Azure Entra ID (formerly Azure Active Directory) Sign-In logs provide a wealth of information about user authentication activity, including who signed in, from where, and with what device. However, to truly unlock the value of this data, it's essential to analyze it effectively using KQL. Let's explore how you can leverage SquaredUp's dashboard to run KQL to analyze your Azure Entra ID Sign-In logs, identify authentication trends, detect security anomalies, and optimize your overall identity management strategy.

Dashboard walkthrough

As a disclaimer, this dashboard and article were inspired by Ruben Zimmermann's amazing blog and dashboard in SquaredUp Dashboard Server targeting the same use case. I've reproduced for SquaredUp Cloud!

We'll be using same queries that Ruben used in his blog since I think they do the job perfectly well. They all query the one table SigninLogs.

To start, deploy the Azure plugin.

After that is done, browse through the multiple data streams (which enable you to retrieve all things Azure), and select the KQL data stream.

Next, we select the correct Azure Log Analytics workspace where we're streaming these logs. I'm going to assume you've already done this bit in Azure.

In the parameters section, paste in your KQL query and that should return the data from your workspace. Choose the right visualization type based on what data you want to display on the dashboard, and you're done! Simple as that.

Repeat this process for all the tiles and there you have it – a beautiful dashboard telling you all about the SignIn activities in your tenant.

Again, shoutout to Ruben for his work on this one!

To see what other dashboards you can create, check out our dashboard gallery.