Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Reference for SigninLogs table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Azure Resources, Security |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AADTenantId | string | |
| Agent | dynamic | The agentic property for sign in logs. Includes the agentType and the parentAppId when the type is AgenticInstance. |
| AlternateSignInName | string | The identification that the user provided to sign in. It may be the userPrincipalName but it's also populated when a user signs in using other identifiers. |
| AppDisplayName | string | The application name displayed in the Azure Portal. |
| AppId | string | The application identifier in Azure Active Directory. |
| AppliedConditionalAccessPolicies | string | |
| AppliedEventListeners | dynamic | Detailed information about the listeners, such as Azure Logic Apps and Azure Functions, that were triggered by the corresponding events in the sign-in event. |
| AppOwnerTenantId | string | The tenant identifier of the owenr of the application in Azure Active Directory. |
| AuthenticationAppDeviceDetails | string | Details of the app and device state used during the most recent authentication step using an authentication app. |
| AuthenticationAppPolicyEvaluationDetails | string | The details of the policies applied and enforced related to the authentication app during the latest signIn step. |
| AuthenticationContextClassReferences | string | Contains a collection of values that represent the conditional access authentication contexts applied to the sign-in. |
| AuthenticationDetails | string | The result of the authentication attempt and additional details on the authentication method. |
| AuthenticationMethodsUsed | string | The authentication methods used. Possible values: SMS, Authenticator App, App Verification code, Password, FIDO, PTA, or PHS. |
| AuthenticationProcessingDetails | string | Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication. |
| AuthenticationProtocol | string | Lists the protocol type or grant type used in the authentication. The possible values are: none, oAuth2, ropc, wsFederation, saml20, deviceCode. For authentications that use protocols other than the possible values listed, the protocol type is listed as none. |
| AuthenticationRequirement | string | This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed. |
| AuthenticationRequirementPolicies | string | Sources of authentication requirement, such as conditional access, per-user MFA, identity protection, and security defaults. |
| AuthenticatorAppLocation | string | The location of the authenticator app. |
| AutonomousSystemNumber | string | The Autonomous System Number (ASN) of the network used by the actor. |
| Category | string | |
| ClientAppUsed | string | The legacy client used for sign-in activity. For example: Browser, Exchange ActiveSync, Modern clients, IMAP, MAPI, SMTP, or POP. |
| ClientCredentialType | string | The type of client credential used. Examples include client assertion, client secret, etc. |
| ConditionalAccessAudiences | string | The audiences targeted by the conditional access policy. |
| ConditionalAccessPolicies | dynamic | A list of conditional access policies that are triggered by the corresponding sign-in activity. |
| ConditionalAccessStatus | string | The status of the conditional access policy triggered. Possible values: success, failure, or notApplied. |
| CorrelationId | string | The identifier that's sent from the client when sign-in is initiated. This is used for troubleshooting the corresponding sign-in activity when calling for support. |
| CreatedDateTime | datetime | The date and time the sign-in was initiated. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| CrossTenantAccessType | string | Describes the type of cross-tenant access used by the actor to access the resource. |
| DeviceDetail | dynamic | The device information from where the sign-in occurred. Includes information such as deviceId, OS, and browser. |
| DurationMs | long | |
| FederatedCredentialId | string | Federated Credential Id. |
