How to Manage Microsoft Entra sign-in logs with PowerShell

Microsoft Entra sign-in logs can be tricky to navigate, especially when from the Entra portal they can be accessed through the Users blade, Conditional Access blade, Monitoring Blade or exported to Log Analytics. Even then, the filtering capabilities available from the web portal are limited and will often return more results than you need, reducing readability. 

In this article, you will learn how to use Microsoft Graph PowerShell to manage Microsoft Entra sign-in logs using example filtering queries as part of the Microsoft Graph API.

For more in-depth detail on how filtering works in Microsoft Graph, check out my article:

Requirements

To manage the Microsoft Entra sign-in logs using Microsoft Graph PowerShell, we are going to use the Graph SDK beta modules. You will also need access to a Global Administrator account to consent to the AuditLog.Read.All Graph API permission.

For the steps to install the Microsoft Graph PowerShell Beta modules, follow my article ‘How To Install the Microsoft Graph PowerShell Module’.

When you have met the requirements, connect to Microsoft Graph with the following command:

Connect-MgGraph -scopes AuditLog.Read.All

View all audit logs

To get a list of all audit logs within the default period of 30 days and output them to grid view so they are readable, use the following example:

Get-MgAuditLogSignIn -all | Out-GridView

Select only specific audit log properties

At first, it might seem like a lot of data is exported with each log, most of which you do not need to make an informed decision about the sign-in. In the example below, the Select-Object cmdlet (aliased as Select) is used so that only specific properties are returned to the console, making your data easier to read.

$properties = @(
    "CreatedDateTime",
    "UserPrincipalName",
    "UserType",
    "SignInIdentifier",
    "SignInTokenProtectionStatus",
    "AppDisplayName",
    "AuthenticationRequirement",
    "ClientAppUsed",
    "ConditionalAccessStatus",
    "HomeTenantID",
    "IPAddress",
    "IncomingTokenType",
    "IsInteractive",
    "RiskLevelAggregated",
    "RiskLevelDuringSignIn",
    "UserAgent"
)

Get-MgAuditLogSignIn -All | Select-Object $properties | Out-GridView

View audit logs by log type

Entra ID sign-in logs are made up of two different types of user logs: interactive and non-interactive. Interactive logs record a user interacting to sign in, where a primary refresh token (PRT) or refresh token is issued. Non-interactive sign-in logs record a sign-in performed on behalf of a user without any interaction; in this case an existing refresh token or primary refresh token is redeemed to obtain an access token.

Use the below example to filter for non-interactive sign-in logs only:

# signInEventTypes is only exposed on the beta endpoint, hence the Beta cmdlet
Get-MgBetaAuditLogSignIn -Filter `
"signInEventTypes/any(t: t eq 'nonInteractiveUser')" -All

To filter for only interactive sign-in logs, use the below example:

# Graph string comparisons are case-sensitive, so the enum value must be spelled exactly
Get-MgBetaAuditLogSignIn -Filter `
"signInEventTypes/any(t: t eq 'interactiveUser')" -All

View audit logs by date range

The best method to reduce the amount of data that is returned, and to limit your results to a specific date range is to use a filter against the date that the log was generated. Throughout the rest of this article, the filter parameter will be used to manage the Entra sign-in logs.

In this example below, a filter is used to only return logs after a specific date.

Get-MgAuditLogSignIn -filter "createdDateTime gt 2024-05-01" -All

Often you will need logs from an earlier period. In that case, combine two filters to limit your results to between two specific dates.

Get-MgAuditLogSignIn `
-Filter "createdDateTime gt 2024-04-28 and createdDateTime lt 2024-04-30" -All

Get audit logs for a specific user

Usually, when filtering sign-in logs, you will be searching for logs relating to a specific user in your organisation. To filter for logs which pertain to a specific user, use an equals operator against the UserPrincipalName property.

Get-MgAuditLogSignIn `
-Filter "UserPrincipalName eq '[email protected]'"

Get audit log login failures

In most cases, the Entra ID audit logs enable you to troubleshoot login failures and as such, it is beneficial to view only failures in the logs. To do so, you should filter for any logs with an error code which does not equal zero.

Get-MgAuditLogSignIn -Filter "status/errorCode ne 0"

Get audit logs by authentication method

For some sign-in log properties, filtering is not supported. This is true for the authenticationDetails and mfaDetails properties, which can be used to deduce the MFA method used during sign-in. The alternative is to use the Where-Object cmdlet built into PowerShell. As this filtering happens client-side after every log has been downloaded, it is not performance optimised, so you should combine it with one of the above filters to limit the results downloaded to your session.

# A trailing pipe already continues the line, so no backtick is needed
Get-MgAuditLogSignIn |
Where-Object {$_.AuthenticationDetails.AuthenticationMethod -eq "External authentication method"}
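The following is an added example, not code from the original article, showing how to pair a server-side date filter with client-side inspection of the nested AuthenticationDetails collection, flattening each sign-in into one row per authentication step so the method used and its outcome are visible. The date range is a placeholder.

```powershell
# Added example (not the article's own code). Assumed placeholder values: $start and $end.
$start = "2024-05-01"
$end   = "2024-05-02"

# Server-side filter first: Graph only returns interactive sign-ins in the window,
# so the expensive client-side step below runs over a small result set.
$logs = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime gt $start and createdDateTime lt $end and isInteractive eq true"

# AuthenticationDetails cannot be used in -Filter, so expand it client-side:
# one output row per authentication step (password, push notification, FIDO2, ...).
$steps = foreach ($log in $logs) {
    foreach ($detail in $log.AuthenticationDetails) {
        [pscustomobject]@{
            CreatedDateTime      = $log.CreatedDateTime
            UserPrincipalName    = $log.UserPrincipalName
            AppDisplayName       = $log.AppDisplayName
            AuthenticationMethod = $detail.AuthenticationMethod
            MethodDetail         = $detail.AuthenticationMethodDetail
            Succeeded            = $detail.Succeeded
            StepResult           = $detail.AuthenticationStepResultDetail
        }
    }
}

# How often each method was used in the window (useful when rolling out a new method).
$steps | Group-Object AuthenticationMethod |
    Select-Object Count, Name | Sort-Object Count -Descending

# Steps that did not succeed, e.g. rejected push notifications or wrong codes,
# which are worth reviewing because a user may be seeing prompts they did not start.
$steps | Where-Object { -not $_.Succeeded } |
    Sort-Object CreatedDateTime | Out-GridView
```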

Get audit logs by Operating System

During a device upgrade or migration, one of the simplest ways to determine if any legacy operating systems are still in use is to filter the sign-in logs for that operating system. For example, if you are migrating from Windows 10 to Windows 11, you can sanity check for completion if no sign-in logs are returned from Windows 10 devices anymore.

Get-MgAuditLogSignIn -Filter "deviceDetail/operatingSystem eq 'Windows10'" -All

Get audit logs by Country/Region

Conveniently the Entra ID sign-in logs provide detail of the location where each sign-in originates from. This information could be used to identify logins from unexpected locations or even whether users are using unauthorised VPN connections.

Get-MgAuditLogSignIn -Filter "location/countryOrRegion eq 'GB'" -All

Get audit logs by applied Conditional Access Policy

My favourite filter for Entra ID sign-in logs is to track the sign-ins that are impacted by a specific Conditional Access policy. This filter can be used to assess the impact of a Conditional Access policy across your organisation.

Get-MgAuditLogSignIn -Filter "appliedConditionalAccessPolicies/any(s:s/id eq '8d857f6d-081a-49c2-b55f-422ef998a4c1')" 

How to combine multiple Microsoft Graph filters for Entra ID audit logs

To achieve the best results, and the best performance while doing so, you should combine the above examples together in a single filter query. To do this, you just need to include ‘and’ between each clause.

In this below example, I am filtering Entra ID sign-in logs that target a specific Conditional Access policy and are between a specific date range.

$startdate = "2024-05-13"
$enddate = "2024-05-14"
$capolicy = "931f7222-41d2-4395-88dd-b1af08aee550"

Get-MgAuditLogSignIn -Filter "appliedConditionalAccessPolicies/any(x:x/id eq '$capolicy') and createdDateTime gt $startdate and createdDateTime lt $enddate"
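As an added example (not the article's or the Graph SDK's own code) covering both this section and the earlier login-failures section, the function below assembles one combined Graph filter from whichever optional parameters you pass, escapes single quotes in the values so a UPN cannot break the filter syntax, and then reports the per-policy Conditional Access result for the failed sign-ins it returns. The UPN, dates and function name are placeholders.

```powershell
# Added example (not the article's own code). Hypothetical function; placeholder UPN and dates.
function Get-EntraSignInFiltered {
    param(
        [string]$UserPrincipalName,
        [string]$ConditionalAccessPolicyId,
        [string]$StartDate,
        [string]$EndDate,
        [string]$CountryOrRegion,
        [switch]$FailuresOnly
    )
    # OData string literals use '' for a literal quote; escape user-supplied values.
    $upn = $UserPrincipalName -replace "'", "''"
    $clauses = @()
    if ($UserPrincipalName)         { $clauses += "userPrincipalName eq '$upn'" }
    if ($ConditionalAccessPolicyId) { $clauses += "appliedConditionalAccessPolicies/any(x:x/id eq '$ConditionalAccessPolicyId')" }
    if ($StartDate)                 { $clauses += "createdDateTime gt $StartDate" }
    if ($EndDate)                   { $clauses += "createdDateTime lt $EndDate" }
    if ($CountryOrRegion)           { $clauses += "location/countryOrRegion eq '$CountryOrRegion'" }
    if ($FailuresOnly)              { $clauses += "status/errorCode ne 0" }

    # Only the clauses actually supplied are joined, so each is evaluated server-side.
    $filter = $clauses -join ' and '
    Write-Verbose "Graph filter: $filter"
    if ($filter) { Get-MgAuditLogSignIn -All -Filter $filter } else { Get-MgAuditLogSignIn -All }
}

# Failed sign-ins for one user inside a date range (placeholder values).
$failed = Get-EntraSignInFiltered -UserPrincipalName 'user@contoso.example' `
    -StartDate '2024-05-13' -EndDate '2024-05-14' -FailuresOnly -Verbose

# One row per (sign-in, policy) pair, then a count per policy and result so it is
# obvious which policy produced the failures and which were merely evaluated.
$failed | ForEach-Object {
    $log = $_
    foreach ($policy in $log.AppliedConditionalAccessPolicies) {
        [pscustomobject]@{
            Time      = $log.CreatedDateTime
            App       = $log.AppDisplayName
            ErrorCode = $log.Status.ErrorCode
            Reason    = $log.Status.FailureReason
            Policy    = $policy.DisplayName
            Result    = $policy.Result
        }
    }
} | Group-Object Policy, Result | Select-Object Count, Name | Sort-Object Count -Descending
```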

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
