AADManagedIdentitySignInLogs
Managed Identity Sign-In Logs Overview
Managed identities in Azure are a feature that provides Azure services with an automatically managed identity in Entra ID. This identity can be used to authenticate to any service that supports Entra ID authentication, without needing to manage any credentials, secrets, or keys manually. This table keeps a record of the sign-in of these identities.
Schema:
| Column | Type | Description |
|---|---|---|
AppId | string | Unique GUID representing the app ID in the Azure Active Directory |
AuthenticationContextClassReferences | string | The authentication contexts of the sign-in |
AuthenticationProcessingDetails | string | Provides the details associated with authentication processor |
_BilledSize | real | The record size in bytes |
Category | string | Category of the sign-in event |
ConditionalAccessPolicies | string | Details of the conditional access policies being applied for the sign-in |
ConditionalAccessStatus | string | Status of all the conditionalAccess policies related to the sign-in |
CorrelationId | string | ID to provide sign-in trail |
DurationMs | long | The duration of the operation in milliseconds |
FederatedCredentialId | string | Th identifier of an application's federated identity credential if a federated identity credential was used to sign in. |
Id | string | Unique ID representing the sign-in activity |
Identity | string | The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal |
IPAddress | string | IP address of the client used to sign in |
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is |
Level | string | The severity level of the event |
Location | string | The region of the resource emitting the event |
LocationDetails | string | Details of the sign-in location |
OperationName | string | For sign-ins, this value is always Sign-in activity |
OperationVersion | string | The REST API version that's requested by the client |
ResourceDisplayName | string | Name of the resource that the service principal signed into |
ResourceGroup | string | Resource group for the logs |
ResourceIdentity | string | ID of the resource that the service principal signed into |
ResourceServicePrincipalId | string | Service Principal Id of the resource |
ResultDescription | string | Provides the error description for the sign-in operation |
ResultSignature | string | Contains the error code, if any, for the sign-in operation |
ResultType | string | The result of the sign-in operation can be Success or Failure |
ServicePrincipalCredentialKeyId | string | Key id of the service principal that initiated the sign-in |
ServicePrincipalCredentialThumbprint | string | Thumbprint of the service principal that initiated the sign-in |
ServicePrincipalId | string | ID of the service principal who initiated the sign-in |
ServicePrincipalName | string | Service Principal Name of the service principal who initiated the sign-in |
SourceSystem | string | The type of agent the event was collected by. For example, |
TenantId | string | The Log Analytics workspace ID |
TimeGenerated | datetime | The date and time of the event in UTC |
Type | string | The name of the table |
UniqueTokenIdentifier | string | Unique token identifier for the request |
Last updated