NavaSolutions logoNavaSolutions
All articlesCybersecurity

20 Million Sign-Ins in 90 Days: What Microsoft 365 Monitoring Actually Catches

NavaSolutions Team · July 1, 2026

Over the last 90 days, across the businesses we monitor, our security platform analyzed nearly 20 million Microsoft 365 sign-in events. The overwhelming majority were ordinary, everyday logins. A small number were not — and those are the ones that matter. Here's the full picture, and why it matters for any business running Microsoft 365.

90 days of Microsoft 365 monitoring, by the numbers

Across 34 organizations and 3,948 users, here's what the last quarter looked like:

  • ~20 million Microsoft 365 sign-in events analyzed
  • 2,251 high- and critical-risk sign-ins flagged and investigated
  • 177 confirmed malicious — real account-takeover activity, not noise
  • 2,074 cleared as benign (92%) — triaged out so nobody wastes time chasing false alarms
  • 186 incidents opened, 166 resolved — with every flagged sign-in triaged, nothing left sitting in a queue

What these numbers actually mean

First, threats hide in volume. When your people sign in tens of thousands of times a day, the handful of malicious logins are invisible without something watching every one. The 177 we confirmed malicious — impossible-travel logins, sign-ins from known-bad IPs, suspicious password resets — would have gone unnoticed on an unmonitored tenant until the damage was already done.

Second, most alerts are noise — and handling that noise is the point. 92% of the high-risk sign-ins we flagged turned out to be benign once investigated. That's exactly why monitoring needs real triage: so your team isn't drowning in 2,251 alarms trying to find the 177 that actually matter.

Third, alerts only help if someone acts on them. We opened 186 security incidents and resolved 166, with every flagged sign-in reviewed and nothing left pending. An alert that sits unread is the same as no alert at all.

Here's the uncomfortable part

Every one of these numbers came out of Microsoft 365 logs that most businesses never look at. The evidence of a compromised account is almost always sitting right there in your sign-in and audit data — the problem is that nobody is reading it. If no one is watching your tenant, you won't know you've been breached until it's painfully obvious.

That's why we offer a free Microsoft 365 security review. We'll analyze 30 days of your own sign-in and audit activity — up to 25 users, read-only, no obligation — and show you exactly what's happening in your tenant. Get your free M365 review and see your own numbers.

Already dreading your next support ticket?

Get a free IT second opinion. We will review your current setup and show you — no obligation — exactly where your provider is leaving you exposed, overcharged, or waiting too long.