Queries for the ACREntraAuthenticationAuditLog table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Microsoft Entra authentication audit log

Logging Microsoft Entra authentication audit events.

source
| project
    TimeGenerated = todatetime(['time']),
    Location = location,
    OperationName = operationName,
    CacheName = tostring(properties.tenant),
    Message = tostring(properties.message),
    Authentication = tostring(properties.authentication),
    Username = tostring(properties.username),
    IpAddress = tostring(properties.ipAddress),
    ClientId = tostring(properties.clientId),
    ClientName = tostring(properties.clientName),
    Lifetime = tostring(properties.lifetime),
    RoleInstance = toint(properties.roleInstance)