Entra ID Logon Security Event Monitor
Learn How to Monitor Every Entra ID Login
About the Entra ID Logon Security Event Monitor

The Entra ID Logon Security Event Monitor watches your Azure accounts for any logons or logon attempts. It can be configured to alert you about both successful and failed login attempts. It can also be set to include or exclude certain users, applications, and resources from all checks performed by the monitor.

Tips: Azure does not record logons (successful or failed) until about 5 minutes after they occur. As a result, when testing this event monitor, you might not immediately see the results.

Also note that to use this event monitor you need to have an Azure Active Directory Premium (P1 or P2) account. Azure does not support logon auditing for non-premium accounts.

Event Monitor Settings

To begin configuring this event monitor, choose the level of alert you want to receive if Azure cannot be contacted.

Connection Settings

Next, choose the alert level that will be triggered if the event monitor detects one or more failed login attempts.

Failed Login Attempts Option

For those who need to be alerted about every successful login, we've also included an option that does just that. Select the alert level you want to receive each time a user logs in.

Successful Logon Notification Option

Monitoring Options

The next few options control which users, applications, and resources will be included or excluded from checks.

The first option lets you specify a list of users that will be checked. With this option enabled, all other users will not be included in checks. If you're looking to exclude a few users from checks but keep the rest included, use the next option instead. It lets you input a list of users that won't be checked. All users not present on this list will be checked as usual.

User Check Options

The next two options let you include or exclude certain applications from the checks this event monitor performs. Just as above, choose whichever one fits your needs best. Once you select one of these two options, the other becomes disabled as they'd be redundant if used together.

Application Check Options

The final set of options for the Entra ID Logon Security Event Monitor deal with the inclusion or exclusion of resources and can be seen below:

Resource Check Options

Summary

And just like that, your new Entra ID Logon Security Event Monitor is ready to begin watching for logons or logon attempts. For more documentation on this event monitor, see its Technical Resources page. Keep an eye on the Features page to learn all about new FrameFlow features as they arrive.

More IT Monitoring Features