Entra ID Monitoring: MFA, SSO, Conditional Access, and User Management Guide 2026

Getting to the right log type is the foundation of everything else. In the Microsoft Entra admin center at entra.microsoft.com, expand the left navigation to Identity > Monitoring & health. You'll see four primary options: Audit logs, Sign-in logs, Provisioning logs, and Usage & insights.

Use Audit logs when your question is about configuration changes, who granted access to an admin group, who modified an app registration, which Conditional Access policy was changed and when. The audit log captures every task performed in your tenant with a timestamp, the actor who performed it, the target resource, and the operation type. Filter by Activity using the dropdown to scope to a specific action category like "User management" or "Application management."

Use Sign-in logs when your question is about authentication, a specific user can't sign in, MFA is prompting unexpectedly, SSO is redirecting incorrectly, or you need to understand the sign-in pattern of a specific account. The sign-in logs have sub-tabs at the top: User sign-ins (interactive), User sign-ins (non-interactive), Service principal sign-ins, and Managed identity sign-ins. Non-interactive sign-ins, often invisible to the end user, are where token refresh failures and app-to-app auth problems hide.

Use Provisioning logs when you've connected a third-party HR or SaaS app (Workday, ServiceNow, Adobe, SAP SuccessFactors) to Entra ID for automated user lifecycle management and need to verify what the provisioning engine did. Filter by Status (Success / Failure / Skipped) and by the Action (Create / Update / Delete / Disable) to narrow down quickly.

Once you've loaded the right log type, use the Add filters button to add targeted columns: User (UPN or display name), Application, Status (Success/Failure/Interrupted), IP address, or Location. If a specific sign-in failure is reported by a user, the fastest filter combination is User + Date + Status:Failure. The matching entries usually appear within seconds.

If you see the table populated, you're in good shape. If it's blank after applying a filter and reasonable date range, move to Step 2, you likely have a permissions or diagnostic settings gap.

The default in-portal log retention in Entra ID is 30 days for sign-in logs and audit logs. For most security and compliance scenarios, that's nowhere near enough. Configuring diagnostic settings is how you route log data to a long-term destination before it expires.

Navigate to Identity > Monitoring & health > Diagnostic settings. Click + Add diagnostic setting. Give it a descriptive name like EntraLogs-AzureMonitor-Prod.

Under Category groups, check the log categories you want to capture. For full Entra ID Monitoring coverage, select all of: AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, and ProvisioningLogs. Don't skip the non-interactive and service principal categories, that's exactly where app authentication failures and token expiry issues show up.

Under Destination details, choose one or more of the following:

• Send to Log Analytics workspace, best option for querying with KQL and building Azure Monitor Workbooks
• Archive to a storage account, best for long-term compliance archival at low cost
• Stream to an event hub, required for routing to third-party SIEM tools like Splunk, Sentinel, or QRadar

If you're using Microsoft Sentinel, select Stream to an event hub and configure the Sentinel data connector on the Sentinel side to consume from that hub. The Microsoft Entra data connector in Sentinel can also be configured to pull logs directly from the API if you prefer that approach over event hub streaming.

Click Save. Diagnostic settings take effect within about 15 minutes. After that window, new log events start flowing to your chosen destination. Note: this setting does not backfill historical data. Only events generated after the diagnostic setting is saved will appear in your destination.

# Verify diagnostic settings are active via Azure CLI
az monitor diagnostic-settings list \
  --resource /tenants/{tenantId}/providers/microsoft.aadiam \
  --resource-type Microsoft.Aad/Iam

Once configured, you should see data flowing into your Log Analytics workspace within 15–30 minutes. Run a quick test KQL query like SigninLogs | take 10 in the Log Analytics workspace to confirm ingestion is working.

This is where most of the real investigative work happens. When a user reports they're being blocked by MFA or Conditional Access, the sign-in logs tell you exactly what happened, you just need to know where to look.

Go to Identity > Monitoring & health > Sign-in logs > User sign-ins (interactive). Filter by the user's UPN and set the date range to cover when the failure occurred. Find the failed sign-in entry, it'll show a red Failure status badge.

Click the entry to open the detail pane. Work through these tabs in order:

Basic info tab: Confirms the user, app, client app type (browser vs. modern auth client), IP, location, and timestamp. Check the Sign-in error code field. Common codes you'll encounter:

• AADSTS50076, MFA required by policy, user didn't complete it
• AADSTS50158, External security challenge not satisfied (often third-party MFA)
• AADSTS53003, Access blocked by Conditional Access policy
• AADSTS70011, Invalid scope, the requested scope is not valid for this application
• AADSTS90072, User account doesn't exist in this tenant (common with guest account SSO failures)

Conditional Access tab: Lists every CA policy that evaluated against this sign-in. Each shows: the policy name, whether it applied, and the result. If a policy shows Failure, expand it to see the specific grant control that wasn't met, Require MFA, Require compliant device, Require hybrid Azure AD joined device, etc.

