To check ADFS (Active Directory Federation Services) sign-in events, you primarily use Event Viewer on the ADFS server. Here’s a step-by-step guide:
🛠️ Steps to Check ADFS Sign-In Events via Event Viewer:
✅ 1. Open Event Viewer
- Log in to your ADFS server.
- Press
Win + R, typeeventvwr, and pressEnter.
✅ 2. Navigate to the ADFS Log Path
In the Event Viewer, go to:
Applications and Services Logs
└── AD FS
└── Admin
You can also check:
Applications and Services Logs
└── AD FS
└── Tracing
└── Debug (only if tracing is enabled)
✅ 3. Look for Sign-In Events
Common Event IDs related to sign-ins:
| Event ID | Description |
|---|---|
| 1200 | ADFS received a request for a token |
| 1202 | Token successfully issued |
| 364 | ADFS error occurred (common for failed sign-ins) |
| 411 | A user was authenticated successfully |
| 510 | User sign-in failed |
| 342 | Claims issuance failure |
🔍 4. Filter Events for Quick Search
- Right-click on Admin log →
Filter Current Log... - Use Event ID field to filter by IDs like:
364, 411, 1200, 1202, 510.
✅ 5. Optional: Enable Auditing for Detailed Logs
If you’re not seeing the logs, you may need to enable auditing:
- Open Group Policy Management → Edit the appropriate GPO or
Local Security Policy. - Navigate to:
Computer Configuration └── Windows Settings └── Security Settings └── Advanced Audit Policy Configuration └── Audit Policies └── Logon/Logoff - Enable:
- Audit Logon Events
- Audit Account Logon Events
- Audit Authentication Policy Change
Then run:
gpupdate /force
📘 Helpful Tip:
For modern ADFS logs and easier analysis, you can use Azure AD Sign-in Logs (if federated), or tools like:
- ADFS Diagnostics Tool (ADFS Rapid Restore Tool)
- PowerShell (
Get-AdfsEvent,Get-AdfsAccountActivity)