Non-interactive sign-ins logs with PowerShell

PT Maliborski 226 Reputation points
2022-11-30T16:13:17.803+00:00

Hi Everyone,

Context:
Hybrid environment in the production/manufacturing area.
Around 250 (and growing) production employees get Azure AD online only account with F1 license and access to MS Teams only.
Initial authentication with conditional access (authenticator app + SMS/text message)

Request was made to check/monitor - monthly - how many employees actually logged on to MS Teams on their mobile phones.

Issue:

I can filter those employees as they have specific AAD group with group licensing - so I have the list of users.
Going through these accounts in the AAD portal I've noticed:

  • some employees never signed in;
  • those that signed in are only visible in the Non-interactive sign-in (I understand this is because they use MS Teams app - not a computer). Initial sign-in was with Authenticator app/SMS, but as logs are only kept for 30 days, those are not visible in Interactive sign-ins.

Help required:

I've tried using Get-AzureADAuditSignInLogs but that only works with Internactive sign-ins (I confirmed this with this week logs - AAD portal shows recent login but Get-AzureADAuditSignInLogs doesn't).
I don't really want to go through 250 users to check each for sign-in logs LOL

Maybe someone had such a case?
Ideally exporting those with PS would be nice but I can't find anything for Non-interactive sign-ins.

Or maybe there is some other solution I could use in that case?
Any help appreciated.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,436 questions
0 comments
Accepted answer
  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2022-12-06T00:37:48.233+00:00

    @PT Maliborski
    Thank you for the detailed post and I apologize for the delayed response!

    Issue:

    • You have a requirement to check and monitor how many employees log into the Microsoft Teams App using their mobile phones on a monthly basis.
    • When using the Get-AzureADAuditSignInLogs PowerShell command, only interactive sign-ins are returned.

    When it comes to viewing the non-interactive sign-ins, you should be able to do this via the Microsoft Graph List signIns Beta API, or the Get-MgAuditLogSignIn PowerShell Graph Module.

    Microsoft Graph List signIns Beta API: 

    #Retrieve the first 10 sign-ins where the signInEventType is not interactiveUser starting with the latest sign-in  
GET https://graph.microsoft.com/beta/auditLogs/signins?&$filter=(signInEventTypes/any(t: t ne 'interactiveUser'))&$orderBy=createdDateTime DESC&$top=10

    Get-MgAuditLogSignIn: 

    Select-MgProfile -Name "beta"  
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"  
Write-Host "Getting NonInteractive User Sign ins"  
Get-MgAuditLogSignIn -Filter "(signInEventTypes/any(t: t eq 'noninteractiveUser'))" -Sort "createdDateTime DESC"  
DisConnect-MgGraph

    Additional Links:
    Using MS Graph to get both interactive and non-interactive sign in events log - 3rd party article detailing other Graph Queries.
    MS Graph: Can Get-MgAuditLogSignIn get non interactive signins information - Within this thread, if you scroll to the answer provided by @mark daley , you'll find some more PS examples.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest