Windows 10: ENtra ID audit last logon user

Discus and support ENtra ID audit last logon user in Windows 10 Gaming to solve the problem; Look like the delay to get the last login is over 15 minutes, and the log get the information only if the computer reboot and the user login, if the... Discussion in 'Windows 10 Gaming' started by Andre Grenon1, Apr 3, 2025 at 9:57 AM.

  1. ENtra ID audit last logon user


    Look like the delay to get the last login is over 15 minutes, and the log get the information only if the computer reboot and the user login, if the user logout and login , no activity are record on the audit log, is this normal. how do we get the last login date and time the right way under entra id Azure joint or Hybrid user

    :)
     
    Andre Grenon1, Apr 3, 2025 at 9:57 AM
    #1

  2. Understanding about Audit Logon Event

    Hi

    Welcome to Microsoft community.

    The Audit Logon events in the Windows Event Log are generated by the operating system to track user logon and logoff activities on a system. These events can provide valuable information about who is accessing the system and when. However, it's essential to understand that these events can also be generated by various system processes, services, and background tasks, not just by physical user logins.

    Here are some common scenarios where you might see duplicate login/logout events and Kerberos Ticket requests in the Event Log, even when there's no physical user logging into the client machine:

    1. Scheduled Tasks: Some scheduled tasks or background processes may require authentication and generate logon events, even when no user is interacting with the machine. These tasks could include maintenance tasks, background updates, and other system-related activities.
    2. Service Accounts: System services, applications, or tasks running under service accounts might trigger logon events for those accounts without involving physical users. Service accounts are often used to run various services in the background.
    3. Network Access: If the system is accessed remotely via network shares or other network resources, logon events might be generated for that remote access, even if no user is directly interacting with the machine.
    4. Cached Credentials: In some cases, cached credentials might be used to access network resources, which can lead to logon events, even if no fresh user authentication occurs.
    5. Kerberos Ticket Renewal: Kerberos is the authentication protocol used in Windows environments. When a user logs in, a Kerberos Ticket is generated, and it may be automatically renewed by the system without requiring the user to log in again.
    6. Terminal Services or Remote Desktop Services: In environments with remote desktop or terminal services enabled, logon events might be triggered for remote sessions.
    To better understand the specific cause of the duplicate logon events in your environment, it's recommended to analyze the Event Log in more detail. Check the event IDs associated with the logon and logoff activities and look for information about the type of logon (e.g., interactive, network, batch, service, etc.), the user account involved, the source of the logon (e.g., Service, Network, LogonUI, etc.), and any associated IP addresses.

    Remember that logs can vary depending on the system configuration and the applications running.

    Please feel free to let me know if you have any further updates, thanks.

    Best regards

    Derrick Qian | Microsoft Community Support Specialist
     
    Derrick19 - MSFT, Apr 3, 2025 at 10:01 AM
    #2
  3. Some windows 11 devices shows as Entra ID registered in Intune

    Some devices onboarded to Intune with self deploying Autopilot mode, and now they shows as Entra ID registered in Intune and not Entra ID joined. Why these shows Entra ID registered and how to make them appear Entra ID joined.
     
  4. Jonas U. Win User

    ENtra ID audit last logon user

    Windows 11 can't logon as new User

    Hello Daisy Zhou,

    Thank you for your reply.



    To Answer your Questions:

    1. Yes, I mean the "Switch User" button, it's named a little different in German as it seems



    2. There is no error massage, as there is no way of starting the process of logging into a new user



    3. The device has not yet joined the Entra-ID/Azure-AD domain, as you would usually do that by logging in with an Office Account



    4. Local users are possible to be logged into since they show up as a direct user login. Users that are not located on the machine itself don’t show up as they’ve never been logged into on the device.

    Kind Regards,

    -
     
Thema:

ENtra ID audit last logon user

Loading...
  1. ENtra ID audit last logon user - Similar Threads - ENtra audit last

  2. ENtra ID audit last logon user

    in Windows 10 Software and Apps
    ENtra ID audit last logon user: Look like the delay to get the last login is over 15 minutes, and the log get the information only if the computer reboot and the user login, if the user logout and login , no activity are record on the audit log, is this normal. how do we get the last login date and time the...
  3. Microsoft Entra ID

    in AntiVirus, Firewalls and System Security
    Microsoft Entra ID: Hello...I work in a small family business and we're starting to grow.In a recent network setup they are implementing, we will be hooking our devices with Microsoft Entra IDs.The thing is that they are asking to sign in our company PCs and also our personal laptops we do some...
  4. Microsoft Entra ID

    in Windows 10 Software and Apps
    Microsoft Entra ID: Hello...I work in a small family business and we're starting to grow.In a recent network setup they are implementing, we will be hooking our devices with Microsoft Entra IDs.The thing is that they are asking to sign in our company PCs and also our personal laptops we do some...
  5. Setting up a device for user for Entra ID

    in Windows 10 Gaming
    Setting up a device for user for Entra ID: So when I am setting up the device it saysConnecting to: My organisationUser name: User@myorganisationUser Type: AdministratorI do not understand the user type section I am logging onto the admin account as instructed am I doing something wrong?So I am logging on with the...
  6. Setting up a device for user for Entra ID

    in Windows 10 Software and Apps
    Setting up a device for user for Entra ID: So when I am setting up the device it saysConnecting to: My organisationUser name: User@myorganisationUser Type: AdministratorI do not understand the user type section I am logging onto the admin account as instructed am I doing something wrong?So I am logging on with the...
  7. Entra ID logon issues. Setting up company device

    in Windows 10 Gaming
    Entra ID logon issues. Setting up company device: Hi, I am currently setting up a device via 'join this device to Microsoft entra ID' When I follow the prompts it keeps putting the user type as 'Administrator' Is this just because I am doing this on the local admin accountAs documentation references Then once the user signs...
  8. Entra ID logon issues. Setting up company device

    in Windows 10 Software and Apps
    Entra ID logon issues. Setting up company device: Hi, I am currently setting up a device via 'join this device to Microsoft entra ID' When I follow the prompts it keeps putting the user type as 'Administrator' Is this just because I am doing this on the local admin accountAs documentation references Then once the user signs...
  9. Security Auditing ID: 4624/4672 Special Logon and Logon

    in Windows 10 Gaming
    Security Auditing ID: 4624/4672 Special Logon and Logon: Hello, Im constantly getting this audit success every 5-10 minutes. I need help on what this is, and how can I fix it, because it freezes my computer like hardlock and goes back to normal. Here is both events Views. First is Special Logon and Second is LogonSPECIAL...
  10. Security Auditing ID: 4624/4672 Special Logon and Logon

    in Windows 10 Software and Apps
    Security Auditing ID: 4624/4672 Special Logon and Logon: Hello, Im constantly getting this audit success every 5-10 minutes. I need help on what this is, and how can I fix it, because it freezes my computer like hardlock and goes back to normal. Here is both events Views. First is Special Logon and Second is LogonSPECIAL...