Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Azure and Microsoft 365 / Checking User Sign-in Logs in Entra ID (Microsoft 365)

March 15, 2024

Checking User Sign-in Logs in Entra ID (Microsoft 365)

In this article, we’ll show you how to get the last login date and sign-in activity of your Azure Active Directory users, export and analyze Azure sign-in and audit logs in your Microsoft tenant using PowerShell (with the AzureADPreview module or Microsoft Graph API).

The easiest way to view user activity logs is to use the Azure portal. Open https://portal.azure.com -> Azure AD -> Users -> select a user -> Sign-in logs. User logon history is shown in the following table.

user sign-in and activity reports in Azure portal

You can get the user’s last logon date, the operating system on a user device, location, user-agent, etc. You can configure filters by different parameters, add/remove columns, or export data to a CSV file.

However, if you want to get the sign-in activity for multiple or all users, you will have to use PowerShell. There are two ways of getting access to user sign-in logs in Azure.

Contents:
  • How to Get User Login History in Azure AD Using Microsoft Graph API?
  • Export Azure AD User Sign-in Logs Using the Get-AzureADAuditSignInLogs Cmdlet

How to Get User Login History in Azure AD Using Microsoft Graph API?

Let’s try to get user sign-in logs using Microsoft Graph API. Connect to your Azure tenant using Microsoft Graph API.

Grant the following API permissions to your Azure application that you are using to connect through the Microsoft Graph API: AuditLog.Read.All and Directory.Read.All.
AuditLog.Read.All permissions graph api

$ApplicationID = "4434ad23-b212-3212-3aad-54321de3bbc"
$TenatDomainName = "26216542-aaaa-bbbb-2212-65566aa6c32"
$AccessSecret="12-32Bh654321d3-seLa23l33p.hhj33MM21aaf"
$Body = @{
Grant_Type    = "client_credentials"
Scope         = "https://graph.microsoft.com/.default"
client_Id     = $ApplicationID
Client_Secret = $AccessSecret
}
$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenatDomainName/oauth2/v2.0/token" -Method POST -Body $Body
$token = $ConnectGraph.access_token

After receiving a token, you can connect to the REST API to get information about user sign-in activity:

$GraphSignInLogs = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GraphSignInLogs  -Method Get).value

Make sure that you can get data about user authentication events in Azure:

Accessing Azure AD logs with the Microsoft Graph API

Note that the Microsoft Graph API can return up to 1,000 objects at a time. You can use paging to paginate the results and process multiple objects in a loop using @odata.nextLink.

You can use the Azure Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) to select the names of columns (object attributes) you want to see in the user login history report. For example, I want to see the information about a user, operating system, Azure/Microsoft 365 app used for connection and location in the report (these are the following columns: userDisplayName, userPrincipalName, appDisplayName, location, ipAddress, clientAppUsed, deviceDetail, createdDateTime).

In this example, I want to get an Azure user activity report for the last 90 days:

$SetDate = (Get-Date).AddDays(-90)
$SetDate = Get-Date($SetDate) -format yyyy-MM-dd
$GraphSignInLogs  = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
$result = (Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GraphSignInLogs  -Method Get).value | Select-Object userDisplayName, userPrincipalName, appDisplayName, ipAddress, clientAppUsed, deviceDetail, location,createdDateTime | Where-Object {$_.createdDateTime -gt $SetDate }
$alluserhistory = @()
foreach ($resitem in $result){
$userhistory = New-Object PSObject -Property @{
User=$resitem.userDisplayName
UPN=$resitem.userPrincipalName
AzureAppUsed =$resitem.appDisplayName
UserApp =$resitem.clientAppUsed
IP=$resitem.ipAddress
Date=$resitem.createdDateTime
OS=($resitem.deviceDetail).operatingSystem
browser=($resitem.deviceDetail).browser
City=($resitem.location).city
Country=($resitem.location).countryOrRegion
}
$alluserhistory += $userhistory
}

To export the result to a CSV file, run the command below:

$alluserhistory| Export-Csv "C:\PS\azure_signin_logs.csv" –NoTypeInformation

The CSV file contains information about all user activities: what devices and locations they logged on from, what Microsoft apps they used. You can add any other fields if necessary.

Analyzing Azure Active Directory Sign-In Logs in Excel

To get the last logon date for every AAD user in the list, run this command:

$alluserhistory| Group-Object UPN |%{ $_.Group | Select UPN,Date -First 1}

List Azure users' last login date with PowerShell

You can find all inactive Azure users for the specified period of time. To do it, get a full list of user UserPrincipalNames (UPNs) in Azure using Graph API and compare it with the list of users authenticated in Azure for the last 90 days you generated earlier.
$GrapUserUrl = 'https://graph.microsoft.com/v1.0/users'
$allusers=(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GrapUserUrl -Method Get).value
$allusers = $allusers | Select-Object @{Name="UPN"; Expression = {$_.userprincipalname.ToLower()}}
$activeusers = $alluserhistory|select UPN –Unique

Then you just have to compare the two lists. Thus, using a PowerShell script you can find inactive users and remove unused Microsoft 365/Azure AD licenses.

Export Azure AD User Sign-in Logs Using the Get-AzureADAuditSignInLogs Cmdlet

You can use the Get-AzureADAuditSignInLogs cmdlet from the AzureADPreview PowerShell module to get and export Azure AD/ Microsoft 365 sign-in audit logs. For some reason, there is no such cmdlet in the latest AzureAD for PowerShell module (apparently, Microsoft thinks that the Graph API is enough for us).

