Export Authentication Details from Azure Sign In Logs Via Powershell

Raffaele Guarna 1 Reputation point
2022-11-21T20:20:24.317+00:00

Hello, I am trying to export specific information from Azure AD PowerShell. I want to find all failed sign ins where the Authentication Method is Password and has a succeeded attribute of "true". Finding failed sign ins is no problem using this command:

Get-AzureADAuditSignInLogs -Filter "status/errorCode ne 0"

But I can't seem to find a way to filter on Authentication Method and Succeeded. The reason I want to do this is that our tenant has fairly high security (MFA, Conditional Access restricted by specific devices), yet we often get a large number of attempts to brute force accounts. If I can filter on all the failed sign in attempts with password succeeded true attribute, it would tell us if any of our staff has had their credentials compromised.

It seems like a relatively logical thing to ask for, but I can't seem to find any way to do it in the GUI or via Powershell. I have to drill down into every single failed sign in attempt to view those attributes, and with hundreds of thousands of attempts, that just isn't feasible to do it manually.

Many thanks if anyone can help me figure this one out. 262775-authentication-details.jpg

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,386 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Harpreet Singh Matharoo 7,471 Reputation points Microsoft Employee
    2022-11-24T03:51:08.317+00:00

    Hello @Raffaele Guarna

    Thank you for reaching out. I would like to inform you that Authentication details section or parameter within Azure AD Sign-In logs is multivalued property and hence information cannot be extracted directly using Azure AD PowerShell.

    You can try using Graph PowerShell and filter the logs using UPN and App and then expand Authentication details for them. 

    Import-Module Microsoft.Graph.Reports  
Connect-MgGraph   
Select-MgProfile -Name beta  
Get-MgAuditLogSignIn -Filter "startsWith(UserPrincipalName,'Harpreet')" | Select-Object -ExpandProperty AuthenticationDetails  
Get-MgAuditLogSignIn -Filter "startsWith(UserPrincipalName,'Harpreet') and startsWith(appDisplayName,'Graph')" | Select-Object -ExpandProperty AuthenticationDetails

    Below screenshot has few examples on how you can achieve them:
    263706-image.png

    I hope this helps and answers your question as well as resolves the query on hand.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments