Is there a way in AzureAD to get last logins and what program they logged in with?

Question

Hello,
I am trying to get the last login of the users in my tenant as well as what service (Outlook / Sharepoint / etc) they used to log in.
I've ran a few scripts that give me results but nothing that I really need.

I am looking for a script (or a set of cmdlets) that would output me a CSV that would look something like this

Column A = UPN
Column B = Last Login
Column C = What they used to log in (Outlook / Sharepoint / Teams)

I'm wondering if there is a way directly in Azure AD to do this or if it is something I would need to run in Powershell?
Thank you very much in advance!

Answer 1

Hello, I got past the AzureAD error
But now I am getting this error

Get-AzureADAuditSignInLogs : Error occurred while executing GetAuditSignInLogs  
Code: UnknownError  
Message: Too Many Requests  
InnerError:  
  RequestId: 224647ce-a92e-46c4-b20a-525835e42c82  
  DateTimeStamp: Tue, 01 Nov 2022 19:41:14 GMT  
HttpStatusCode: 429  
HttpStatusDescription:  

My script looks like this (am I doing something wrong)?

$file = Import-Csv -Path "TEST-UPN-LIST.csv" -delimiter ","  
  
foreach ($user in $file) {  
    Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$User'" -Top 1 | `Export-csv -path .\Test.csv -Append -Encoding UTF8  
    select CreatedDateTime, UserPrincipalName, IsInteractive, AppDisplayName, IpAddress, TokenIssuerType, @{Name = 'DeviceOS'; Expression = {$_.DeviceDetail.OperatingSystem}}  
           
}  

Does this look right? Why would I be getting too many requests?
Is there any way around this?

Answer 2

Anyone have any ideas?
I'm at a bit of a loss.
If I'm going about this all wrong I'm open to any other suggestion / way of doing this

Basically, going back to my original post all I really want is to be able to have a script that will look at my CSV file that has my users in column A under the header UserPrincipalName and output it to a CSV file that has

Column A = Username
Column B = Last sign in date
Column C = What application they used

I'm really in need of some help here

Answer 3

Hello @Anthony ,

I was able to dig through this and found desired results. Kindly try the following script:

CLS; $StartDate = (Get-Date).AddDays(-2); $StartDate = Get-Date($StartDate) -format yyyy-MM-dd
Write-Host "Fetching data from Azure Active Directory..."
$Records = Get-AzureADAuditSignInLogs -Filter "createdDateTime gt $StartDate" -all:$True
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Rec in $Records) {
Switch ($Rec.Status.ErrorCode) {
"0" {$Status = "Success"}
default {$Status = $Rec.Status.FailureReason}
}
$ReportLine = [PSCustomObject] @{
TimeStamp = Get-Date($Rec.CreatedDateTime) -format g
User = $Rec.UserPrincipalName
Name = $Rec.UserDisplayName
IPAddress = $Rec.IpAddress
ClientApp = $Rec.ClientAppUsed
Device = $Rec.DeviceDetail.OperatingSystem
Location = $Rec.Location.City + ", " + $Rec.Location.State + ", " + $Rec.Location.CountryOrRegion
Appname = $Rec.AppDisplayName
Resource = $Rec.ResourceDisplayName
Status = $Status
Correlation = $Rec.CorrelationId
Interactive = $Rec.IsInteractive }
$Report.Add($ReportLine) }
Write-Host $Report.Count "sign-in audit records processed."
$Report| Format-Table -AutoSize
$Report |Export-Csv -Path 'SignReport2.csv'

The output in PS console would look like this:

The output in Excel would look like this:

Please do let me know if you have any queries in the comments section.

Thanks,
Akshay Kaushik

Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well.