Export Authentication Details from Azure Sign In Logs Via Powershell

Raffaele Guarna 1 Reputation point
2022-11-21T20:20:24.317+00:00

Hello, I am trying to export specific information from Azure AD PowerShell. I want to find all failed sign ins where the Authentication Method is Password and has a succeeded attribute of "true". Finding failed sign ins is no problem using this command:

Get-AzureADAuditSignInLogs -Filter "status/errorCode ne 0"

But I can't seem to find a way to filter on Authentication Method and Succeeded. The reason I want to do this is that our tenant has fairly high security (MFA, Conditional Access restricted by specific devices), yet we often get a large number of attempts to brute force accounts. If I can filter on all the failed sign in attempts with password succeeded true attribute, it would tell us if any of our staff has had their credentials compromised.

It seems like a relatively logical thing to ask for, but I can't seem to find any way to do it in the GUI or via Powershell. I have to drill down into every single failed sign in attempt to view those attributes, and with hundreds of thousands of attempts, that just isn't feasible to do it manually.

Many thanks if anyone can help me figure this one out. 262775-authentication-details.jpg

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,541 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Harpreet Singh Matharoo 8,221 Reputation points Microsoft Employee
    2022-11-24T03:51:08.317+00:00

    Hello @Raffaele Guarna

    Thank you for reaching out. I would like to inform you that Authentication details section or parameter within Azure AD Sign-In logs is multivalued property and hence information cannot be extracted directly using Azure AD PowerShell.

    You can try using Graph PowerShell and filter the logs using UPN and App and then expand Authentication details for them.

    Import-Module Microsoft.Graph.Reports  
    Connect-MgGraph   
    Select-MgProfile -Name beta  
    Get-MgAuditLogSignIn -Filter "startsWith(UserPrincipalName,'Harpreet')" | Select-Object -ExpandProperty AuthenticationDetails  
    Get-MgAuditLogSignIn -Filter "startsWith(UserPrincipalName,'Harpreet') and startsWith(appDisplayName,'Graph')" | Select-Object -ExpandProperty AuthenticationDetails  
    

    Below screenshot has few examples on how you can achieve them:
    263706-image.png

    I hope this helps and answers your question as well as resolves the query on hand.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.