Microsoft Entra Who Accessed What And When
The alert hit like a hammer: someone accessed critical resources. You need to know who, what, and when—fast. Microsoft Entra makes that possible with precision.
Microsoft Entra Who Accessed What And When is not just a log. It’s a clear record of identities, actions, and timestamps across your cloud and on‑prem environments. Every sign‑in, every token, every API call is tracked. Every event is tied to the exact user identity—local or federated—and the service, file, or database they touched. This is core for audit trails, compliance checks, and breach forensics.
With Entra, you can pull this data directly from Audit Logs and Sign‑in Logs. The audit logs answer “what and when”: modifications, creations, deletions, role assignments. The sign‑in logs answer “who accessed”: successful logins, MFA usage, conditional access evaluations. Combine them, and you see the full chain—identity, resource, timestamp, IP address, device info, and policy outcome.
Filtering is immediate. Search by user principal name, resource type, or activity ID. Export to CSV or stream to Microsoft Sentinel for continuous monitoring. Use Graph API queries to automate real‑time alerts: when a privileged role is used, when sensitive SharePoint libraries are accessed, or when sign‑ins occur from unfamiliar networks.
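The correlation described above, sketched as an added example (not hoop.dev or Microsoft code): it builds the two Graph `auditLogs` requests for one user, then joins audit events to the most recent successful sign-in by the same user. Token acquisition and the HTTP call are omitted, the sample records are constructed, and the one-hour matching window is an assumption to tune against your token lifetimes.

```python
from datetime import datetime, timedelta
from urllib.parse import quote
GRAPH = "https://graph.microsoft.com/v1.0/auditLogs"  # reading needs AuditLog.Read.All

def build_queries(upn, since_iso):
    """URLs for one user's sign-ins and directory audits since since_iso (UTC)."""
    u = upn.replace("'", "''")  # OData string literals escape ' by doubling it
    si = f"userPrincipalName eq '{u}' and createdDateTime ge {since_iso}"
    da = f"initiatedBy/user/userPrincipalName eq '{u}' and activityDateTime ge {since_iso}"
    return (f"{GRAPH}/signIns?$filter={quote(si)}",
            f"{GRAPH}/directoryAudits?$filter={quote(da)}")

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def timeline(sign_ins, audits, window=timedelta(hours=1)):
    """Pair each audit event with the latest successful sign-in in `window` before it."""
    rows = []
    for a in sorted(audits, key=lambda a: ts(a["activityDateTime"])):
        who = (a["initiatedBy"].get("user") or {}).get("userPrincipalName") or ""
        when = ts(a["activityDateTime"])
        prior = [s for s in sign_ins
                 if s["userPrincipalName"].lower() == who.lower()
                 and s["status"]["errorCode"] == 0  # 0 = successful sign-in
                 and timedelta(0) <= when - ts(s["createdDateTime"]) <= window]
        s = max(prior, key=lambda s: ts(s["createdDateTime"]), default=None)
        rows.append({"who": who or "(app or system)", "when": a["activityDateTime"],
                     "what": a["activityDisplayName"],
                     "target": [t.get("displayName") for t in a["targetResources"]],
                     "ip": s["ipAddress"] if s else None,
                     "conditionalAccess": s["conditionalAccessStatus"] if s else None,
                     "unmatched": s is None})  # no recent sign-in found: review manually
    return rows

# Constructed sample records using Graph signIn / directoryAudit field names.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:58:00Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:40:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
]
AUDITS = [
    {"activityDateTime": "2024-05-01T10:02:11Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}, "targetResources": [{"displayName": "Global Administrator"}]},
    {"activityDateTime": "2024-05-01T10:05:00Z", "activityDisplayName": "Delete user",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}, "targetResources": [{"displayName": "carol"}]},
]
if __name__ == "__main__":
    for r in timeline(SIGN_INS, AUDITS): print(r)
```

Rows marked `unmatched` are audit events with no successful sign-in by that identity inside the window; they deserve a wider search rather than being treated as benign.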
Retention is configurable. Keep 30 days by default, or push to long‑term storage for compliance. Pair Entra’s detailed event data with SIEM correlation rules to catch anomalies before they escalate. The goal is stark clarity: no opaque logs, no missing records, no blind spots.
Security demands knowing the exact story. Entra tells it—who accessed, what they did, when they did it.
See it live with hoop.dev. Connect in minutes, pull your Microsoft Entra events, and make “Who Accessed What And When” more than a question—make it a dashboard.