| FlaggedForReview | bool | During a failed sign in, a user may click a button in the Azure portal to mark the failed event for tenant admins. If a user clicked the button to flag the failed sign in, this value is true. |
| GlobalSecureAccessIpAddress | string | Global secure IP address that user signed in from. |
| HomeTenantId | string | The tenant identifier of the user initiating the sign in. Not applicable in Managed Identity or service principal sign ins. |
| HomeTenantName | string | The tenant name of the external tenant who homes the entitity taking action in the customer's tenant. |
| Id | string | The identifier representing the sign-in activity. |
| Identity | string | The display name of the actor identified in the signin. |
| IncomingTokenType | string | The type of token utilized to signIn (examples: primary refresh token, saml assertion). |
| IPAddress | string | The IP address of the client from where the sign-in occurred. |
| IPAddressFromResourceProvider | string | The IP address a user used to reach a resource provider, used to determine Conditional Access compliance for some policies. For example, when a user interacts with Exchange Online, the IP address Exchange receives from the user may be recorded here. This value is often null. |
| IsInteractive | bool | Indicates whether a user sign in is interactive. In interactive sign in, the user provides an authentication factor to Azure AD. These factors include passwords, responses to MFA challenges, biometric factors, or QR codes that a user provides to Azure AD or an associated app. In non-interactive sign in, the user doesn't provide an authentication factor. Instead, the client app uses a token or code to authenticate or access a resource on behalf of a user. Non-interactive sign ins are commonly used for a client to sign in on a user's behalf in a process transparent to the user. |
| IsRisky | bool | |
| IsTenantRestricted | bool | Indicates if a signIn is under a tenant restrictions policy or not. |
| IsThroughGlobalSecureAccess | bool | Displays whether or not a user came through Global Secure Access service or not. |
| Level | string | |
| Location | string | The 2 letter country code from where the sign-in occurred. Depending on IP address provided, this value may not always resolve to a city or region level of detail. |
| LocationDetails | dynamic | Provides the city, state, country/region and latitude and longitude from where the sign-in happened. |
| MfaDetail | dynamic | This property is deprecated. |
| NetworkLocationDetails | string | The network location details including the type of network used and its names. |
| OperationName | string | |
| OperationVersion | string | |
| OriginalRequestId | string | The request identifier of the first request in the authentication sequence. |
| OriginalTransferMethod | string | Transfer method used to initiate a session throughout all subsequent requests. |
| ProcessingTimeInMilliseconds | string | |
| Resource | string | |
| ResourceDisplayName | string | The name of the resource that the user signed in to. |
| ResourceGroup | string | |
| ResourceId | string | The identifier of the resource that the user signed in to. |
| ResourceIdentity | string | The resource that the user signed in to. |
| ResourceOwnerTenantId | string | The tenant identifier of the owner of the resource referenced in the sign in. |
| ResourceProvider | string | |
| ResourceServicePrincipalId | string | The identifier of the service principal representing the target resource in the sign-in event. |
| ResourceTenantId | string | The tenant identifier of the resource referenced in the sign in. |
| ResultDescription | string | Provides the error message or the reason for failure for the corresponding sign-in activity. |
| ResultSignature | string | |
| ResultType | string | Provides the 5-6 digit error code that's generated during a sign-in event. 0 indicates success; other values are failures. You can find more information using the Azure AD Error Codes documentation or https://login.microsoftonline.com/error. |
| RiskDetail | string | The reason behind a specific state of a risky user, sign-in, or a risk event. Possible values: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, or adminConfirmedSigninCompromised. The value none means that no action has been performed on the user or sign-in so far. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden. |
