MicrosoftDocs
diff --git a/‎articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md‎
Lines changed: 5 additions & 35 deletions b/‎articles/active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md‎
Lines changed: 5 additions & 35 deletions
diff --git a/‎articles/active-directory/reports-monitoring/concept-all-sign-ins.md‎
Lines changed: 13 additions & 61 deletions b/‎articles/active-directory/reports-monitoring/concept-all-sign-ins.md‎
Lines changed: 13 additions & 61 deletions
@@ -2,24 +2,17 @@
 title: Azure Active Directory activity logs in Azure Monitor | Microsoft Docs
 description: Introduction to Azure Active Directory activity logs in Azure Monitor
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-editor: ''
-
-ms.assetid: 4b18127b-d1d0-4bdc-8f9c-6a4c991c5f75
 ms.service: active-directory
 ms.topic: conceptual
-ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/03/2022
+ms.author: sarahlipsey
 ms.reviewer: besiler
-
 ms.collection: M365-identity-device-management
 ---
-
 # Azure AD activity logs in Azure Monitor
 
 You can route Azure Active Directory (Azure AD) activity logs to several endpoints for long term retention and data insights. This feature allows you to:
@@ -31,25 +24,21 @@ You can route Azure Active Directory (Azure AD) activity logs to several endpoin
 
 > [!VIDEO https://www.youtube.com/embed/syT-9KNfug8]
 
-[!INCLUDE [azure-monitor-log-analytics-rebrand](../../../includes/azure-monitor-log-analytics-rebrand.md)]
-
 ## Supported reports
 
 You can route Azure AD audit logs and sign-in logs to your Azure Storage account, event hub, Azure Monitor logs, or custom solution by using this feature.
 
 * **Audit logs**: The [audit logs activity report](concept-audit-logs.md) gives you access to information about changes applied to your tenant, such as users and group management, or updates applied to your tenant’s resources.
 * **Sign-in logs**: With the [sign-in activity report](concept-sign-ins.md), you can determine who performed the tasks that are reported in the audit logs.
 
-
-
 ## Prerequisites
 
 To use this feature, you need:
 
 * An Azure subscription. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/).
 * Azure AD Free, Basic, Premium 1, or Premium 2 [license](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing), to access the Azure AD audit logs in the Azure portal. 
 * An Azure AD tenant.
-* A user who's a **global administrator** or **security administrator** for the Azure AD tenant.
+* A user who's a **Global Administrator** or **Security Administrator** for the Azure AD tenant.
 * Azure AD Premium 1, or Premium 2 [license](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing), to access the Azure AD sign-in logs in the Azure portal. 
 
 Depending on where you want to route the audit log data, you need either of the following:
@@ -78,14 +67,6 @@ The following table contains a cost estimate of, depending on the size of the te
 | Sign-ins | 100,000 | 15&nbsp;million | 1.7 TB | $35.41 | $424.92 |
 
 
-
-
-
-
-
-
-
-
 ### Event Hub messages for activity logs
 
 Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. A message in the Event Hub has a maximum size of 256 KB, and if the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent. 
@@ -103,23 +84,12 @@ The following table contains estimated costs per month for a basic Event Hub in
 
 ### Azure Monitor logs cost considerations
 
-
-
 | Log category | Number of users | Events per day | Events per month (30 days) | Cost per month in USD (est.) |
 |:-|--|--|--|-:|
 | Audit and Sign-ins | 100,000 | 16,500,000 | 495,000,000 | $1093.00 |
 | Audit | 100,000 | 1,500,000 | 45,000,000 | $246.66 |
 | Sign-ins | 100,000 | 15,000,000 | 450,000,000 | $847.28 |
 
-
-
-
-
-
-
-
-
-
 To review costs related to managing the Azure Monitor logs, see [Azure Monitor Logs pricing details](../../azure-monitor/logs/cost-logs.md).
 
