Quickstart: Analyze a sign-in with the Microsoft Graph API

In this Quickstart, you'll use the information in the Microsoft Entra sign-in logs to figure out what happened if a sign-in of a user failed. This quickstart shows you how to access the sign-in log using the Microsoft Graph API.

Prerequisites

To complete the scenario in this quickstart, you need:

Perform a failed sign-in

Tip

Steps in this article might vary slightly based on the portal you start from.

The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-in log.

  1. Sign in to the Microsoft Entra admin center as Isabella Simonsen using an incorrect password.

  2. Wait for 5 minutes to ensure that you can find a record of the sign-in entry in the logs.

Find the failed sign-in

This section provides the steps to locate the failed sign-in attempt using the Microsoft Graph API.

  1. Sign in to Microsoft Graph Explorer as a user with permissions to run a query.

  2. Select Modify permissions to ensure you have the correct permissions.

  3. Select GET as the HTTP method from the dropdown.

  4. Set the API version to beta.

  5. Enter the following query and select Run query: https://graph.microsoft.com/beta/auditLogs/signIns?$top=10&$filter=userDisplayName eq 'Isabella Simonsen'

  6. Review the query response and locate the status section of the response.

Screenshot of the query response with the error status section highlighted.

Clean up resources

When no longer needed, delete the test user. If you don't know how to delete a Microsoft Entra user, see Delete users from Microsoft Entra ID.

Next steps