Is there a way in AzureAD to get last logins and what program they logged in with?

Anthony 21 Reputation points
2022-10-28T18:58:26.563+00:00

Hello,
I am trying to get the last login of the users in my tenant as well as what service (Outlook / Sharepoint / etc) they used to log in.
I've ran a few scripts that give me results but nothing that I really need.

I am looking for a script (or a set of cmdlets) that would output me a CSV that would look something like this

Column A = UPN
Column B = Last Login
Column C = What they used to log in (Outlook / Sharepoint / Teams)

I'm wondering if there is a way directly in Azure AD to do this or if it is something I would need to run in Powershell?
Thank you very much in advance!

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,432 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,135 questions
0 comments No comments
{count} votes

8 answers

Sort by: Most helpful
  1. JimmySalian-2011 41,961 Reputation points
    2022-10-28T19:16:11.363+00:00

    Hi,

    You can explore the Get-AzureADSigninLogs CMDlet check out over here Get-AzureADAuditSignInLogs.md and here

    Hope this helps.
    JS

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Anthony 21 Reputation points
    2022-10-28T23:24:53.967+00:00

    I am going to have a look at this tonight and do a few tests.
    If I need help I will surely post back.
    Thanks again! :)

    0 comments No comments

  3. Anthony 21 Reputation points
    2022-10-29T20:38:41.21+00:00

    Hello again,
    I reviewed the docs and I'm fairly certain I have everything OK in terms of the script but I cannot get a cmdlet to work. I'm a little unsure why I am pretty sure I installed the correct modules.

    I keep getting the below error.

        Get-AzureADAuditSignInLogs : The term 'Get-AzureADAuditSignInLogs' is not recognized as the name of a cmdlet,  
        function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the  
        path is correct and try again.  
    

    I tried using this to bypass the error

    Install-Module AzureADPreview -AllowClobber -Force  
      
    and  
      
    Install-Module AzureADPreview  
    

    Nothing works I'm a bit lost.

    This is my script, my column A has the header UserPrincipalName

        $file = Import-Csv -Path "My_file_with_usernames.csv" -delimiter ","  
           
        foreach ($employee in $file) {  
            Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$User'" -Top 1 | `  
            select CreatedDateTime, UserPrincipalName, IsInteractive, AppDisplayName, IpAddress, TokenIssuerType, @{Name = 'DeviceOS'; Expression = {$_.DeviceDetail.OperatingSystem}}  
          
                #write data to file  
                $userData += $OutputData;  
                $userData | Export-csv -path C:\Path-to-my-CSV -Append -Encoding UTF8  
          
               }  
    

    The purpose of this script is to go take everyone from Column A in my CSV (UserPrincipalName) and get the following info

    Lastlogindate
    Interactive login or not
    What IP they are logging in from
    What application they logged in from
    OS

    Does this look correct? Thank you VERY much again!


  4. Anthony 21 Reputation points
    2022-10-31T15:40:08.717+00:00

    Hello,
    I ran the line
    Import-Module AzureADPreview
    But I still get the same issue

    Get-AzureADAuditSignInLogs : The term 'Get-AzureADAuditSignInLogs' is not recognized as the name of a cmdlet

    Any ideas?
    Is there any other way of getting this kind of output without using Get-AzureADAuditSignInLogs cmdlet?

    I'm at a bit of a loss

    I also tried this with no success

    AzureADPreview\Connect-AzureAD


  5. Anthony 21 Reputation points
    2022-10-31T17:29:35.077+00:00

    I think I might have found the issue but I don't know how to correct it
    When I run
    Get-Module AzureADPreview
    It does not return any version
    But when I run
    Install-Module AzureADPreview
    It just skips to the next line

    I'm running these commands on a powershell that has administrative rights

    When I run the installer with the verbose command I get the following (Install-module AzureADPreview -Verbose)

    VERBOSE: Using the provider 'PowerShellGet' for searching packages.  
    VERBOSE: The -Repository parameter was not specified.  PowerShellGet will use all of the registered repositories.  
    VERBOSE: Getting the provider object for the PackageManagement Provider 'NuGet'.  
    VERBOSE: The specified Location is 'https://www.powershellgallery.com/api/v2' and PackageManagementProvider is 'NuGet'.  
    VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureADPreview'' for ''.  
    VERBOSE: Total package yield:'1' for the specified package 'AzureADPreview'.  
    VERBOSE: Skipping installed module AzureADPreview 2.0.2.149.  
    

    Just for reference here is my PSversion

    Name                           Value  
    ----                           -----  
    PSVersion                      5.1.22000.832  
    PSEdition                      Desktop  
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}  
    BuildVersion                   10.0.22000.832  
    CLRVersion                     4.0.30319.42000  
    WSManStackVersion              3.0  
    PSRemotingProtocolVersion      2.3  
    SerializationVersion           1.1.0.1  
    

    I also have PS V7 installed on my machine and when I run the command rom PS7 I get the following output

    Untrusted repository  
    You are installing the modules from an untrusted repository. If you trust this repository, change its  
    InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from  
    'PSGallery'?  
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): a  
    VERBOSE: The installation scope is specified to be 'CurrentUser'.  
    VERBOSE: The specified module will be installed in 'C:\Users\Me\Documents\PowerShell\Modules'.  
    VERBOSE: Version '2.0.2.149' of module 'AzureADPreview' is already installed at 'C:\Program Files\WindowsPowerShell\Modules\AzureADPreview\2.0.2.149'.  
    
    
    Name                           Value  
    ----                           -----  
    PSVersion                      7.2.7  
    PSEdition                      Core  
    GitCommitId                    7.2.7  
    OS                             Microsoft Windows 10.0.22000  
    Platform                       Win32NT  
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}  
    PSRemotingProtocolVersion      2.3  
    SerializationVersion           1.1.0.1  
    WSManStackVersion              3.0  
    

    Thanks!

    0 comments No comments