Table of contents
WorkSights captures Microsoft 365 login activity using secure audit signals generated whenever a user authenticates with their Microsoft account.
These events provide a lightweight indication of when real user-initiated authentications occur. WorkSights never accesses passwords or any application content.
What WorkSights Receives
WorkSights ingests Microsoft Unified Audit Log metadata for:
- Successful user sign-ins
- Sessions renewals or re-authentication events
- OAuth consent approvals that require authentication
The data delivered to WorkSights consists only of:
- Timestamp of the login
- Event type (login, re-authentication, OAuth grant)
- IP address and general location, when available
No message bodies, files, Teams content, or calendar data are ever contained in login audit records.
How Login Activity Appears in WorkSights
Login events appear as small green entries on the user’s timeline. They represent brief identity-related interactions, such as:
- Starting a new Microsoft 365 session
- Renewing authentication after a timeout
- Confirming identity when approving permissions
Each event is scored as a minimal-duration action, reflecting the short nature of login activity.
WorkSights filters background system signals so login entries reflect genuine user authentication, not automated Microsoft background operations.
How WorkSights Processes Login Signals
WorkSights processes login metadata in near real time:
- Audit events are ingested as Microsoft publishes them
- Duplicate or system-generated noise is removed
- Only user-attributable authentication events appear on the timeline
Because these signals reflect identity rather than work execution, they serve as contextual indicators and not productivity metrics.
Privacy and Security
WorkSights fully preserves privacy in handling login events. It never receives or stores passwords or authentication tokens.
Audit records do not contain message content, files, chat logs, or calendar material.
Data is read-only and delivered through Microsoft’s secure auditing pipeline.
Login events cannot reveal what a user did inside Microsoft 365 applications.
The integration surfaces only high-level authentication markers.
Data Notes
Login visibility depends on Microsoft’s Unified Audit Log being active for the tenant.
Login events appear only from the moment the Microsoft 365 integration is connected.
OAuth consent flows also generate login audit entries.
WorkSights cannot determine why a login occurred, only that the authentication happened.
Next Steps
For chat events, see Microsoft Teams – Chats.
For file activity, see Microsoft OneDrive and SharePoint Files.
For login events, see Microsoft Logins.
For connection steps, see Connecting Microsoft 365.
For a platform-level explanation, see Microsoft 365 Overview.