
How to Review Sign-In Logs in Microsoft Entra
- Sam Williams
- Mar 29

If someone's trying to break into your Microsoft 365 environment, the sign-in logs are where you'll see it. Failed logins from foreign countries, successful logins at 3am, sign-ins from unrecognised devices — it's all there.
Here's how to check and what to look for.
Where to find sign-in logs
Go to entra.microsoft.com → Monitoring & health → Sign-in logs.
You'll see a list of every sign-in attempt — successful and failed. Each entry shows who, when, where (IP and location), what app, what device, and whether it succeeded or was blocked.
You can filter by date, user, status (success/failure), location, and more.
What to look for
Failed sign-ins from unusual locations. A few failures from your own country are normal (typos). Hundreds of failures from multiple countries is a brute-force attack.
Successful sign-ins from unexpected countries. If nobody in your team is in Nigeria and you see a successful sign-in from there, that's a compromised account.
Sign-ins using legacy authentication protocols. These bypass MFA and are a common attack vector. Filter by Client app → look for 'Other clients' or legacy protocols like POP3, IMAP, SMTP.
Risky sign-ins. If you're on a plan with Entra ID Protection, you'll see risk flags — impossible travel (Sydney then London within an hour), anonymous IP addresses, leaked credentials.
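The four checks above can also be run over an exported batch of sign-in records. This is an added example, not part of the original post: it assumes records that use Microsoft Graph signIn field names, an expected-country set and failure threshold that you choose, and constructed sample data.

```python
from collections import defaultdict

# Client-app markers from the article's filter advice; exact portal strings vary.
LEGACY_MARKERS = ("other clients", "pop", "imap", "smtp")

def triage(signins, expected_countries, failure_threshold=10):
    """Apply the article's four checks to sign-in records (Graph signIn field names)."""
    found = {"foreign_success": [], "legacy_auth": [], "risky": [], "failure_burst": []}
    failures = defaultdict(lambda: {"count": 0, "countries": set()})
    for s in signins:
        user = s["userPrincipalName"]
        country = (s.get("location") or {}).get("countryOrRegion") or "unknown"
        ok = (s.get("status") or {}).get("errorCode") == 0  # 0 means success
        client = s.get("clientAppUsed") or ""
        if ok and country not in expected_countries:
            found["foreign_success"].append((user, country, s.get("ipAddress")))
        if any(m in client.lower() for m in LEGACY_MARKERS):
            found["legacy_auth"].append((user, client, ok))
        if s.get("riskLevelDuringSignIn") in ("medium", "high"):
            found["risky"].append((user, s["riskLevelDuringSignIn"]))
        if not ok:
            failures[user]["count"] += 1
            failures[user]["countries"].add(country)
    # Many failures spread over several countries, per user (threshold is an assumption).
    for user, f in failures.items():
        if f["count"] >= failure_threshold and len(f["countries"]) > 1:
            found["failure_burst"].append((user, f["count"], sorted(f["countries"])))
    return found

def rec(user, country, code, client="Browser", risk="none", ip="203.0.113.10"):
    """Build one constructed sample record."""
    return {"userPrincipalName": user, "ipAddress": ip, "clientAppUsed": client,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code},
            "riskLevelDuringSignIn": risk}

# Constructed sample data: documentation IPs and example.com users only.
SAMPLE = (
    [rec("amy@example.com", "AU", 0), rec("amy@example.com", "AU", 50126)]
    + [rec("bob@example.com", c, 50126, ip="198.51.100.7")
       for c in ("RU", "BR", "VN") for _ in range(4)]
    + [rec("bob@example.com", "NG", 0, risk="high", ip="198.51.100.9")]
    + [rec("cat@example.com", "AU", 0, client="IMAP4")]
)

if __name__ == "__main__":
    for check, hits in triage(SAMPLE, expected_countries={"AU"}).items():
        print(check, hits)
```

Records with no location are reported under the country "unknown", so a successful sign-in that lacks location data is still surfaced for review.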
Setting up alerts
Don't rely on manually checking logs. Set up alerts for suspicious activity.
In the Microsoft 365 Defender portal, go to Policies → Alert policy. Create alerts for: sign-in from risky IP, admin account sign-in, and creation of mail forwarding rules.
These will email you when something suspicious happens so you can respond quickly.
How long logs are kept
Sign-in logs are retained for 30 days on most plans. If you need longer retention, you can export them to Azure Monitor, a SIEM tool, or a storage account.
For compliance purposes, most Australian regulations that involve audit trails expect at least 12 months of log retention. Plan for this.
We review sign-in logs as part of our ongoing managed security service. If you want regular reporting on who's accessing your environment and from where, talk to us.

