Get-MgBetaAuditLogSignIn with filter signInEventTypes does not return all results

David Trevor 321 Reputation points
2023-08-02T13:36:48.6766667+00:00

In Azure Active Directory, one can check sign-in logs

I want to query the interactive user sign-ins via Powershell / via Graph.

I retrieve all events I can get and filter on a specific IP. I get 92308 results and verify that they are all of type "interactiveUser". The next query, I additionally include a filter on "interactiveUser". I should receive the same amount of events, however I receive only 3023, which is not even close to what I expected.

$IpFilter = '1.1.1.1'

$WithoutSignInType = Get-MgBetaAuditLogSignIn -All -Filter "(CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithoutSignInType | Group-Object SignInEventTypes
	Count Name
	----- ----
	92308 {interactiveUser}

$WithSignInType = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t:t eq 'interactiveUser') and (CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithSignInType | Group-Object SignInEventTypes
	Count Name
	----- ----
	3023 {interactiveUser}
Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph
{count} votes

1 answer

Sort by: Most helpful
  1. David Trevor 321 Reputation points
    2023-11-06T06:19:45.0466667+00:00

    Resolved the issue by connecting to Graph with the following scopes:

    Connect-Graph -Scopes AuditLog.Read.All,Directory.Read.All

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.