Application Activity Report in Azure AD

Sometimes, it is necessary to monitor organizational activities keenly to keep them away from serious exploitation. I am pretty sure that every organization might depend on at least one application to manage the entire Office 365 infrastructure. These applications can be used to administer simple to more complex tasks. Following the risky user activities, it is imperative to supervise Azure AD application activities. As an act of achieving this, Microsoft has brought in Azure AD application activity reports. This feature is now available for public preview within the Azure Active Directory ‘Usage and Insights’.

As an admin, it is necessary to check user activities on a regular basis. M365 auditing makes this simple. However, most admins prefer PowerShell scripts for auditing over Audit logs due to its efficiency. As most attackers these days target sign-in activities to intrude into your organization, it is necessary to monitor user activities reports such as login history and last logon time to keep things on the right track. To ease these monitoring processes, admins may go for Azure AD applications. As same as the user activity is taken into account, Azure AD application activity is also another factor to consider.

With this new preview feature, admins can now generate report on application activities with info on successful sign-ins and failed sign-ins, success rate percentages, etc. Thereby, users can find answers to the following questions.

• What are the top used applications in my organization?
• What applications have the most failed sign-ins?
• What are the top sign-in errors for each application?

Users with roles such as Global Administrator, Security Administrator, Security Reader, or Report Reader with Azure AD premium (P1/P2) license can access the Usage & Insights app activity report in Azure.

Step:1 Sign in to the Azure Portal.

Step:2 Go to Azure Active Directory.

Step:3 Under ‘Monitoring’ select ‘Usage and Insights’.

Step:4 Then, Select Azure AD Application Activity.

Using this report, you can obtain the number of successful sign-ins, failed sign-ins, and the success rate of the applications. The ‘Date range’ dropdown allows you to filter the activity by weeks or by months. Applications are displayed randomly and you can use the ‘sort arrow’ to arrange the columns in ascending or descending order.

The search box can be used to search applications by name or object ID.

For each app, from the View sign in activity option, you can observe the detailed list of the sign-in activities.

The above line graph projects the successful sign-ins and failed sign-ins for the selected application using blue and pink lines. You can also filter the activity by date from the dropdown provided.

The Sign-in failures within the page give complete information on the failed sign-ins such as the error details, code, occurrences, and the last seen.

Microsoft’s report on Azure AD app activity is limited to sign-in data. Yet another excellent tool that replaces the experience with its 600+ out-of-the-box Office 365 auditing reports is AdminDroid’s Office 365 Reporter Tool.

So, what are the other application activity reports extended by this tool? In addition, it has a detailed chart view for applications with maximum and minimum successful sign-ins and sign-in interrupts report with sign-in summaries. For interactive sign-ins, it holds data for sign-in time, sign-in user, sign-in application name, MFA status, city, and much more.

That’s all about the Azure AD application activity report that is in public preview now. We will update the blog once the feature is generally available. Stay tuned for more!

Feel free to reach us in the comments for any assistance.