The one report to check weekly.
If you only check one security report, make it the Microsoft 365 sign-in log. Five minutes a week catches compromises before they cost you.
If you only do one security thing for your small business on a regular cadence, make it checking the Microsoft 365 sign-in report. It takes five minutes a week, and it catches almost every form of account takeover before it becomes a real incident.
Why this report is so useful
Every login to M365 — yours, your staff's, service accounts, apps — shows up in this log. Location, device, app, success or failure. A trained eye can scan it in minutes and immediately spot anomalies: a login from a country no one travels to, a user logging in at 3 AM from two places at once, a service account suddenly used from a new location.
What we look for
“A small law firm's sign-in report showed a login to a partner's account from Vietnam at 2 AM, immediately after the partner had logged in from New Jersey.”
Red flag: Impossible travel. Attackers had the password plus an MFA bypass. Caught the day after — contained before data was exfiltrated.
“A bookkeeper account showed a successful login from an unfamiliar IP with a "legacy auth" client.”
Red flag: Legacy auth bypasses MFA. Credentials had leaked. We disabled legacy auth tenant-wide and reset her password that morning.
The five-minute weekly habit
- Open the Microsoft Entra ID (admin center) Sign-in logs every Monday.
- Filter for failed logins — bursts of failures on one account signal brute force attempts.
- Look for foreign or unusual locations, especially on executives and finance staff.
- Look for impossible travel — same user, two distant locations, short time gap.
- Investigate anything weird by calling the user. Reset credentials and MFA if needed.
We can set up alerts.
We configure M365 to email you (or us) automatically when risky sign-ins happen — so you don't have to remember to check.
- 1Block five minutes every Monday for a sign-in log review.
- 2Enable sign-in risk alerts in Entra ID so high-risk logins page you automatically.
- 3Disable legacy authentication tenant-wide if you haven't.
- 4Assign the review to a specific person — ideally not the owner, who'll forget.
- 5Document what was reviewed and any actions taken. Creates an audit trail.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
Schedule a quick security reviewKeep reading
Microsoft 365 settings every business should turn on.
Microsoft 365 ships with insecure defaults. Five settings take under an hour and shut the door on the most common cloud attacks.
ReadTip #18 · Cloud & SaaSShadow IT is hurting your business.
Every month, employees sign up for tools you don't know about. Shadow IT leaks data, breaks compliance, and multiplies your attack surface.
Read