Hi 365admin
To retrieve a distinct list of Office 365 (Azure AD) users who have accessed your Azure VPN, you need to first enable the VPN Gateway diagnostic logs and ensure that these logs are sent to a Log Analytics workspace. If you are using Azure AD authentication for Azure VPN P2S, verify that the VPN is configured with Azure AD credentials. Then, run a KQL query in Log Analytics to extract distinct users from the Azure Diagnostics table:
AzureDiagnostics
| where ResourceType == "VPNGATEWAYS"
| where Category == "P2SDiagnosticLog"
| where OperationName == "UserAuthentication"
| extend User = tostring(parse_json(Properties).userPrincipalName)
| where isnotempty(User)
| summarize Count = count() by User
| project User, Count
Refer: P2SDiagnosticLog
You can also try checking the Azure AD sign-in logs or events to get the list of VPN users. For this, please navigate to Microsoft Entra ID >> Monitoring >> Sign-in logs and then filter for VPN connections using the KQL query below:
SigninLogs
| where AppId == "xxxx3e61-6xxe-4xx5-bxx7-cd054exxxxx4" // Azure VPN App ID
| where Status.errorCode == 0 // Successful sign-ins
| project UserPrincipalName, IPAddress, DeviceDetail, TimeGenerated
| summarize Count = count() by UserPrincipalName
| sort by Count desc
Refer: How to access the activity logs in the Microsoft Entra admin center
If the above is unclear and/or you are unsure about something, add a comment below.
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
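
The following is an added example, not part of the original answer: a per-user review query in the same sign-in log shape that also keeps failed attempts, first and last sign-in times, and source IPs. The `SampleSignins` rows, the all-zero `VpnAppId` placeholder and the `contoso.example` accounts are constructed so the query runs without a workspace.

```kql
// Constructed sample rows standing in for the SigninLogs table.
// To run against a real workspace, replace SampleSignins with SigninLogs,
// set VpnAppId to your Azure VPN App ID, and add a time filter such as
// "| where TimeGenerated > ago(30d)".
let VpnAppId = "00000000-0000-0000-0000-000000000000"; // placeholder value
let SampleSignins = datatable(
    TimeGenerated: datetime, UserPrincipalName: string,
    IPAddress: string, AppId: string, ResultType: string)
[
    datetime(2024-05-01 08:02:00), "alice@contoso.example", "203.0.113.10",
        "00000000-0000-0000-0000-000000000000", "0",
    datetime(2024-05-02 08:05:00), "alice@contoso.example", "203.0.113.10",
        "00000000-0000-0000-0000-000000000000", "0",
    datetime(2024-05-03 23:41:00), "alice@contoso.example", "198.51.100.77",
        "00000000-0000-0000-0000-000000000000", "50126", // failed sign-in
    datetime(2024-05-02 09:15:00), "bob@contoso.example", "203.0.113.25",
        "00000000-0000-0000-0000-000000000000", "0",
    // Different application: must not count as a VPN sign-in
    datetime(2024-05-02 10:00:00), "carol@contoso.example", "203.0.113.30",
        "11111111-1111-1111-1111-111111111111", "0"
];
SampleSignins
| where AppId == VpnAppId
| summarize
    Successes = countif(ResultType == "0"),   // ResultType "0" = success
    Failures  = countif(ResultType != "0"),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    SourceIPs = make_set(IPAddress, 20)       // cap the set at 20 addresses
    by UserPrincipalName
| extend DistinctIPs = array_length(SourceIPs)
| where Successes > 0                         // only users who actually connected
| sort by LastSeen desc
```

Users with failures from an address they have never connected from successfully, or with an unusually high `DistinctIPs`, are the rows worth a closer look.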