AADServicePrincipalSignInLogs
Service Principal Sign-In Logs Overview:
A service principal in Azure is an identity created for applications, services, or automated tools to securely access Azure resources without using a user account. It acts as a security identity that allows these entities to authenticate and perform tasks like deployments, API access, or resource management within defined permissions. Service principals enhance security by enabling precise control over resource access and are typically authenticated using certificates or secrets instead of traditional usernames and passwords. This table logs Sign-In Activity for these users.
Schema:
| Column | Type | Description |
|---|---|---|
AppId | string | Unique GUID representing the app ID in the Azure Active Directory |
AuthenticationContextClassReferences | string | The authentication contexts of the sign-in |
AuthenticationProcessingDetails | string | Provides the details associated with authentication processor |
_BilledSize | real | The record size in bytes |
Category | string | Category of the sign-in event |
ConditionalAccessPolicies | string | Details of the conditional access policies being applied for the sign-in |
ConditionalAccessStatus | string | Status of all the conditionalAccess policies related to the sign-in |
CorrelationId | string | ID to provide sign-in trail |
DurationMs | long | The duration of the operation in milliseconds |
FederatedCredentialId | string | Th identifier of an application's federated identity credential if a federated identity credential was used to sign in. |
Id | string | Unique ID representing the sign-in activity |
Identity | string | The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal |
IPAddress | string | IP address of the client used to sign in |
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is |
Level | string | The severity level of the event |
Location | string | The region of the resource emitting the event |
LocationDetails | string | Details of the sign-in location |
OperationName | string | For sign-ins, this value is always Sign-in activity |
OperationVersion | string | The REST API version that's requested by the client |
ResourceDisplayName | string | Name of the resource that the service principal signed into |
ResourceGroup | string | Resource group for the logs |
ResourceIdentity | string | ID of the resource that the service principal signed into |
ResourceServicePrincipalId | string | Service Principal Id of the resource |
ResultDescription | string | Provides the error description for the sign-in operation |
ResultSignature | string | Contains the error code, if any, for the sign-in operation |
ResultType | string | The result of the sign-in operation can be Success or Failure |
ServicePrincipalCredentialKeyId | string | Key id of the service principal that initiated the sign-in |
ServicePrincipalCredentialThumbprint | string | Thumbprint of the service principal that initiated the sign-in |
ServicePrincipalId | string | ID of the service principal who initiated the sign-in |
ServicePrincipalName | string | Service Principal Name of the service principal who initiated the sign-in |
SourceSystem | string | The type of agent the event was collected by. For example, |
TenantId | string | The Log Analytics workspace ID |
TimeGenerated | datetime | The date and time of the event in UTC |
Type | string | The name of the table |
UniqueTokenIdentifier | string | Unique token identifier for the request |
Last updated