 ## Frequently asked questions
@@ -174,7 +144,7 @@ This section answers frequently asked questions and discusses known issues with
 
 **Q: What SIEM tools are currently supported?** 
 
-**A**: **A**: Currently, Azure Monitor is supported by [Splunk](./howto-integrate-activity-logs-with-splunk.md), IBM QRadar, [Sumo Logic](https://help.sumologic.com/Send-Data/Applications-and-Other-Data-Sources/Azure_Active_Directory), [ArcSight](./howto-integrate-activity-logs-with-arcsight.md), LogRhythm, and Logz.io. For more information about how the connectors work, see [Stream Azure monitoring data to an event hub for consumption by an external tool](../../azure-monitor/essentials/stream-monitoring-data-event-hubs.md).
+**A**: Currently, Azure Monitor is supported by [Splunk](./howto-integrate-activity-logs-with-splunk.md), IBM QRadar, [Sumo Logic](https://help.sumologic.com/Send-Data/Applications-and-Other-Data-Sources/Azure_Active_Directory), [ArcSight](./howto-integrate-activity-logs-with-arcsight.md), LogRhythm, and Logz.io. For more information about how the connectors work, see [Stream Azure monitoring data to an event hub for consumption by an external tool](../../azure-monitor/essentials/stream-monitoring-data-event-hubs.md).
 
 ---
 
 
@@ -2,35 +2,28 @@
 title: Sign-in logs in Azure Active Directory - preview | Microsoft Docs
 description: Overview of the sign-in logs in Azure Active Directory including new features in preview. 
 services: active-directory
-documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
-editor: ''
-
-ms.assetid: 4b18127b-d1d0-4bdc-8f9c-6a4c991c5f75
 ms.service: active-directory
 ms.topic: conceptual
-ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 10/03/2022
+ms.author: sarahlipsey
 ms.reviewer: besiler
-
 ms.collection: M365-identity-device-management
 ---
 # Sign-in logs in Azure Active Directory - preview
 
 As an IT administrator, you want to know how your IT environment is doing. The information about your system’s health enables you to assess whether and how you need to respond to potential issues. 
 
-To support you with this goal, the Azure Active Directory portal gives you access to three activity logs:
+To support you with this goal, the Azure Active Directory (Azure AD) portal gives you access to three activity logs:
 
 - **[Sign-in](concept-sign-ins.md)** – Information about sign-ins and how your resources are used by your users.
-- **[Audit](concept-audit-logs.md)** – Information about changes applied to your tenant such as users and group management or updates applied to your tenant’s resources.
-- **[Provisioning](concept-provisioning-logs.md)** – Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
-
+- **[Audit](concept-audit-logs.md)** – Information about changes applied to your tenant, such as users and group management or updates applied to your tenant’s resources.
+- **[Provisioning](concept-provisioning-logs.md)** – Activities performed by a provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
 
-The classic sign-in log in Azure Active Directory provides you with an overview of interactive user sign-ins. In addition, you now have access to three additional sign-in logs that are now in preview:
+The classic sign-in log in Azure AD provides you with an overview of interactive user sign-ins. Three additional sign-in logs are now in preview:
 
 - Non-interactive user sign-ins
 
@@ -40,8 +33,6 @@ The classic sign-in log in Azure Active Directory provides you with an overview
 
 This article gives you an overview of the sign-in activity report with the preview of non-interactive, application, and managed identities for Azure resources sign-ins. For information about the sign-in report without the preview features, see  [Sign-in logs in Azure Active Directory](concept-sign-ins.md).
 
-
-
 ## What can you do with it?
 
 The sign-in log provides answers to questions like:
@@ -65,16 +56,13 @@ The sign-in log provides answers to questions like:
 
 The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you also can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade.
 
-
-
-
 ## Where can you find it in the Azure portal?
 
 The Azure portal provides you with several options to access the log. For example, on the Azure Active Directory menu, you can open the log in the **Monitoring** section.  
 
-![Open sign-in logs](./media/concept-sign-ins/sign-ins-logs-menu.png)
+![Screenshot of the sign-in logs menu option.](./media/concept-sign-ins/sign-ins-logs-menu.png)
 
-Additionally, you can get directly get to the sign-in log using this link: [https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns)
+Additionally, you can access the sign-in log using this link: [https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns)
 
 On the sign-ins page, you can switch between:
 
@@ -87,9 +75,7 @@ On the sign-ins page, you can switch between:
 - **Managed identities for Azure resources sign-ins** - Sign-ins by Azure resources that have secrets managed by Azure. For more information, see [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md) 
 
 
-![Sign-in log types](./media/concept-all-sign-ins/sign-ins-report-types.png)
-
-
+![Screenshot of the sign-in log types.](./media/concept-all-sign-ins/sign-ins-report-types.png)
 
 Each tab on the sign-ins page shows the default columns below. Some tabs have additional columns:
 
@@ -105,18 +91,13 @@ Each tab on the sign-ins page shows the default columns below. Some tabs have ad
 
 - IP address of the device used for the sign-in
 
-
-
 ### Interactive user sign-ins
 
-
 Interactive user sign-ins are sign-ins where a user provides an authentication factor to Azure AD or interacts directly with Azure AD or a helper app, such as the Microsoft Authenticator app. The factors users provide include passwords, responses to MFA challenges, biometric factors, or QR codes that a user provides to Azure AD or to a helper app.
 
