Microsoft Graph · Schema
SignIn
Azure ADCollaborationContactsDocumentsEmailGraphIdentityMicrosoftOffice 365PresentationsProductivitySpreadsheetsT1Tasks
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/SignIn",
"title": "SignIn",
"allOf": [
{
"$ref": "#/components/schemas/Entity"
},
{
"title": "signIn",
"required": [
"@odata.type"
],
"type": "object",
"properties": {
"appDisplayName": {
"type": "string",
"description": "App name displayed in the Microsoft Entra admin center. Supports $filter (eq, startsWith).",
"nullable": true
},
"appId": {
"type": "string",
"description": "Unique GUID that represents the app ID in the Microsoft Entra ID. Supports $filter (eq).",
"nullable": true
},
"appliedConditionalAccessPolicies": {
"type": "array",
"items": {
"$ref": "#/components/schemas/AppliedConditionalAccessPolicy"
},
"description": "Provides a list of conditional access policies that the corresponding sign-in activity triggers. Apps need more Conditional Access-related privileges to read the details of this property. For more information, see Permissions for viewing applied conditional access (CA) policies in sign-ins."
},
"clientAppUsed": {
"type": "string",
"description": "Identifies the client used for the sign-in activity. Modern authentication clients include Browser, modern clients. Legacy authentication clients include Exchange ActiveSync, IMAP, MAPI, SMTP, POP, and other clients. Supports $filter (eq).",
"nullable": true
},
"conditionalAccessStatus": {
"anyOf": [
{
"$ref": "#/components/schemas/ConditionalAccessStatus"
},
{
"type": "object",
"nullable": true
}
],
"description": "Reports status of an activated conditional access policy. The possible values are: success, failure, notApplied, and unknownFutureValue. Supports $filter (eq)."
},
"correlationId": {
"type": "string",
"description": "The request ID sent from the client when the sign-in is initiated. Used to troubleshoot sign-in activity. Supports $filter (eq).",
"nullable": true
},
"createdDateTime": {
"pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$",
"type": "string",
"description": "Date and time (UTC) the sign-in was initiated. Example: midnight on Jan 1, 2014 is reported as 2014-01-01T00:00:00Z. Supports $orderby, $filter (eq, le, and ge).",
"format": "date-time"
},
"deviceDetail": {
"anyOf": [
{
"$ref": "#/components/schemas/DeviceDetail"
},
{
"type": "object",
"nullable": true
}
],
"description": "Device information from where the sign-in occurred; includes device ID, operating system, and browser. Supports $filter (eq, startsWith) on browser and operatingSytem properties."
},
"ipAddress": {
"type": "string",
"description": "IP address of the client used to sign in. Supports $filter (eq, startsWith).",
"nullable": true
},
"isInteractive": {
"type": "boolean",
"description": "Indicates whether a sign-in is interactive.",
"nullable": true
},
"location": {
"anyOf": [
{
"$ref": "#/components/schemas/SignInLocation"
},
{
"type": "object",
"nullable": true
}
],
"description": "Provides the city, state, and country code where the sign-in originated. Supports $filter (eq, startsWith) on city, state, and countryOrRegion properties."
},
"resourceDisplayName": {
"type": "string",
"description": "Name of the resource the user signed into. Supports $filter (eq).",
"nullable": true
},
"resourceId": {
"type": "string",
"description": "ID of the resource that the user signed into. Supports $filter (eq).",
"nullable": true
},
"riskDetail": {
"anyOf": [
{
"$ref": "#/components/schemas/RiskDetail"
},
{
"type": "object",
"nullable": true
}
],
"description": "The reason behind a specific state of a risky user, sign-in, or a risk event. The value none means that Microsoft Entra risk detection did not flag the user or the sign-in as a risky event so far. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden."
},
"riskEventTypes": {
"type": "array",
"items": {
"anyOf": [
{
"$ref": "#/components/schemas/RiskEventType"
},
{
"type": "object",
"nullable": true
}
]
}
},
"riskEventTypes_v2": {
"type": "array",
"items": {
"type": "string",
"nullable": true
},
"description": "The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue. Supports $filter (eq, startsWith)."
},
"riskLevelAggregated": {
"anyOf": [
{
"$ref": "#/components/schemas/RiskLevel"
},
{
"type": "object",
"nullable": true
}
],
"description": "Aggregated risk level. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden."
},
"riskLevelDuringSignIn": {
"anyOf": [
{
"$ref": "#/components/schemas/RiskLevel"
},
{
"type": "object",
"nullable": true
}
],
"description": "Risk level during sign-in. The possible values are: none, low, medium, high, hidden, and unknownFutureValue. The value hidden means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. Supports $filter (eq). Note: Details for this property are only available for Microsoft Entra ID P2 customers. All other customers are returned hidden."
},
"riskState": {
"anyOf": [
{
"$ref": "#/components/schemas/RiskState"
},
{
"type": "object",
"nullable": true
}
],
"description": "Reports status of the risky user, sign-in, or a risk event. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. Supports $filter (eq)."
},
"status": {
"anyOf": [
{
"$ref": "#/components/schemas/SignInStatus"
},
{
"type": "object",
"nullable": true
}
],
"description": "Sign-in status. Includes the error code and description of the error (if a sign-in failure occurs). Supports $filter (eq) on errorCode property."
},
"userDisplayName": {
"type": "string",
"description": "Display name of the user that initiated the sign-in. Supports $filter (eq, startsWith).",
"nullable": true
},
"userId": {
"type": "string",
"description": "ID of the user that initiated the sign-in. Supports $filter (eq)."
},
"userPrincipalName": {
"type": "string",
"description": "User principal name of the user that initiated the sign-in. This value is always in lowercase. For guest users whose values in the user object typically contain #EXT# before the domain part, this property stores the value in both lowercase and the 'true' format. For example, while the user object stores AdeleVance_fabrikam.com#EXT#@contoso.com, the sign-in logs store [email protected]. Supports $filter (eq, startsWith).",
"nullable": true
},
"@odata.type": {
"type": "string"
}
}
}
],
"x-ms-discriminator-value": "#microsoft.graph.signIn"
}