| RiskEventTypes | string | This property is deprecated. |
| RiskEventTypes_V2 | string | The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, or generic. |
| RiskLevel | string | |
| RiskLevelAggregated | string | The aggregated risk level. Possible values: none, low, medium, high, or hidden. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden. |
| RiskLevelDuringSignIn | string | The risk level during sign-in. Possible values: none, low, medium, high, or hidden. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden. |
| RiskState | string | The risk state of a risky user, sign-in, or a risk event. Possible values: none, confirmedSafe, remediated, dismissed, atRisk, or confirmedCompromised. |
| ServicePrincipalId | string | The application identifier used for sign-in. This field is populated when you are signing in using an application. |
| ServicePrincipalName | string | The application name used for sign-in. This field is populated when you are signing in using an application. |
| SessionId | string | Id of the session that was generated during the signIn. |
| SessionLifetimePolicies | string | Any conditional access session management policies that were applied during the sign-in event. |
| SignInIdentifier | string | The identification that the user provided to sign in. It may be the userPrincipalName but it's also populated when a user signs in using other identifiers. |
| SignInIdentifierType | string | The type of sign in identifier. Possible values are: userPrincipalName, phoneNumber, proxyAddress, qrCode, onPremisesUserPrincipalName. |
| SourceAppClientId | string | The Source App's Client ID for Target Identities. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Status | dynamic | The sign-in status. Includes the error code and description of the error (in case of a sign-in failure). |
| TimeGenerated | datetime | |
| TokenIssuerName | string | The name of the identity provider. For example, sts.microsoft.com. |
| TokenIssuerType | string | The type of identity provider. The possible values are: AzureAD, or ADFederationServices, AzureADBackupAuth, ADFederationServicesMFAAdapter, NPSExtension. |
| TokenProtectionStatusDetails | dynamic | Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the signin token was bound to the device or not. |
| Type | string | The name of the table |
| UniqueTokenIdentifier | string | A unique base64 encoded request identifier used to track tokens issued by Azure AD as they are redeemed at resource providers. |
| UserAgent | string | The user agent information related to sign-in. |
| UserDisplayName | string | The display name of the user. |
| UserId | string | The identifier of the user. |
| UserPrincipalName | string | The UPN of the user. |
| UserType | string | Identifies whether the user is a member or guest in the tenant. Possible values are: member and guest. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Entra ID |
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
| User agent search for log4j exploitation attempt |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| Expired access credentials being used in Azure | |
| Microsoft Entra ID Rare UserAgent App Sign-in | |
| Microsoft Entra ID UserAgent OS Missmatch |
In solution GitLab: ResultType == "0"
| Analytic Rule |
|---|
| GitLab - SSO - Sign-Ins Burst |
In solution Lastpass Enterprise Activity Monitoring:
| Analytic Rule | Selection Criteria |
|---|---|
| Failed sign-ins into LastPass due to MFA |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in SigninLogs |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Suspicious use of Web API | ResourceIdentity == "00000007-0000-0000-c000-000000000000" |
| F&O - Unusual sign-in activity using single factor authentication | NetworkLocationDetails !has "trustedNamedLocation"ResultType == "0" |
| Power Apps - App activity from unauthorized geo | |
| Power Platform - Possibly compromised user accesses Power Platform services |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Unusual Volume of file deletion by users |
In solution Microsoft Entra ID:
