Analyze AzureAD SignIn Logs with PowerShell
Hi All,
I recently had a case where I needed to access the AzureAD Sign-in Logs with PowerShell.
I started in the Azure AD Sign-in Logs and filtered by UPN.
Next step was Graph Explorer, where I found the needed permissions.
###############################################################################
# Graph Explorer
###############################################################################
#Go to https://aka.ms/ge
https://graph.microsoft.com/v1.0/auditLogs/signIns
https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=startsWith(userPrincipalName,'a.bohren@icewolf.ch')
Let's connect with these permissions (they need admin consent, and I already have that).
#Import-Module and Connect to Microsoft Graph
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scope AuditLog.Read.All,Directory.Read.All
By default you only get the first page of 1000 rows.
#Get Signins
$Signins = Get-MgAuditLogSignIn
$Signins.Count
Let's check the Details of one Record
#Show Details of one Record
$Signins[0] | fl
Do we have SignIns where RiskState is set?
#List RiskState
$Signins | where {$_.RiskState -ne "none"}
By using a filter you can search for a UPN, and with the "-All" parameter you get all records that match the filter instead of only the first page. Note that startsWith also matches any other user whose UPN begins with the same string; use userPrincipalName eq '...' when you want exactly one account.
###############################################################################
# Use query parameters to customize responses
# https://docs.microsoft.com/en-us/graph/query-parameters
###############################################################################
#Search for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')"
$Signins.Count
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -All
$Signins.Count
Now we filter for sign-ins where the Conditional Access evaluation reported success, sort by date and show only the attributes I am interested in. Keep in mind that ConditionalAccessStatus describes the policy evaluation (success, failure or notApplied), not whether the sign-in itself succeeded: a successful sign-in has Status.ErrorCode equal to 0, and a sign-in that no policy applied to shows notApplied even though it succeeded.
#List Details
$Signins | where {$_.ConditionalAccessStatus -eq "success"} | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
If you just need the last couple of sign-ins, use -Top, which limits the request to the first 10 matching records.
#Get latest 10 Signins for a specific User
$Signins = Get-MgAuditLogSignIn -Filter "startsWith(userPrincipalName,'a.bohren@icewolf.ch')" -Top 10
$Signins | sort-Object CreatedDateTime -Descending | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
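The snippets above pull the records; the following script is an added example (not code from the original post) that puts them together into a small triage for one user: it separates the real sign-in outcome (Status.ErrorCode) from the Conditional Access result, lists sign-ins Identity Protection still marks as at risk, and groups failed sign-ins by source IP to spot spray or brute-force attempts, flagging an IP that later succeeded. The UPN, the 7-day window and the failure threshold are placeholders, the live query assumes the Microsoft.Graph.Reports module and the scopes from above, and the sample records are constructed so the function can be tried without a tenant.

```powershell
###############################################################################
# Added example: triage one user's sign-ins (not part of the original post)
# Assumes Microsoft.Graph.Reports and Connect-MgGraph -Scope AuditLog.Read.All,Directory.Read.All
# for the live query. UPN, window and threshold below are placeholders.
###############################################################################
$Upn              = 'a.bohren@icewolf.ch'
$Since            = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$FailureThreshold = 3    # failed sign-ins from one IP before it is called out

function Get-SignInTriage {
    param([Parameter(Mandatory)][object[]]$SignIns)

    # The real outcome is Status.ErrorCode (0 = token issued). ConditionalAccessStatus
    # only reports the CA evaluation: success, failure or notApplied.
    $succeeded = @($SignIns | Where-Object { $_.Status.ErrorCode -eq 0 })
    $failed    = @($SignIns | Where-Object { $_.Status.ErrorCode -ne 0 })

    # Sign-ins Identity Protection flagged that nobody has dismissed or remediated yet.
    $atRisk = @($SignIns | Where-Object { $_.RiskState -in @('atRisk', 'confirmedCompromised') })

    # Failed sign-ins per source IP; many failures from one IP look like a spray or brute force.
    $noisyIps = foreach ($group in ($failed | Group-Object IPAddress)) {
        if ($group.Count -lt $FailureThreshold) { continue }
        $ip          = $group.Name
        $lastFailure = ($group.Group | Sort-Object CreatedDateTime | Select-Object -Last 1).CreatedDateTime
        [pscustomobject]@{
            IPAddress    = $ip
            Failures     = $group.Count
            ErrorCodes   = ($group.Group | ForEach-Object { $_.Status.ErrorCode } | Sort-Object -Unique) -join ','
            # A success from the same IP after the failures is the case to escalate.
            LaterSuccess = [bool]($succeeded | Where-Object { $_.IPAddress -eq $ip -and $_.CreatedDateTime -gt $lastFailure })
        }
    }

    [pscustomobject]@{
        Total     = $SignIns.Count
        Succeeded = $succeeded.Count
        Failed    = $failed.Count
        CAFailed  = @($SignIns | Where-Object ConditionalAccessStatus -eq 'failure').Count
        AtRisk    = $atRisk
        NoisyIps  = @($noisyIps)
    }
}

# Constructed sample records shaped like Get-MgAuditLogSignIn output, so the function can be
# exercised without a tenant. 50126 is the AAD "invalid username or password" code; the
# reason strings are shortened. 203.0.113.10 fails three times over legacy SMTP (no CA
# policy applied) and then succeeds, which the triage should flag.
$Now = Get-Date
$Sample = @(
    [pscustomobject]@{ UserPrincipalName=$Upn; CreatedDateTime=$Now.AddMinutes(-60); AppDisplayName='Office 365 Exchange Online'; ClientAppUsed='Browser';            IPAddress='198.51.100.7';  ConditionalAccessStatus='success';    RiskState='none';   Status=[pscustomobject]@{ ErrorCode=0;     FailureReason='Other.' } }
    [pscustomobject]@{ UserPrincipalName=$Upn; CreatedDateTime=$Now.AddMinutes(-45); AppDisplayName='Office 365 Exchange Online'; ClientAppUsed='Authenticated SMTP'; IPAddress='203.0.113.10'; ConditionalAccessStatus='notApplied'; RiskState='none';   Status=[pscustomobject]@{ ErrorCode=50126; FailureReason='Invalid username or password.' } }
    [pscustomobject]@{ UserPrincipalName=$Upn; CreatedDateTime=$Now.AddMinutes(-44); AppDisplayName='Office 365 Exchange Online'; ClientAppUsed='Authenticated SMTP'; IPAddress='203.0.113.10'; ConditionalAccessStatus='notApplied'; RiskState='none';   Status=[pscustomobject]@{ ErrorCode=50126; FailureReason='Invalid username or password.' } }
    [pscustomobject]@{ UserPrincipalName=$Upn; CreatedDateTime=$Now.AddMinutes(-43); AppDisplayName='Office 365 Exchange Online'; ClientAppUsed='Authenticated SMTP'; IPAddress='203.0.113.10'; ConditionalAccessStatus='notApplied'; RiskState='none';   Status=[pscustomobject]@{ ErrorCode=50126; FailureReason='Invalid username or password.' } }
    [pscustomobject]@{ UserPrincipalName=$Upn; CreatedDateTime=$Now.AddMinutes(-40); AppDisplayName='Office 365 Exchange Online'; ClientAppUsed='Authenticated SMTP'; IPAddress='203.0.113.10'; ConditionalAccessStatus='notApplied'; RiskState='atRisk'; Status=[pscustomobject]@{ ErrorCode=0;     FailureReason='Other.' } }
)

# Live query (run after Connect-MgGraph). Filtering by UPN and date server-side keeps the
# paging small; -All fetches every matching page.
$Filter = "userPrincipalName eq '$Upn' and createdDateTime ge $Since"
# $SignIns = Get-MgAuditLogSignIn -All -Filter $Filter
$SignIns = $Sample    # swap for the live query above

$Triage = Get-SignInTriage -SignIns $SignIns
$Triage | Select-Object Total, Succeeded, Failed, CAFailed | Format-List
$Triage.NoisyIps | Format-Table IPAddress, Failures, ErrorCodes, LaterSuccess
$Triage.AtRisk   | Format-Table CreatedDateTime, IPAddress, ClientAppUsed, RiskState, @{ n='ErrorCode'; e={ $_.Status.ErrorCode } }
```

On the sample data the summary shows 5 total, 2 succeeded, 3 failed and 0 CA failures, 203.0.113.10 appears under NoisyIps with LaterSuccess set to True, and the final successful SMTP sign-in is listed as atRisk. Against a real tenant, replace the sample with the commented Get-MgAuditLogSignIn call; the legacy-auth path with ConditionalAccessStatus notApplied is exactly the kind of sign-in the earlier "success"-only filter would hide.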
Hope that helps you to get started. Now you can create your own queries built on top of that.
Happy coding.
Regards
Andres Bohren