Install the AzureADPreview module to your computer:
Install-Module AzureADPreview –AllowClobber

Connect to your Azure tenant using AzureADPreview:

AzureADPreview\Connect-AzureAD

The following command will return information about the last 10 user sign-in events to Azure and Microsoft 365 apps:

Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '[email protected]'" -Top 10 | select CreatedDateTime, UserPrincipalName, IsInteractive, AppDisplayName, IpAddress, TokenIssuerType, @{Name = 'DeviceOS'; Expression = {$_.DeviceDetail.OperatingSystem}}|ft

Get-AzureADAuditSignInLogs PowerShell cmdlet allows to get an Azure Active Directory sign logs

You can display statistics on user logins to Azure for the last 3 days and export them to a CSV file:

$SetDate = (Get-Date).AddDays(-3);
$SetDate = Get-Date($SetDate) -format yyyy-MM-dd
$array = Get-AzureADAuditSignInLogs -Filter "createdDateTime gt $SetDate" | select userDisplayName, userPrincipalName, appDisplayName, ipAddress, clientAppUsed, @{Name = 'DeviceOS'; Expression = {$_.DeviceDetail.OperatingSystem}},@{Name = 'Location'; Expression = {$_.Location.City}}
$array | Export-Csv "C:\PS\AzureUserSigninLogs.csv" –NoTypeInformation

excel azure user activity report

You can collect user login history data for the on-premises Active Directory domain from domain controller security logs.
12 comments
6
Facebook Twitter Google + Pinterest
Azure and Microsoft 365PowerShell
previous post
How to Sign an Unsigned Device Driver in Windows
next post
Install and Manage Windows Updates with PowerShell (PSWindowsUpdate)

Related Reading

Outlook Keeps Asking for Password on Windows

March 17, 2024

How to Increase Attachment Size Limit in Outlook

March 15, 2024

Get a List of Mailboxes a User Has...

March 15, 2024

How to Manually Configure Exchange or Microsoft 365...

March 17, 2024

Configuring UserPrincipalName and UPN Suffixes in Active Directory

March 11, 2024

Fix: Microsoft Outlook Search Not Working on Windows...

March 17, 2024

How to Disable Microsoft Teams Auto Startup

March 12, 2024

How to Send a Message to Teams Channel...

March 13, 2024

12 comments

Lee March 17, 2022 - 9:08 pm

Excellent article; easy to follow as well!

Reply
Sandie April 8, 2022 - 5:12 pm

‘Get-AzureADAuditSignInLogs’ is not recognized as the name of a cmdlet

Reply
admin April 15, 2022 - 11:38 am

Did you install the AzureADPreview module?
Install-Module AzureADPreview –AllowClobber

Reply
slmadmin October 11, 2022 - 2:32 am

Different person answering, but yes, it is installed – v2..0.2.149
Also I get an error:
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
At line:1 char:2
+ (Invoke-RestMethod -Headers @{Authorization = “Bearer $($token)”} -Ur …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExc
eption
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Reply
admin October 16, 2022 - 6:06 am

Have you created a new Azure AD ( App registration) in your tenant, granted the API permissions to your Azure app, and replaced the values of the following variables in the script?
$ApplicationID
$TenatDomainName
$AccessSecret

Reply
Carric September 4, 2023 - 5:25 pm

Note – I was getting this when trying to use Powershell in the terminal.. I had to go to the launch button, type in powershell, then launch it from there.. There was an error about powershell core vs powershell desktop. HOURS of troubleshooting wasted on the powershell “blind grope”

Mike November 30, 2022 - 12:09 am

is there a way to get the Device name (laptop name)? for a history of who logged into that device?

Reply
Kelli Page January 4, 2023 - 1:25 am

Is there a way to get more than 30 days of login data? I have not found a way yet.

Reply
Mohsin January 31, 2023 - 4:40 am

Let me know if you find a way, i’m looking for same

Reply
Carric September 4, 2023 - 5:23 pm

Most M365 and supposedly E3 default to 30 days retention. E5 defaults to 90. That may be your issue.
I have seen some subscriptions with no Azure subscription only allow for 7 days.

Reply
Shane September 5, 2023 - 9:41 pm

Thank you!
I had a few questions.
Is it possible to change the CreatedDateTime Timezone from UTC?
Is it possible to split the Date and Time into it’s on columns on the export?

Reply
Mongoose December 11, 2023 - 8:59 pm

I will never understand why Microsoft has taken the path of most resistance with respect to some data. The Get-AzureADAuditSignInLogs is extremely cumbersome to use. Even if you get it to work, my understanding is it only returns data from the past 30 days. It returns a value called CreatedDateTime, which I would assume from the name refers to the time the account was created. However, the date is always today and users are listed multiple times. This is useless when attempting to determine what accounts are no longer actively used. Fortunately, I can use Get-ADUser to retrieve all the information I want exactly as I want it using a single command. Thank God we are a hybrid organization. I pity anybody who has a cloud only environment.

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Configuring Windows Protected Print Mode (WPP)

    May 19, 2025
  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Outlook Keeps Asking for Password on Windows
  • How to Manually Configure Exchange or Microsoft 365 Account in Outlook 365/2019/2016
  • Search and Delete Emails from User Mailboxes on Exchange Server (Microsoft 365) with PowerShell
  • Configuring Password Policy in Microsoft Entra ID
  • Fix: Microsoft Outlook Search Not Working on Windows 10/11
  • Blank Sign-in Screen in Office 365 Apps (Outlook, Teams, etc.)
  • Removing Built-in Teams Chat in Windows 11
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top