If you see Report-only in the policy result, that policy is in test mode, it evaluated but didn't actually block anything. This is expected if the policy is being piloted before enforcement.

Authentication details tab: Shows each step of the authentication sequence and whether it succeeded. This is where you see exactly which MFA method was attempted (Microsoft Authenticator push, TOTP, SMS, etc.) and whether the user completed it, timed out, or denied the request. If a user says "I never got the push notification," the authentication details will show whether the Authenticator request was even sent.

// KQL, Find all Conditional Access failures in the last 7 days
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessStatus == "failure"
| project TimeGenerated, UserPrincipalName, AppDisplayName, 
          ConditionalAccessStatus, ResultDescription, 
          IPAddress, Location
| order by TimeGenerated desc

If the KQL query above returns results in your Log Analytics workspace, your diagnostic settings are working correctly and you have full visibility into CA failures across the tenant.

The audit log is your paper trail for every administrative action taken in the tenant. When someone shows up in an admin group they shouldn't be in, or an app starts misbehaving after a configuration change, this is where the answer lives.

Go to Identity > Monitoring & health > Audit logs. The key filters here are:

• Date range, set to cover the window when the change could have happened
• Category, use "UserManagement" for role and group changes, "ApplicationManagement" for app registration changes, "Policy" for Conditional Access policy changes
• Activity, use the search box to type the specific operation, e.g., "Add member to role" or "Update application"
• Initiated by (actor), filter by the account you suspect made the change
• Target, filter by the specific user, group, or app that was changed

Every audit log entry shows you four critical pieces: the Activity (what operation ran), the Initiated by (who or what ran it, this could be a user, a service principal, or a Microsoft internal service), the Target(s) (what was affected), and the Modified properties section inside the entry detail which shows the before and after values for any changed attribute.

One scenario I see constantly: someone escalates that a user was added to the Global Administrator role without going through proper change control. In the audit log, filter Category: RoleManagement, Activity: Add member to role, then click into the matching entry. The Modified properties section shows the role that was assigned and the exact UPN of the account that performed the assignment. You have your answer in under a minute.

For app changes, filter Category: ApplicationManagement and look for activities like Update application, Add owner to application, or Add credentials to application (this last one is important, new client secrets or certificates added to an app registration is a significant security signal).

# Pull audit logs via Microsoft Graph, all role assignment changes in last 48 hours
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
  ?$filter=activityDateTime ge 2026-04-19T00:00:00Z
  and category eq 'RoleManagement'
  and activityDisplayName eq 'Add member to role'
  &$orderby=activityDateTime desc
  &$top=50

If you need audit log data older than 30 days and haven't set up diagnostic settings yet, the data is unfortunately gone from the in-portal view. This is exactly why setting up a Log Analytics workspace or storage account destination (Step 2) matters so much, do it before you need it.

Beyond the raw logs, Entra ID Monitoring includes a proactive recommendations engine that analyzes your tenant configuration daily and flags gaps against Microsoft security best practices. I've found this feature catches misconfigurations that IT teams don't even know to look for.

Navigate to Identity > Overview > Recommendations. Microsoft Entra ID runs a daily analysis of your tenant configuration and surfaces actionable items ranked by impact. Each recommendation includes a description of the issue, a summary of why it matters, a step-by-step action plan, and, critically, a list of impacted resources so you know exactly which accounts, apps, or policies the recommendation applies to.

Common recommendations you'll see in most tenants include:

• Enable MFA for all users, lists every account that doesn't have an MFA method registered
• Remove unused credentials from applications, flags app registrations with expired or orphaned client secrets
• Convert per-user MFA to Conditional Access MFA, older tenants that enabled MFA at the per-user level (in the legacy MFA portal) should move to CA-based MFA for better control
• Migrate to Microsoft Authenticator from SMS, surfaces users still relying on SMS-based MFA
• Review and clean inactive user accounts, accounts that haven't signed in for 90+ days

For Identity Secure Score (now surfaced inside Entra Recommendations), you'll see a numeric score out of 100 that reflects your tenant's overall security posture. Each improvement action shows the point value you'd gain by completing it, useful for prioritizing where to spend your time.

Microsoft Entra Health (separate from recommendations) provides global SLA attainment data and health signals for key scenarios like MFA, password reset, and device registration. Go to Identity > Monitoring & health > Microsoft Entra Health to see whether service-level issues on Microsoft's side are contributing to authentication failures you're investigating.

# Pull recommendations via Microsoft Graph
GET https://graph.microsoft.com/beta/directory/recommendations
  ?$filter=status eq 'active'
  &$orderby=priority asc

Work through active recommendations systematically, start with the highest-priority ones, use the provided action plan, and mark each as Completed or Dismissed with reason so your recommendation list stays actionable rather than cluttered.