Analyze AzureAD SignIn Logs with PowerShell

Hi All,

I recently had a case where I needed to access the AzureAD Sign-in Logs with PowerShell.

I started at the Azure AD Sign-in Logs and filtered by UPN.

The next step was Graph Explorer, where I found the needed permissions:

###############################################################################
# Graph Explorer
###############################################################################
#Go to https://aka.ms/ge
https://graph.microsoft.com/v1.0/auditLogs/signIns
https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')

Let's connect with these permissions (they require admin consent, which I already have):

#Import-Module and Connect to Microsoft Graph
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

By default you only get 1000 rows:

#Get Signins
$Signins = Get-MgAuditLogSignIn
$Signins.Count

Let's check the details of one record:

#Show Details of one Record
$Signins[0] | Format-List

Do we have sign-ins where RiskState is set?

#List RiskState
$Signins | Where-Object {$_.RiskState -ne "none"}

By using a filter you can search by UPN, and with the "-All" parameter you get all records that match the filter instead of only the first 1000:

###############################################################################
# Use query parameters to customize responses
# https://docs.microsoft.com/en-us/graph/query-parameters
###############################################################################
#Search for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')"
$Signins.Count
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -All
$Signins.Count

Now we filter for only successful logins, sort by date and show only the attributes I am interested in:

#List Details
$Signins | Where-Object {$_.ConditionalAccessStatus -eq "success"} | Sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime

If you just need the last couple of sign-ins, use the "-Top" parameter:

#Get latest 10 Signins for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -Top 10
$Signins | Sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
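Building on the filter, -All and RiskState queries above, here is an added example (not from the original post) that turns one user's sign-ins from the last N days into a small triage summary: success vs. failure based on Status.ErrorCode, risky sign-ins, Conditional Access failures, and the distinct source IPs and countries. It assumes the Microsoft.Graph.Reports module and an existing Connect-MgGraph session with the scopes shown earlier; the UPN 'user@contoso.example' and the function name Get-SignInTriage are placeholders.

```powershell
# Added example, not part of the original post. Assumes Connect-MgGraph has
# already been run with AuditLog.Read.All and Directory.Read.All.
function Get-SignInTriage {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $Days = 7
    )

    # Graph OData filter: exact UPN match plus a createdDateTime lower bound.
    # The timestamp must be ISO 8601 in UTC with a trailing 'Z'.
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

    # -All walks every page instead of stopping at the first 1000 rows
    $signins = @(Get-MgAuditLogSignIn -Filter $filter -All)

    # Status.ErrorCode 0 is a successful sign-in; anything else is a failure
    $failed = @($signins | Where-Object { $_.Status.ErrorCode -ne 0 })
    $risky  = @($signins | Where-Object { $_.RiskState -ne 'none' })

    [pscustomobject]@{
        User              = $UserPrincipalName
        Days              = $Days
        Total             = $signins.Count
        Failed            = $failed.Count
        Risky             = $risky.Count
        CAFailures        = @($signins | Where-Object { $_.ConditionalAccessStatus -eq 'failure' }).Count
        # A sudden new IP or country for this user is worth a closer look
        SourceIPs         = ($signins.IpAddress | Sort-Object -Unique) -join ', '
        Countries         = ($signins.Location.CountryOrRegion | Sort-Object -Unique) -join ', '
        # Most common failure reasons, e.g. wrong password vs. blocked by policy
        TopFailureReasons = ($failed | Group-Object { $_.Status.FailureReason } |
            Sort-Object Count -Descending | Select-Object -First 3 |
            ForEach-Object { "$($_.Count)x $($_.Name)" }) -join '; '
        # Keep the risky rows themselves for a row-by-row review
        RiskySignIns      = $risky | Sort-Object CreatedDateTime -Descending |
            Select-Object CreatedDateTime, IpAddress, RiskState, RiskLevelDuringSignIn, AppDisplayName, ClientAppUsed
    }
}

# Placeholder UPN; replace with the account you are investigating
$triage = Get-SignInTriage -UserPrincipalName 'user@contoso.example' -Days 7
$triage | Format-List User, Days, Total, Failed, Risky, CAFailures, SourceIPs, Countries, TopFailureReasons
$triage.RiskySignIns | Format-Table
```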

Hope that helps you get started. Now you can build your own queries on top of that.

Happy coding.

Regards
Andres Bohren