We have developed an application that currently uses a WMI query (a notification query) to fetch the user logon events (user ID, SID and IP address) from the domain controller's Security logs. We look for Event IDs 4768, 4768 or 4771. The notification query gets the logon events whenever there is a logon event (almost every second).

How do we perform the same if it is Azure AD? Are there any APIs or any other mechanism to fetch the information? Reports might give similar information, but is there a way to query the reports to fetch the user ID and IP address of logon events? Will the IP address registered on Azure AD be the same as that of the client's machine? (These are usually private IP addresses and can get NATed over the internet.)