| Analytic Rule | Selection Criteria |
|---|---|
| Anomalous sign-in location by user account and authenticating application | |
| Brute force attack against an Entra-authenticated Windows device | AppDisplayName == "Windows Sign In" |
| External guest invitation followed by Microsoft Entra ID PowerShell signin | |
| MFA Rejected by User | ResultType == "500121" |
| MFA Spamming followed by Successful login | AuthenticationRequirement == "multiFactorAuthentication" |
| Password spray attack against Microsoft Entra ID Seamless SSO | |
| Possible SignIn from Azure Backdoor | OperationName == "Add unverified domain" |
In solution MicrosoftPurviewInsiderRiskManagement: RiskState == "atRisk"
| Analytic Rule |
|---|
| Insider Risk_Risky User Access By Application |
In solution Multi Cloud Attack Coverage Essentials - Resource Abuse:
| Analytic Rule | Selection Criteria |
|---|---|
| Cross-Cloud Password Spray detection | |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | |
| High-Risk Cross-Cloud User Impersonation | AppDisplayName in "ADFS Trust,Azure Portal,Microsoft Azure PowerShell"RiskLevelAggregated == "high"RiskLevelDuringSignIn == "high" |
| Unauthorized user access across AWS and Azure |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Possible AiTM Phishing Attempt Against Microsoft Entra ID |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to SigninLogs | |
| TI map Email entity to SigninLogs |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to SigninLogs | |
| TI map Email entity to SigninLogs |
In solution Business Email Compromise - Financial Fraud:
| Hunting Query | Selection Criteria |
|---|---|
| Login attempts using Legacy Auth | |
| Microsoft Entra ID signins from new locations | |
| Risky Sign-in with new MFA method | OperationName == "Update user" |
| Successful Signin From Non-Compliant Device | ResultType == "0" |
| User Accounts - Unusual authentications occurring when countries do not conduct normal business operations. | |
| User Login IP Address Teleportation | AppDisplayName == "Office 365 Exchange Online"ConditionalAccessStatus == "success" |
In solution Cloud Identity Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Detect Disabled Account Sign-in Attempts by Account Name | ResultDescription == "User account is disabled. The account has been disabled by an administrator."ResultType == "50057" |
| Detect Disabled Account Sign-in Attempts by IP Address | ResultDescription == "User account is disabled. The account has been disabled by an administrator."ResultType == "50057" |
| Sign-ins From VPS Providers | ResultType == "0" |
| Sign-ins from Nord VPN Providers | ResultType == "0" |
| Suspicious Sign-ins to Privileged Account |
In solution Lastpass Enterprise Activity Monitoring:
| Hunting Query | Selection Criteria |
|---|---|
| Failed sign-ins into LastPass due to MFA. | |
| Login into LastPass from a previously unknown IP. |
In solution Microsoft 365:
| Hunting Query | Selection Criteria |
|---|---|
| SharePointFileOperation via devices with previously unseen user agents | |
| SharePointFileOperation via previously unseen IPs |
In solution Microsoft Business Applications:
| Hunting Query | Selection Criteria |
|---|---|
| Dataverse - Activity after failed logons | ResultType in "50125,50140,70043,70044" |
| Dataverse - Generic client app used to access production environments | ResourceIdentity == "00000007-0000-0000-c000-000000000000"ResultType == "0" |
| Dataverse - Identity management changes without MFA | AuthenticationRequirement == "singleFactorAuthentication"ResourceIdentity == "00000007-0000-0000-c000-000000000000"ResultType == "0" |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Unusual Volume of file deletion by users |
In solution MicrosoftPurviewInsiderRiskManagement:
| Hunting Query | Selection Criteria |
|---|---|
| Insider Risk_Sign In Risk Followed By Sensitive Data Access |
In solution SecurityThreatEssentialSolution: ResultType == "0"
| Hunting Query |
|---|
| Threat Essentials - Signins From VPS Providers |
| Threat Essentials - Signins from Nord VPN Providers |
In solution UEBA Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Anomalous Failed Logon | |
