Entra ID OIDC Failed Auth Attempt Logs
I have an Azure Entra ID OIDC app. It's configured with a client secret for machine-to-machine auth using grant_type=client_credentials.
I would like to find logs in Azure for failed OIDC login attempts (e.g. requests to https://login.microsoftonline.com/mytenant/oauth2/token that have the wrong client_id field). Note that I want to see logs for all failed attempts to my tenant, not just logs for attempts that have valid client_id fields.
I cannot seem to find such logs for failed OIDC token attempts anywhere in the console. The Sign-In Logs doesn't show any failed attempts, nor does the Audit Logs section under Entra ID (even after I made several failed attempts myself).
Where can I find these logs?
Note: Invalid
client_idfailures do not appear in the Azure AD Sign-In Logs because these requests are often rejected at the point of client ID validation, before the system even attempts to authenticate.
- When an OAuth2 client credentials flow request is made (such as when requesting an access token via the
client_credentialsgrant type), theclient_idis the first piece of information that Azure AD checks. - If the
client_idis invalid (i.e., it doesn't match any registered application in Azure AD), Azure AD usually doesn't process the authentication request further. The request is effectively rejected before it even gets to the point of secret verification or token generation.
For sample, If the client_id is valid but the client_secret is incorrect, the request proceeds further in the authentication flow (after validating the client_id), and the failure is logged in the Sign-In Logs with an error like invalid_client_secret.
Hence Azure AD will not log invalid client_id failures explicitly, as it is considered an error that occurs before authentication actually takes place.
- The Sign-In Logs are focused on capturing authentication-related events that involve the full OAuth2 flow, including issues like invalid secrets, tokens, or grants, rather than early errors like an unrecognized
client_id
I tried to generate access token by passing the wrong client secret:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type : client_credentials
client_id : ClientID
client_secret : Secret
scope : https://graph.microsoft.com/.default
This invalid secret failure log is captured under the Sign-in logs of Service principal sign-ins:
But Now I tried to pass the invalid client ID, there is no log captured:
- In an Azure App Service, how do I allow DefaultAzureCredential to get bearer token from App Registration (Enterprise Application)?
- Powershell performance degraded when importing Az modules
- How to construct the hashed token signature for Azure Cosmos DB REST API to list users?
- How to make CosmosDB work with an Azure Web App
- AADSTS50011: The redirect URI specified in the request does not match the redirect URIs configured for the app
- Stopping or Disabling a resource group in Azure
- Why I got an error request every 5 minutes in an Azure App Service
- I have try to create event in microsoft outlook calendar but coming error Access token validation failure. Invalid audience
- FQDN on Azure Virtual Machine
- azurerm - Terraform not behaving as expected
- How to get all possible AppServicePlan configurations from an Azure subscription?
- How to register your Azure resource as an Application in Azure Active Directory?
- How to Compare Variables in the Azure Library-Variable Group
- azure ai studio - indexing problem (ai search)
- The template output 'ctrName' is not valid: The language expression property array index '4' is out of bounds
- Microsoft Graph API: Create subscription - Exception: [Status Code: Unauthorized] [Go]
- After Upgrade Azure Function .Net 8 - How to handle Dependecy Injection from Startup.cs?
- How does using a proxy between frontend and backend improve security?
- How to verify JWT id_token produced by MS Azure AD?
- Azure Video Indexer API: "USER_NOT_ALLOWED" Error When Checking Blurring Job Status After Completion of Bluring
- Azure arm64 VM sku with nested virtualization
- Set ouput of GitHub action workflow after using azure/login@v2 step
- Redirect service (302) in Azure, best possible approach?
- Why the redirect uri has no fragment parameters on the first try?
- Trying to get Azure AI to work with Nuxt 3
- How do I pull the last modified file with data flow in Azure Data Factory?
- Pass AzureML job's name to pipeline
- Using the Microsoft Graph API to load files from Sharepoint into Databricks
- Databricks Numeric Type comparsion (Int vs Double)
- Azure Synapse time out - Token expire