Get-AzureADAuditSignInLogs Returns No Results For Users With Sign-In Data In Azure Portal

Broonster 51 Reputation points
2022-09-20T06:51:36.617+00:00

I've been struggling with getting reliable data from the Get-AzureADAuditSignInLogs command. I'm using V2.0.2.138 of the AzureADPreview module.

If I run Get-AzureADAuditSignInLogs -filter "userprincipalname eq 'someuser@keyman .com'" it returns data for some users but not others. But if I log into the Azure portal and look under "Sign-in logs" I can see the data for all users. Why is there inconsistency?

As another test I created an app registration, granted it all the required permissions for use with Graph, ran the below query and got the same results - for exactly the same users used with the Get-AzureADAuditSignInLogs command it would return data for some but not others.

$GraphSignInLogs = "https://graph.microsoft.com/v1.0/auditLogs/signIns/?`$filter=userPrincipalName eq 'someuser@keyman .com'"
(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GraphSignInLogs -Method Get).value

Microsoft Security | Microsoft Entra | Microsoft Entra ID

5 answers

  1. Broonster 51 Reputation points
    2022-10-28T05:53:33.663+00:00

    So you have to use "startsWith" instead of "eq". How ridiculous is that! Thank you so much for helping with this @M GA as it's been doing my head in.

    And Microsoft, thanks for nothing. I can't believe how poorly developed a lot of the AzureAD PowerShell is.

    1 person found this answer helpful.

  2. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-09-20T10:15:42.48+00:00

    @CraigBrown-4765 Thank you for reaching out to us. As I understand it, you are trying to fetch the Azure AD sign-in logs using this: Get-AzureADAuditSignInLogs -filter "userprincipalname eq 'someuser@keyman .com'".

    Instead of this command, I would request you to try this: Get-AzureADAuditSignInLogs | where-object -property userPrincipalName -eq 'someuser@keyman .com'

    Let me know if you have any further questions.


  3. Limitless Technology 44,776 Reputation points
    2022-09-21T09:35:18.86+00:00

    Hello there,

    Is Get-AzureADAuditDirectoryLogs returning any values?

    As per the reports found online, the -All $true parameter is not working as expected for the cmdlet Get-AzureADAuditSignInLogs.

    To resolve it, you can try upgrading to AzureADPreview v2.0.2.149.

    The thread below discusses the same issue; you can try out some of its troubleshooting steps and see if that helps you to sort out the issue.

    https://github.com/Azure/azure-docs-powershell-azuread/issues/337

    Hope this resolves your query!


  4. Broonster 51 Reputation points
    2022-10-17T05:28:40.983+00:00

    Sorry for not responding before now but I was busy with other projects.

    Anyway, I updated the AzureAD modules and I still see the same problem. Below is the code I'm running. It loops through all the users in the Global Admin group and tries to retrieve the most recent record from the sign-in logs. It works (for the most part) for cloud only accounts but when it gets to a federated account it doesn't return anything. But if I logon to the Azure portal and look for sign-in logs for the same federated accounts I can see there are loads of entries.

    $adminUsers = Get-AzureADDirectoryRoleMember -ObjectId XXXXXXXXXXXXXXXXXXXXXX

    foreach ($adminUser in $adminUsers) {
        $upn = $adminUser.UserPrincipalName
        Write-Host "Getting signin info for $upn" -ForegroundColor Green
        Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn'" -Top 1 |
            select CreatedDateTime, UserPrincipalName, IsInteractive, AppDisplayName, IpAddress, TokenIssuerType, @{Name = 'DeviceOS'; Expression = {$_.DeviceDetail.OperatingSystem}}
    }
    

  5. M GA 1 Reputation point
    2022-10-22T18:58:41.96+00:00

    @Broonster
    Hello, I was battling with this issue as well and found this worked for me:

    # Format the date explicitly so the OData filter receives yyyy-MM-dd
    $StartDate = (Get-Date).AddDays(-31).ToString('yyyy-MM-dd')
    $xEmail = "******@x.com"

    $AllUserSigninsDuringLast30Days = Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName,'$($xEmail)') and createdDateTime gt $StartDate" | Where {$_.IsInteractive -eq $TRUE}

    # ErrorCode 0 means the sign-in succeeded
    $Success = $AllUserSigninsDuringLast30Days | Where {$_.status.errorcode -eq 0}
    $Failures = $AllUserSigninsDuringLast30Days | Where {$_.status.errorcode -ne 0}

    $Success.count
    $Failures.count

    Multiple filter statements, including variables, was the complicating factor for me, and I didn't have success adding the IsInteractive in the filter, so I used Where{} to filter the results.
    My goal was just to see if they were actually authenticating during the last approximate 30 days as I was creating users and some had already been provisioned, not knowing if they had logged on or not.

    If no interactive login activity, the user could be provisioned, and if already existed in AD, but never logged in, password could be changed.

    Good Luck.
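
The loop from answer 4 rewritten with the `startsWith` filter from answer 5, as an added example that is not part of any poster's answer. It assumes the AzureADPreview module and an existing `Connect-AzureAD` session; the function names and the `$RoleObjectId` parameter are hypothetical. Because `startsWith` is a prefix match, the exact UPN is enforced client-side, and a member with no matching rows is reported explicitly instead of being silently skipped.

```powershell
function New-SignInFilter {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$DaysBack = 30
    )
    # OData string literals escape a single quote by doubling it.
    $upn = $UserPrincipalName.Replace("'", "''")
    # Format the date explicitly rather than interpolating a [datetime].
    $since = (Get-Date).ToUniversalTime().AddDays(-$DaysBack).ToString('yyyy-MM-dd')
    "startsWith(userPrincipalName,'$upn') and createdDateTime gt $since"
}

function Get-LastAdminSignIn {
    param(
        [Parameter(Mandatory)][string]$RoleObjectId,  # directory role object ID (placeholder)
        [int]$DaysBack = 30
    )
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $RoleObjectId) {
        $upn = $member.UserPrincipalName
        if (-not $upn) { continue }  # role members without a UPN (e.g. service principals)

        $filter = New-SignInFilter -UserPrincipalName $upn -DaysBack $DaysBack
        $rows = @(Get-AzureADAuditSignInLogs -Filter $filter -Top 50 |
            # startsWith also matches longer UPNs sharing the prefix; keep exact matches only.
            Where-Object { $_.UserPrincipalName -eq $upn })

        # Sort client-side instead of relying on the service's return order.
        $last = $rows | Sort-Object { [datetime]$_.CreatedDateTime } -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            UserPrincipalName = $upn
            Found             = [bool]$last   # $false = no rows returned, not proof of no sign-ins
            CreatedDateTime   = $last.CreatedDateTime
            IsInteractive     = $last.IsInteractive
            AppDisplayName    = $last.AppDisplayName
            IpAddress         = $last.IpAddress
            TokenIssuerType   = $last.TokenIssuerType
            DeviceOS          = $last.DeviceDetail.OperatingSystem
        }
    }
}

# Usage: Get-LastAdminSignIn -RoleObjectId '<role-object-id>' | Format-Table
```

Rows with `Found = $false` should be cross-checked against the portal's sign-in logs before the account is treated as inactive, since the thread shows the cmdlet returning nothing for accounts that do have sign-in data.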