 > [!NOTE]
 > This log also includes federated sign-ins from identity providers that are federated to Azure AD.  
 
-
-
 > [!NOTE] 
 > The interactive user sign-in log used to contain some non-interactive sign-ins from Microsoft Exchange clients. Although those sign-ins were non-interactive, they were included in the interactive user sign-in log for additional visibility. Once the non-interactive user sign-in log entered public preview in November 2020, those non-interactive sign-in logs were moved to the non-interactive user sign in log for increased accuracy. 
 
@@ -139,24 +120,13 @@ In addition to the default fields, the interactive sign-in log also shows:
 
 - Whether conditional access has been applied
 
-
-
 You can customize the list view by clicking **Columns** in the toolbar.
 
-![Interactive user sign-in columns](./media/concept-all-sign-ins/columns-interactive.png "Interactive user sign-in columns")
-
-
-
-
+![Screenshot of the interactive user sign-in columns that can be customized.](./media/concept-all-sign-ins/columns-interactive.png "Interactive user sign-in columns")
 
 Customizing the view enables you to display additional fields or remove fields that are already displayed.
 
-![All interactive columns](./media/concept-all-sign-ins/all-interactive-columns.png)
-
-
-
-
-
+![Screenshot of all interactive columns.](./media/concept-all-sign-ins/all-interactive-columns.png)
 
 ### Non-interactive user sign-ins
 
@@ -174,26 +144,18 @@ Non-interactive user sign-ins are sign-ins that were performed by a client app o
 
 - A user signs in to a second Microsoft Office app while they have a session on a mobile device using FOCI (Family of Client IDs).
 
-
-
-
 In addition to the default fields, the non-interactive sign-in log also shows: 
 
 - Resource ID
 
 - Number of grouped sign-ins
 
-
-
-
 You can't customize the fields shown in this report.
 
-
-![Disabled columns](./media/concept-all-sign-ins/disabled-columns.png "Disabled columns")
+![Screenshot of the disabled columns option.](./media/concept-all-sign-ins/disabled-columns.png "Disabled columns")
 
 To make it easier to digest the data, non-interactive sign-in events are grouped. Clients often create many non-interactive sign-ins on behalf of the same user in a short time period, which share all the same characteristics except for the time the sign-in was attempted. For example, a client may get an access token once per hour on behalf of a user. If the user or client do not change state, the IP address, resource, and all other information is the same for each access token request. When Azure AD logs multiple sign-ins that are identical other than time and date, those sign-ins will be from the same entity are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) will have a value greater than 1 in the # sign-ins column. You can expand the row to see all the different sign-ins and their different time stamps. Sign-ins are aggregated in the non-interactive users when the following data matches:
 
-
 - Application
 
 - User
@@ -204,14 +166,8 @@ To make it easier to digest the data, non-interactive sign-in events are grouped
 
 - Resource ID
 
-
-
-
-
 The IP address of non-interactive sign-ins doesn't match the actual source IP of where the refresh token request is coming from. Instead, it shows the original IP used for the original token issuance.
 
-
-
 ## Service principal sign-ins
 
 Unlike interactive and non-interactive user sign-ins, service principal sign-ins do not involve a user. Instead, they are sign-ins by any non-user account, such as apps or service principals (except managed identity sign-in, which are in included only in the managed identity sign-in log). In these sign-ins, the app or service provides its own credential, such as a certificate or app secret to authenticate or access resources.
@@ -257,10 +213,6 @@ To make it easier to digest the data in the service principal sign-in logs, serv
 
 - Resource name or ID
 
-
-
-
-
 ## Managed identity for Azure resources sign-ins 
 
 Managed identity for Azure resources sign-ins are sign-ins that were performed by resources that have their secrets managed by Azure to simplify credential management.