Using the Cloud Activity Dashboard

This article discusses how to use the Cloud Activity Dashboard for visibility into Entra ID sign-in activity and insights that help you manage and secure your organization's SaaS apps.

Overview of the Cloud Activity Dashboard

The Cloud Activity Dashboard shows data about user activity for your organization's sanctioned SaaS apps to help you manage and secure your cloud app ecosystem. The page contains a number of widgets that provide visibility for SSO sign-in events in your organization's Microsoft Entra ID tenant. You can also drill-down to analyze relevant events in the Events page. The widgets include data such as:

  • Total number of sign-ins and failed sign-ins for each app

  • Failed sign-ins with a breakdown by country

  • Users with the most failed sign-ins

  • Breakdowns of sign-ins according to OS and browser

Example Use Cases

These are examples of insights you can gain from the Cloud Activity Dashboard widgets:

  • Identify apps that have very low sign-ins and may not require maintaining a license

  • Detect potential bad actors that may be trying to access apps without authorization

  • Assess app usage in different locations

Understanding the Sign-In Types

The Cloud Activity Dashboard includes information for different types of sign-in events. You can filter the dashboard to focus on specific sign-in types. By default, the dashboard includes a filter to show only Interactive User sign-ins. For more about configuring filters, see below.

These are the different sign-in types:

  • Interactive User - User-initiated sign-ins, including authentication with passwords, MFA, and biometrics

  • Service Principal - Sign-ins by non-user entities such as apps and services using their own credentials, for example a certificate or app secret

  • Managed Identity - Background sign-ins not involving user interaction, performed by resources whose secrets are managed by Azure

For more about Microsoft Entra sign-in types, see the Microsoft documentation.

Prerequisites

Getting Started with the Cloud Activity Dashboard

The Cloud Activity Dashboard contains a number of widgets that present an overview of sign-in activity for your organization's sanctioned SaaS apps.

Cloud_Activity_Dashboard.png

To show the Cloud Activity Dashboard:

  • From the navigation menu, click Monitoring > Cloud Activities.

Configuring Filters to Analyze Cloud Activity Data

You can filter the Cloud Activity Dashboard according to a specific time frame, and create filters to focus on more specific data. When you manually create a filter or add an item to update the filter, the sign-in data on the Cloud Activity Dashboard is automatically updated.

There are two ways to filter the data in the Cloud Activity Dashboard and show the items that are most relevant: automatically update the filter with the selected item, or manually configure the filter.

Automatically Filtering for an Item

As you hover over an item or field where a filter option is available, the TD_Filter.png button appears. Click the icon to show the filter options:

  • Add to Filter - Adds the item to the filter, and the Cloud Activity Dashboard now only shows data that includes this item. For example, if you filter for a specific app, the screen only shows activity data related to that app. No other cloud activity data is available until you change or clear the filter.

  • Exclude from Filter - Updates the filter to exclude this item, and the Cloud Activity Dashboard now only shows data that does NOT include this item.

  • View Events - Adds this item to the filter, and the Events page opens and shows all the events that match the filter.

You can continue to add items to the filter, click TD_Filter.png again to update the filter and drill-down further.

Selecting the Time Range

The default time range for the cloud activity data is the previous two days. You can select a different time range for the Cloud Activity Dashboard to show a longer or shorter time period. For more information, see Setting the Time Range Filter.

The maximum date range for the Cloud Activity Dashboard is 90 days.

Manually Configuring the Filter

You can manually configure the filter for greater granularity to analyze the cloud activity. After you configure the filter, it is added to the filter bar and the screen is automatically updated to show the activity data that matches the new filter.

Cloud_Activity_Dashboard_filter.png

To manually configure a filter:

  1. In the filter bar, click Add2.png.

  2. Start typing or select the Field.

  3. Select the Operator, which determines the relationship between the Field and the Value you are searching for.

  4. Select the Value.

  5. Click Add Filter. The filter is added to the filter bar and the Cloud Activity Dashboard is updated to show results based on the filters.

Clearing the Filter

You can remove each item in the filter separately, or clear the entire filter.

Cloud_Activity_Dashboard_remove_filter.png

To clear the filters for the Cloud Activity Dashboard:

  1. To clear a single filter, click remove.png next to the filter (item 1 above).

  2. To clear all the filters, click X at the right end of the filter bar (item 2 above).

Working with Cloud Activity Dashboard Widgets

This section explains the widgets that are available in the Cloud Activities Dashboard. The data in the dashboard is based on the configured time range.

These are the widgets:

  • Sanctioned Apps Sign-In Activity - Shows SSO sign-in information for all of your organization's sanctioned SaaS apps that use SSO. You can click in the row of an app to show the Events page pre-filtered for sign-in events for the app.

    These are the widget columns:

    • # Sign-in - Total number of sign-ins for the app, including successful and failed sign-ins

    • # Failed Sign-in - Number of failed sign-in attempts for the app

    • # Tenants - Number of Entra ID tenants associated with the sign-ins to this app. This number can include tenants external to your organization if a sign-in was performed from a source outside your organization.

      • Hover the mouse over the number of tenants and then hover over the tooltip to show the tenant IDs as they appear in sign-in events for the app.

        You can use the tenant ID to filter the Events page to show events for that tenant. If a sign-in was performed from a source outside your organization, you can use the tenant ID to view details about the external source in the associated event

    Click in the row of an app to show the Events page pre-filtered for sign-in events for the app

  • Sign-in Activities by Countries - Shows the following information for sign-ins from each country:

    • # Sign-in - Total number of sign-ins for the country, including successful and failed sign-ins

    • # Failed Sign-in - Number of failed sign-in attempts for the country

  • Top Users With Failed Sign-in - A list of users with the most failed sign-ins for a single app, with the name of the app and number of failed sign-ins

    • Click in the row of a user to show the Events page pre-filtered for failed sign-in events for that user and app

  • Sign-in Activity Over Time - Graphs the total and failed sign-ins on a timeline

    • Hover the mouse on the graph to show the sign-in details for a point on the timeline

    • Click a toggle button to show or hide a graph

    • Click and drag to zoom-in on:

      • Time of sign-ins

      • Number of sign-ins

  • Anomalies - Anomalous sign-ins in your Entra ID tenant that may indicate malicious activity. Anomaly types include: Atypical travel, Anomalous token, Suspicious browser, Unfamiliar sign-in properties, Malicious IP address, Suspicious inbox manipulation rules, Password spray, Impossible travel, New country, Activity from anonymous IP address, Suspicious inbox forwarding, Mass access to sensitive files, Verified threat actor IP, Additional risk detected, Anonymous IP address, Admin confirmed user compromised, Microsoft Entra threat intelligence.

    For more information about anomalous Entra ID sign-ins, see the Microsoft documentation.

  • Sign-in Break Down by OSs - Shows number of app sign-ins performed on each operating system

    • Hover the mouse over a chart section to show the number of sign-ins for that operating system and its percentage of total sign-ins

  • Sign-in Break Down by Browser - Shows number of app sign-ins performed on each browser

    • Hover the mouse over a chart section to show the number of sign-ins for that browser and its percentage of total sign-ins

Was this article helpful?

0 comments

Add your comment