Microsoft Entra ID. For more information, see What is Microsoft Entra ID Protection?.

User risk events

The UserRiskEvents logs are part of Microsoft Entra ID Protection. These logs capture details about risky sign-in events. For more information, see How to investigate risk.

Network access traffic logs

The NetworkAccessTrafficLogs are associated with Microsoft Entra Internet Access and Microsoft Entra Private Access. The logs are visible in Microsoft Entra ID, but selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources. For more information, see What is Global Secure Access?.

Risky service principals

The RiskyServicePrincipals logs provide information about service principals that Microsoft Entra ID Protection detected as risky. Service principal risk represents the probability that an identity or account is compromised. These risks are calculated asynchronously using data and patterns from Microsoft's internal and external threat intelligence sources. These sources might include security researchers, law enforcement professionals, and security teams at Microsoft. For more information, see Securing workload identities.

Service principal risk events

The ServicePrincipalRiskEvents provide details around the risky sign-in events for service principals. These logs might include any identified suspicious events related to the service principal accounts. For more information, see Securing workload identities.

Enriched Microsoft 365 audit logs

The EnrichedOffice365AuditLogs are associated with the enriched logs you can enable for Microsoft Entra Internet Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet to secure access to your Microsoft 365 traffic and you enabled the enriched logs. For more information, see How to use the Global Secure Access enriched Microsoft 365 logs.

Microsoft Graph activity logs

The MicrosoftGraphActivityLogs provide administrators full visibility into all HTTP requests accessing your tenant's resources through the Microsoft Graph API. You can use these logs to identify activities that a compromised user account conducted in your tenant or to investigate problematic or unexpected behaviors for client applications, such as extreme call volumes. Route these logs to the same Log Analytics workspace with SignInLogs to cross-reference details of token requests for sign-in logs. For more information, see Access Microsoft Graph activity logs.

Remote network health logs

The RemoteNetworkHealthLogs provide insights into the health of your remote network configured through Global Secure Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources. For more information, see Remote network health logs.

Custom security attribute audit logs

The CustomSecurityAttributeAuditLogs are configured in the Custom security attributes section of diagnostic settings. These logs capture changes to custom security attributes in your Microsoft Entra tenant. To view these logs in the Microsoft Entra audit logs, you need the Attribute Log Reader role. To route these logs to an endpoint, you need the Attribute Log Administrator role and the Security Administrator.