| Anomalous Sign-in by New or Dormant Account | RiskDetail != "none" |
In solution Windows Server DNS:
| Hunting Query | Selection Criteria |
|---|---|
| Solorigate Encoded Domain in URL |
In solution 1Password:
| Workbook | Selection Criteria |
|---|---|
| 1Password |
In solution Apache Log4j Vulnerability Detection:
| Workbook | Selection Criteria |
|---|---|
| Log4jPostCompromiseHunting |
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation |
In solution CybersecurityMaturityModelCertification(CMMC)2.0: AuthenticationRequirement == "multiFactorAuthentication"
| Workbook |
|---|
| CybersecurityMaturityModelCertification_CMMCV2 |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity |
In solution Global Secure Access:
| Workbook | Selection Criteria |
|---|---|
| GSANetworkTraffic |
In solution HIPAA Compliance: AuthenticationRequirement == "multiFactorAuthentication"
| Workbook |
|---|
| HIPAACompliance |
In solution Lastpass Enterprise Activity Monitoring:
| Workbook | Selection Criteria |
|---|---|
| LastPassWorkbook |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview |
In solution MaturityModelForEventLogManagementM2131: AppDisplayName in "Azure Active Directory PowerShell,Microsoft Azure CLI"AppDisplayName contains "ACOM"AppDisplayName contains "CLI"AppDisplayName contains "PowerShell"AppDisplayName contains "command"AppDisplayName contains "graph"
| Workbook |
|---|
| MaturityModelForEventLogManagement_M2131 |
In solution Microsoft Entra ID:
| Workbook | Selection Criteria |
|---|---|
| AzureActiveDirectorySignins | |
| ConditionalAccessSISM | OperationName in "Add conditional access policy,Add member to group,Add member to restricted management administrative unit,Delete conditional access policy,Remove member from group,Remove member from restricted management administrative unit,Update conditional access policy,Update group" |
In solution MicrosoftPurviewInsiderRiskManagement: AppDisplayName contains "Portal"
| Workbook |
|---|
| InsiderRiskManagement |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 |
In solution SOC Handbook: AppDisplayName == "Windows Sign In"
| Workbook |
|---|
| InvestigationInsights |
In solution SOX IT Compliance: OperationName has_any "Add directory role member,Add member to role,Add user,Create user,Role assignment,Update user"OperationName has_any "directory write,policy update,role assignment,role update"
| Workbook |
|---|
| SOXITCompliance |
In solution Teams: AppDisplayName startswith "Microsoft Teams"ResultDescription != "Other"ResultType == "0"ResultType !in "0,50140"
| Workbook |
|---|
| MicrosoftTeams |
In solution ThreatAnalysis&Response:
| Workbook | Selection Criteria |
|---|---|
| DynamicThreatModeling&Response |
In solution Windows Firewall: ResultType == "0"ResultType != "0"
| Workbook |
|---|
| WindowsFirewall |
In solution ZeroTrust(TIC3.0): AppDisplayName has_any "teams"
| Workbook |
|---|
| ZeroTrustTIC3 |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuthenticationSigninLogs | Authentication | Microsoft Entra ID |
This table collects data from the following Azure resource types:
microsoft.graph/tenantsReferences by type: 0 connectors, 32 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
ResultType == "0" |
- | 6 | - | - | 6 |
AuthenticationRequirement == "multiFactorAuthentication" |
- | 3 | - | - | 3 |
AppDisplayName == "Windows Sign In" |
- | 2 | - | - | 2 |
ResultDescription == "User account is disabled. The account has been disabled by an administrator."ResultType == "50057" |
- | 2 | - | - | 2 |
ResourceIdentity == "00000007-0000-0000-c000-000000000000" |
- | 1 | - | - | 1 |
NetworkLocationDetails !has "trustedNamedLocation"ResultType == "0" |
- | 1 | - | - | 1 |
ResultType == "500121" |
- | 1 | - | - | 1 |
OperationName == "Add unverified domain" |
- | 1 | - | - | 1 |
RiskState == "atRisk" |
- | 1 | - | - | 1 |
AppDisplayName in "ADFS Trust,Azure Portal,Microsoft Azure PowerShell"RiskLevelAggregated == "high"RiskLevelDuringSignIn == "high" |
- | 1 | - | - | 1 |
OperationName == "Update user" |
- | 1 | - | - | 1 |
AppDisplayName == "Office 365 Exchange Online"ConditionalAccessStatus == "success" |
- | 1 | - | - | 1 |
ResultType in "50125,50140,70043,70044" |
- | 1 | - | - | 1 |
