SOC 2 Evidence from Azure AD Sign-In Logs
Why this matters for SOC 2
SOC 2’s Trust Services Criteria put logical access in the CC6 series (Logical and Physical Access Controls): who can authenticate and under what conditions. How anomalies in that access are detected and responded to falls under the CC7 series (System Operations). Azure AD sign-in logs (Azure AD is now Microsoft Entra ID; the log schema is unchanged) are usually the single richest evidence source an auditor asks for, because each record captures the authentication outcome, whether MFA was required and satisfied, the Conditional Access evaluation result, device compliance state, and the sign-in risk level in one place.
What evidence Azure AD sign-in logs provide
- Proof that MFA is actually enforced for in-scope users, not just that a policy is configured: the authenticationRequirement field on each successful sign-in records whether the sign-in was single-factor or multi-factor
- A record of failed authentication attempts with their error codes, supporting evidence that the access controls required by CC6.1 operate as designed and that anomalies in their use are monitored (CC7.2)
- Conditional Access policy evaluation outcomes (success, failure, notApplied), demonstrating that access from outside the system boundary is conditioned on device state, location and risk signals, not just a password (CC6.6)
- A timestamped record of risky sign-ins (risk level and Identity Protection detections such as atypical travel); the investigation outcome itself lives in the risk detections and risky users records (the risk state: remediated, dismissed, confirmed compromised) and in your ticketing system, and both must be retained alongside the sign-in record to satisfy CC7.3
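As an added example (not code from this page or from the LogTriage product), the script below reduces exported sign-in records to the four evidence items above: per-user MFA coverage with the single-factor exceptions listed, Conditional Access outcomes, risky sign-ins, and failed-attempt clusters shaped like brute force or password spray. It reads records in the Microsoft Graph signIn shape, which is what the portal’s sign-in log download and Get-MgAuditLogSignIn return. The sample records, the contoso.example tenant, the IP addresses and the two alert thresholds are constructed assumptions.

```python
"""Reduce Azure AD / Entra ID sign-in log records to SOC 2 evidence items.

Added example, not code from the page or from LogTriage. Records use the
Microsoft Graph `signIn` field names; sample data and thresholds are constructed.
"""
from collections import Counter, defaultdict
import json

# Assumed thresholds; tune them for the tenant under review.
BRUTE_FORCE_FAILURES = 5   # failures against one account from one source IP
SPRAY_DISTINCT_USERS = 3   # distinct accounts failing from one source IP

MFA = "multiFactorAuthentication"   # authenticationRequirement values
SFA = "singleFactorAuthentication"


def _rec(ts, upn, ip, error_code, auth_req, ca_status, risk="none"):
    """Build a record with the Graph signIn fields this script reads."""
    return {
        "createdDateTime": ts,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "status": {"errorCode": error_code},      # 0 means the sign-in succeeded
        "authenticationRequirement": auth_req,
        "conditionalAccessStatus": ca_status,     # success / failure / notApplied
        "riskLevelDuringSignIn": risk,
    }


# Constructed sample data (RFC 5737 test addresses, example tenant).
SAMPLE_LOGS = [
    _rec("2024-03-04T08:02:11Z", "alice@contoso.example", "203.0.113.10", 0, MFA, "success"),
    _rec("2024-03-04T09:15:40Z", "alice@contoso.example", "203.0.113.10", 0, MFA, "success"),
    # Successful single-factor sign-in: the MFA exception an auditor will ask about.
    _rec("2024-03-04T09:20:03Z", "bob@contoso.example", "203.0.113.22", 0, SFA, "notApplied"),
    # Risky but MFA-satisfied sign-in: a detection that needs a documented response (CC7.3).
    _rec("2024-03-04T11:47:59Z", "dave@contoso.example", "198.51.100.200", 0, MFA, "success", risk="medium"),
    # Blocked by Conditional Access (error 53003): an access decision beyond the password (CC6.6).
    _rec("2024-03-04T12:01:30Z", "eve@contoso.example", "192.0.2.50", 53003, SFA, "failure"),
]
# Four invalid-password failures (50126) then a lockout (50053) against one account from one IP.
SAMPLE_LOGS += [
    _rec(f"2024-03-04T13:00:{s:02d}Z", "carol@contoso.example", "198.51.100.7",
         50053 if s == 50 else 50126, SFA, "notApplied")
    for s in (10, 20, 30, 40, 50)
]
# One failure each against three accounts from another IP: the password-spray shape.
SAMPLE_LOGS += [
    _rec(f"2024-03-04T13:05:{i:02d}Z", upn, "198.51.100.9", 50126, SFA, "notApplied")
    for i, upn in enumerate(("alice@contoso.example", "bob@contoso.example", "dave@contoso.example"))
]


def summarize(records):
    """Return per-user MFA coverage, Conditional Access outcomes, risky sign-ins,
    and failed-attempt clusters that look like brute force or password spray."""
    mfa = defaultdict(lambda: [0, 0])       # upn -> [MFA-satisfied successes, all successes]
    single_factor = []                      # successful sign-ins that did not require MFA
    ca_outcomes = Counter()
    risky = []
    fails_by_ip_user = Counter()            # (ip, upn) -> failure count
    users_failing_by_ip = defaultdict(set)  # ip -> accounts that failed from it

    for r in records:
        upn, ip = r["userPrincipalName"], r["ipAddress"]
        ca_outcomes[r["conditionalAccessStatus"]] += 1
        if r["riskLevelDuringSignIn"] not in ("none", "hidden"):
            risky.append((r["createdDateTime"], upn, ip, r["riskLevelDuringSignIn"]))
        if r["status"]["errorCode"] == 0:
            mfa[upn][1] += 1
            if r["authenticationRequirement"] == MFA:
                mfa[upn][0] += 1
            else:
                single_factor.append((r["createdDateTime"], upn, ip))
        else:
            fails_by_ip_user[(ip, upn)] += 1
            users_failing_by_ip[ip].add(upn)

    alerts = []
    for (ip, upn), n in sorted(fails_by_ip_user.items()):
        if n >= BRUTE_FORCE_FAILURES:
            alerts.append(f"brute-force: {n} failures against {upn} from {ip}")
    for ip, upns in sorted(users_failing_by_ip.items()):
        if len(upns) >= SPRAY_DISTINCT_USERS:
            alerts.append(f"password-spray: {len(upns)} accounts failed from {ip}")

    total_ok = sum(v[1] for v in mfa.values())
    total_mfa = sum(v[0] for v in mfa.values())
    return {
        "mfa_coverage": {u: tuple(v) for u, v in mfa.items()},
        "mfa_coverage_ratio": total_mfa / total_ok if total_ok else None,
        "single_factor_successes": single_factor,
        "ca_outcomes": dict(ca_outcomes),
        "risky_sign_ins": risky,
        "alerts": alerts,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS), indent=2))
```

To run it against a real export, replace SAMPLE_LOGS with the parsed JSON array from the download. The single_factor_successes list is the MFA exception list an auditor will ask for, and every entry in risky_sign_ins and alerts needs a matching investigation record for CC7.3.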
How LogTriage maps this to SOC 2 controls
LogTriage’s compliance mapper ties detected patterns and MITRE ATT&CK tactics directly to specific SOC 2 control IDs. A credential-stuffing or brute-force detection maps to CC6.1 (Logical and Physical Access Controls); evidence that the detection was evaluated and acted on maps to CC7.3 (evaluating security events to determine whether they are incidents and responding to them). The mapping is stamped onto every report automatically, with a note on what evidence to retain for the auditor.
Evidence checklist
- Export sign-in logs covering the full audit period, not just the incident window. The tenant keeps sign-in logs for at most 30 days by default (7 days on the free tier), so stream them to a Log Analytics workspace or storage account through Diagnostic settings before the period starts, or the evidence will not exist when the auditor asks
- Document MFA coverage for in-scope users from two sources: registration from the authentication methods report, enforcement from the sign-in logs. List every exception, such as emergency access (break-glass) accounts excluded from Conditional Access, together with its compensating control
- Retain records of every detected anomaly and the corresponding investigation and response, including the final risk state for risky sign-ins
- Confirm Conditional Access policy changes are captured, so auditors can see policy history, not just current state. The Azure AD audit log records each policy create, update and delete; exporting the policy definitions via Microsoft Graph into version control makes the history reviewable alongside the logs
- Map each control to a specific, retrievable piece of evidence — “we have logs” is not sufficient; “here is the log entry for control CC6.1” is
See your compliance mapping generated automatically
Every LogTriage report carries a deterministic compliance mapping to SOC 2, PCI DSS, HIPAA, NIST CSF and ISO 27001, whether the report was AI-generated or rule-based.