Resolved the issue by connecting to Graph with the following scopes:
Connect-Graph -Scopes AuditLog.Read.All,Directory.Read.All
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
In Azure Active Directory, one can check sign-in logs
I want to query the interactive user sign-ins via Powershell / via Graph.
I retrieve all events I can get and filter on a specific IP. I get 92308 results and verify that they are all of type "interactiveUser". The next query, I additionally include a filter on "interactiveUser". I should receive the same amount of events, however I receive only 3023, which is not even close to what I expected.
$IpFilter = '1.1.1.1'
$WithoutSignInType = Get-MgBetaAuditLogSignIn -All -Filter "(CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithoutSignInType | Group-Object SignInEventTypes
Count Name
----- ----
92308 {interactiveUser}
$WithSignInType = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t:t eq 'interactiveUser') and (CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithSignInType | Group-Object SignInEventTypes
Count Name
----- ----
3023 {interactiveUser}
Resolved the issue by connecting to Graph with the following scopes:
Connect-Graph -Scopes AuditLog.Read.All,Directory.Read.All