ResourceIdentity == "00000007-0000-0000-c000-000000000000"ResultType == "0" |
- | 1 | - | - | 1 |
AuthenticationRequirement == "singleFactorAuthentication"ResourceIdentity == "00000007-0000-0000-c000-000000000000"ResultType == "0" |
- | 1 | - | - | 1 |
RiskDetail != "none" |
- | 1 | - | - | 1 |
AppDisplayName in "Azure Active Directory PowerShell,Microsoft Azure CLI"AppDisplayName contains "ACOM"AppDisplayName contains "CLI"AppDisplayName contains "PowerShell"AppDisplayName contains "command"AppDisplayName contains "graph" |
- | 1 | - | - | 1 |
OperationName in "Add conditional access policy,Add member to group,Add member to restricted management administrative unit,Delete conditional access policy,Remove member from group,Remove member from restricted management administrative unit,Update conditional access policy,Update group" |
- | 1 | - | - | 1 |
AppDisplayName contains "Portal" |
- | 1 | - | - | 1 |
OperationName has_any "Add directory role member,Add member to role,Add user,Create user,Role assignment,Update user"OperationName has_any "directory write,policy update,role assignment,role update" |
- | 1 | - | - | 1 |
AppDisplayName startswith "Microsoft Teams"ResultDescription != "Other"ResultType == "0"ResultType !in "0,50140" |
- | 1 | - | - | 1 |
ResultType == "0"ResultType != "0" |
- | 1 | - | - | 1 |
AppDisplayName has_any "teams" |
- | 1 | - | - | 1 |
| Total | 0 | 32 | 0 | 0 | 32 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
Windows Sign In |
- | 2 | - | - | 2 |
ADFS Trust |
- | 1 | - | - | 1 |
Azure Portal |
- | 1 | - | - | 1 |
Microsoft Azure PowerShell |
- | 1 | - | - | 1 |
Office 365 Exchange Online |
- | 1 | - | - | 1 |
Azure Active Directory PowerShell |
- | 1 | - | - | 1 |
Microsoft Azure CLI |
- | 1 | - | - | 1 |
contains ACOM |
- | 1 | - | - | 1 |
contains CLI |
- | 1 | - | - | 1 |
contains PowerShell |
- | 1 | - | - | 1 |
contains command |
- | 1 | - | - | 1 |
contains graph |
- | 1 | - | - | 1 |
contains Portal |
- | 1 | - | - | 1 |
startswith Microsoft Teams |
- | 1 | - | - | 1 |
has_any teams |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
multiFactorAuthentication |
- | 3 | - | - | 3 |
singleFactorAuthentication |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
success |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!has trustedNamedLocation |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
Add unverified domain |
- | 1 | - | - | 1 |
Update user |
- | 1 | - | - | 1 |
Add conditional access policy |
- | 1 | - | - | 1 |
Add member to group |
- | 1 | - | - | 1 |
Add member to restricted management administrative unit |
- | 1 | - | - | 1 |
Delete conditional access policy |
- | 1 | - | - | 1 |
Remove member from group |
- | 1 | - | - | 1 |
Remove member from restricted management administrative unit |
- | 1 | - | - | 1 |
Update conditional access policy |
- | 1 | - | - | 1 |
Update group |
- | 1 | - | - | 1 |
has_any Add directory role member |
- | 1 | - | - | 1 |
has_any Add member to role |
- | 1 | - | - | 1 |
has_any Add user |
- | 1 | - | - | 1 |
has_any Create user |
- | 1 | - | - | 1 |
has_any Role assignment |
- | 1 | - | - | 1 |
has_any Update user |
- | 1 | - | - | 1 |
has_any directory write |
- | 1 | - | - | 1 |
has_any policy update |
- | 1 | - | - | 1 |
has_any role assignment |
- | 1 | - | - | 1 |
has_any role update |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
00000007-0000-0000-c000-000000000000 |
- | 3 | - | - | 3 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
User account is disabled. The account has been disabled by an administrator. |
- | 2 | - | - | 2 |
!= Other |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
0 |
- | 11 | - | - | 11 |
50057 |
- | 2 | - | - | 2 |
!= 0 |
- | 2 | - | - | 2 |
500121 |
- | 1 | - | - | 1 |
50125 |
- | 1 | - | - | 1 |
50140 |
- | 1 | - | - | 1 |
70043 |
- | 1 | - | - | 1 |
70044 |
- | 1 | - | - | 1 |
!= 50140 |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!= none |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
high |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
high |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
atRisk |
- | 1 | - | - | 1 |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