Azure Guest user account last signin details

shashi kaushal 46 Reputation points
2021-01-14T21:04:43.72+00:00

I have a very specific question in regard to sign-in options in Azure Active Directory. I see that within sign-in options you get all the details about users who have logged in. I want to get details only about guest users who have logged in in the last 30 days and their last sign-in.

How can I get that? Is there any PowerShell script that I can execute?

Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2021-01-15T00:54:42.133+00:00

    Hi @shashi kaushal,

    Francis Lacroix created a blog post detailing how to do this.

    He creates a runbook and queries all the guest users:

    $guestUsers = Get-AzureADUser -Filter "UserType eq 'Guest' and AccountEnabled eq true"

    His particular script queries whether the guest has signed in in the last seven days, but you could change it up and set it to 30 days:

    You would just use

    `$queryStartDateTime = (Get-Date).AddDays(-30)`  
    

    His script also disables inactive users, but you could cut that out if that's not part of your goal.

    # For each Guest user, validate there is a login in the last week.
    # $queryStartDateTimeFilter, $subject, $body, $fromAddress, $smtpServer and
    # $emailCredentials are all set earlier in the blog's full script.
    foreach ($guestUser in $guestUsers) {
      Write-Output "Getting User's logins for the last week"
      $guestUserSignIns = Get-AzureADAuditSignInLogs -Filter "UserID eq '$($guestUser.ObjectID)' and createdDateTime ge $queryStartDateTimeFilter"

      # -not is true for both $null and an empty result set
      if (-not $guestUserSignIns) {
        Write-Output "No logins, blocking sign-in and sending email to manager"

        # Block Sign-In
        Set-AzureADUser -ObjectID $guestUser.ObjectID -AccountEnabled $false

        # Get the manager
        $manager = Get-AzureADUserManager -ObjectID $guestUser.ObjectID

        # Format the subject and body
        $targettedSubject = $subject -f $guestUser.DisplayName
        $targettedBody = $body -f $guestUser.DisplayName
        Send-MailMessage -To $manager.OtherMails[0] -Subject $targettedSubject -Body $targettedBody `
          -From $fromAddress -SmtpServer $smtpServer -Credential $emailCredentials `
          -Port 587 -UseSSL
      }
    }

    You can follow the steps in the blog post here.

    You can check for these in the audit and sign-in logs, but as you mentioned there isn't a particular filter for guests. You could kind of filter in a hacky way by going to the audit logs, filtering on the activity, and specifying "Redeem external user invite" to see when the users accepted the guest invitation. From there you could check their other audit logs (not great because it's multiple steps).

    I would also recommend leveraging access reviews if your ultimate plan is to make sure that guests have appropriate access: https://learn.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews

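An added example (not from the blog post or this answer) that uses the same AzureAD cmdlets but answers the original question directly: guests with a sign-in in the last 30 days and the timestamp of their most recent one, without disabling anyone. Instead of one sign-in log query per guest, it pulls the 30-day window once and joins it to the guest list client-side, so the number of Graph calls stays flat as the tenant grows. It assumes Connect-AzureAD has already run with an account that may read sign-in logs; the CSV path is an assumption as well.

```powershell
# Added example, not part of the blog script or this answer.
# Assumes Connect-AzureAD has already been run by an account allowed to read sign-in logs.
$days = 30
$queryStartDateTime = (Get-Date).ToUniversalTime().AddDays(-$days)
# ISO 8601 in UTC, the literal form Microsoft Graph accepts in a createdDateTime filter.
$queryStartDateTimeFilter = $queryStartDateTime.ToString('yyyy-MM-dd\THH:mm:ss\Z')

# 1. Enabled guest accounts, keyed by ObjectId. -All $true avoids the default page-size cap.
$guests = @{}
Get-AzureADUser -Filter "UserType eq 'Guest' and AccountEnabled eq true" -All $true |
    ForEach-Object { $guests[$_.ObjectId] = $_ }

# 2. One sign-in log query for the whole window. A per-guest loop issues one Graph call per
#    account, which is what trips the service's request throttling (HTTP 429) in larger tenants.
$signIns = Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $queryStartDateTimeFilter" -All $true

# 3. Keep only sign-ins by guests and reduce each guest to the most recent one.
$report = $signIns |
    Where-Object { $guests.ContainsKey($_.UserId) } |
    Group-Object -Property UserId |
    ForEach-Object {
        $latest = $_.Group | Sort-Object { [datetime]$_.CreatedDateTime } -Descending | Select-Object -First 1
        $guest  = $guests[$_.Name]
        [pscustomobject]@{
            DisplayName       = $guest.DisplayName
            UserPrincipalName = $guest.UserPrincipalName
            LastSignIn        = [datetime]$latest.CreatedDateTime
            LastApp           = $latest.AppDisplayName
            SignInsInWindow   = $_.Count
        }
    } |
    Sort-Object LastSignIn -Descending

# 4. Guests with no sign-in in the window, which is the set an access review would look at.
$inactive = $guests.Values | Where-Object { $report.UserPrincipalName -notcontains $_.UserPrincipalName }

$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Documents\GuestSignIns-$days-days.csv" -NoTypeInformation
"{0} guests signed in during the last {1} days; {2} did not." -f @($report).Count, $days, @($inactive).Count
```

Thirty days is also the retention limit of the sign-in log on Azure AD Premium P1/P2 (seven days on the free tier), so this approach cannot answer a longer window; for that, export sign-in logs to Log Analytics or a SIEM and query there.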

3 additional answers

  1. shashi kaushal 46 Reputation points
    2021-01-16T20:38:56.9+00:00

    @MarileeTurscak @JamesTran-MSFT

    Thank you for providing this article. Actually I am not so good at PowerShell and so I am lost. I have configured an automation account and am creating a runbook.

    I can understand that from the below command, we are getting the list of all guest user accounts and passing them to the variable $guestUsers.

    $guestUsers=Get-AzureADUser -Filter "UserType eq 'Guest' and AccountEnabled eq true"

    $guestUsers.DisplayName will give the names of the guest users.

    Now in the below command, what I understand is: he is taking each guest user one by one and checking if they have logged in in the last 7 days. Am I correct on this? I have only taken the below section and closed the foreach loop. But I am not sure what changes I need to make to the below script to get the names of the users who logged in in the last 7 days.

    # For each Guest user, validate there is a login in the last week
    foreach ($guestUser in $guestUsers) {
        Write-Output "Getting User's logins for the last week"
        $guestUserSignIns = Get-AzureADAuditSignInLogs -Filter "UserID eq '$($guestUser.ObjectID)' and createdDateTime ge $queryStartDateTimeFilter"
    }


  2. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-01-18T15:18:42.777+00:00

    @shashi kaushal I created one; it works in my lab. Give it a try.

    Connect-AzureAD | Out-Null
    # -All $true: without it the cmdlet returns only the first page of users
    $guest = Get-AzureADUser -Filter "UserType eq 'Guest' and AccountEnabled eq true" -All $true
    $ObjectIDs = $guest.ObjectId
    $queryStartDateTime = (Get-Date).AddDays(-7)
    $queryStartDateTimeFilter = '{0:yyyy-MM-dd}T{0:HH:mm:sszzz}' -f $queryStartDateTime

    $details = @()

    foreach ($object in $ObjectIDs) {
        $login = Get-AzureADAuditSignInLogs -Filter "userID eq '$object' and createdDateTime ge $queryStartDateTimeFilter"

        foreach ($c in $login) {
            #Write-Host "user" $c.UserDisplayName "is signed into" $c.AppDisplayName "at" $c.CreatedDateTime
            $details += New-Object psobject -Property @{
                Username  = $c.UserDisplayName
                App       = $c.AppDisplayName
                LoginTime = $c.CreatedDateTime
            }
        }
    }

    Write-Host "List of users with sign-in details below; the same is exported as Output.csv to the user profile's Documents folder"
    $details
    $details | Export-Csv -Path $env:USERPROFILE\Documents\Output.csv -NoTypeInformation
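An added example, not from this answer or the thread, showing the same report through the Microsoft Graph PowerShell SDK, which has since replaced the AzureAD module. The user object's signInActivity property already carries the last interactive and last non-interactive sign-in time, so the script needs no sign-in log query at all, per guest or otherwise. It assumes the Microsoft.Graph.Users module is installed, that the signed-in account can consent to User.Read.All and AuditLog.Read.All, and that the tenant holds the Premium licence signInActivity requires.

```powershell
# Added example, not part of the thread. Assumes Microsoft.Graph.Users is installed and the
# account can consent to the two scopes below.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' | Out-Null

$days   = 30
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$days)

# signInActivity is only returned when explicitly selected. Filtering on userType happens
# server-side; the date comparison is done locally because signInActivity cannot be
# combined with other filters in the same request.
$guests = Get-MgUser -Filter "userType eq 'Guest' and accountEnabled eq true" `
                     -Property 'id,displayName,userPrincipalName,signInActivity' -All

$report = foreach ($g in $guests) {
    $interactive    = $g.SignInActivity.LastSignInDateTime
    $nonInteractive = $g.SignInActivity.LastNonInteractiveSignInDateTime
    # Both are $null for a guest that has never signed in; take the later of the two.
    $last = @($interactive, $nonInteractive) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if ($last -and $last -ge $cutoff) {
        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            UserPrincipalName = $g.UserPrincipalName
            LastSignIn        = $last
            Interactive       = ($last -eq $interactive)
        }
    }
}

$report | Sort-Object LastSignIn -Descending | Format-Table -AutoSize
```

The Interactive column matters for an access decision: a guest whose only recent activity is non-interactive (token refreshes by an app) may look active without any person having signed in.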

  3. harsha 1 Reputation point
    2022-11-16T21:24:28.223+00:00

    Get-AzureADAuditSignInLogs : Error occurred while executing GetAuditSignInLogs
    Code: UnknownError
    Message: Too Many Requests
    InnerError:
    RequestId: 10b5514f-5965-418c-8adb-814b587c6b48
    DateTimeStamp: Wed, 16 Nov 2022 21:21:44 GMT
    HttpStatusCode: 429
    HttpStatusDescription:
    HttpResponseStatus: Completed
    At line:13 char:15
    + ... $login = Get-AzureADAuditSignInLogs -Filter "userID eq '$Object' a ...
    +               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-AzureADAuditSignInLogs], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetAuditSignInLogs

    Get-AzureADAuditSignInLogs : Error occurred while executing GetAuditSignInLogs
    Code: UnknownError
    Message: Too Many Requests
    InnerError:
    RequestId: c78d39e5-1e79-48c6-ba94-01bbd8d56d48
    DateTimeStamp: Wed, 16 Nov 2022 21:21:55 GMT
    HttpStatusCode: 429
    HttpStatusDescription:
    HttpResponseStatus: Completed
    At line:13 char:15
    + ... $login = Get-AzureADAuditSignInLogs -Filter "userID eq '$Object' a ...
    +               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-AzureADAuditSignInLogs], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetAuditSignInLogs
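The two errors above are Microsoft Graph throttling: HTTP 429 "Too Many Requests" is returned when a client exceeds the request rate, and a loop that queries the sign-in log once per guest reaches that limit quickly in a tenant with many guests. An added example, not from the thread, wrapping the per-guest call in a retry with exponential backoff and jitter and pacing the loop. It detects throttling from the "Too Many Requests" / "HttpStatusCode: 429" text visible in the error above rather than from a Retry-After header, which the AzureAD cmdlet does not expose; the cmdlets, filter and output path are the ones used in this thread.

```powershell
# Added example, not part of the thread. Retries the ApiException shown above when it is an
# HTTP 429; any other error is rethrown unchanged.
function Invoke-WithRetry {
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [int] $MaxAttempts = 6,
        [int] $BaseDelaySeconds = 2
    )
    # The AzureAD cmdlets report ApiException as a non-terminating error by default;
    # make it terminating inside this function so the catch block sees it.
    $ErrorActionPreference = 'Stop'
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return & $ScriptBlock
        }
        catch {
            $message   = $_.Exception.Message
            $throttled = ($message -match 'Too Many Requests') -or ($message -match 'HttpStatusCode:\s*429')
            if (-not $throttled -or $attempt -eq $MaxAttempts) { throw }
            # 2, 4, 8, 16, 32 s plus up to one second of jitter so parallel runs do not retry in lockstep
            $delayMs = [int]([math]::Pow(2, $attempt - 1) * $BaseDelaySeconds * 1000 + (Get-Random -Minimum 0 -Maximum 1000))
            Write-Warning ("Throttled by Graph (attempt {0}/{1}); sleeping {2} ms" -f $attempt, $MaxAttempts, $delayMs)
            Start-Sleep -Milliseconds $delayMs
        }
    }
}

# Usage with the thread's per-guest query, paced so the loop stays under the rate limit.
$queryStartDateTimeFilter = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-dd\THH:mm:ss\Z')
$guests  = Invoke-WithRetry { Get-AzureADUser -Filter "UserType eq 'Guest' and AccountEnabled eq true" -All $true }
$details = foreach ($guest in $guests) {
    $signIns = Invoke-WithRetry {
        Get-AzureADAuditSignInLogs -Filter "userId eq '$($guest.ObjectId)' and createdDateTime ge $queryStartDateTimeFilter"
    }
    foreach ($s in $signIns) {
        [pscustomobject]@{ Username = $s.UserDisplayName; App = $s.AppDisplayName; LoginTime = $s.CreatedDateTime }
    }
    Start-Sleep -Milliseconds 250   # fixed pacing between guests; cheaper than waiting out a 429
}
$details | Export-Csv -Path "$env:USERPROFILE\Documents\Output.csv" -NoTypeInformation
```

Retrying only makes a per-guest loop survive; it does not make it cheap. Querying the sign-in log once for the whole window and joining it to the guest list locally removes the N-calls-per-run pattern that causes the throttling in the first place.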