Is there a way in AzureAD to get last logins and what program they logged in with?

Anthony 26 Reputation points
2022-10-28T18:58:26.563+00:00

Hello,
I am trying to get the last login of the users in my tenant as well as what service (Outlook / Sharepoint / etc) they used to log in.
I've ran a few scripts that give me results but nothing that I really need.

I am looking for a script (or a set of cmdlets) that would output me a CSV that would look something like this

Column A = UPN
Column B = Last Login
Column C = What they used to log in (Outlook / Sharepoint / Teams)

I'm wondering if there is a way directly in Azure AD to do this or if it is something I would need to run in Powershell?
Thank you very much in advance!

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. JimmySalian-2011 42,511 Reputation points
    2022-10-28T19:16:11.363+00:00

    Hi,

    You can explore the Get-AzureADSigninLogs CMDlet check out over here Get-AzureADAuditSignInLogs.md and here

    Hope this helps.
    JS

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2022-11-03T10:22:40.283+00:00

    Hello @Anthony ,

    I was able to dig through this and found desired results. Kindly try the following script:

    CLS; $StartDate = (Get-Date).AddDays(-2); $StartDate = Get-Date($StartDate) -format yyyy-MM-dd
    Write-Host "Fetching data from Azure Active Directory..."
    $Records = Get-AzureADAuditSignInLogs -Filter "createdDateTime gt $StartDate" -all:$True
    $Report = [System.Collections.Generic.List[Object]]::new()
    ForEach ($Rec in $Records) {
    Switch ($Rec.Status.ErrorCode) {
    "0" {$Status = "Success"}
    default {$Status = $Rec.Status.FailureReason}
    }
    $ReportLine = [PSCustomObject] @{
    TimeStamp = Get-Date($Rec.CreatedDateTime) -format g
    User = $Rec.UserPrincipalName
    Name = $Rec.UserDisplayName
    IPAddress = $Rec.IpAddress
    ClientApp = $Rec.ClientAppUsed
    Device = $Rec.DeviceDetail.OperatingSystem
    Location = $Rec.Location.City + ", " + $Rec.Location.State + ", " + $Rec.Location.CountryOrRegion
    Appname = $Rec.AppDisplayName
    Resource = $Rec.ResourceDisplayName
    Status = $Status
    Correlation = $Rec.CorrelationId
    Interactive = $Rec.IsInteractive }
    $Report.Add($ReportLine) }
    Write-Host $Report.Count "sign-in audit records processed."
    $Report| Format-Table -AutoSize
    $Report |Export-Csv -Path 'SignReport2.csv'

    The output in PS console would look like this:

    256735-image.png

    The output in Excel would look like this:

    256723-image.png

    Please do let me know if you have any queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.