Export Authentication Details from Azure Sign-In Logs via PowerShell

Raffaele Guarna 1 Reputation point

Hello, I am trying to export specific information from Azure AD PowerShell. I want to find all failed sign ins where the Authentication Method is Password and has a succeeded attribute of "true". Finding failed sign ins is no problem using this command:

Get-AzureADAuditSignInLogs -Filter "status/errorCode ne 0"

But I can't seem to find a way to filter on Authentication Method and Succeeded. The reason I want to do this is that our tenant has fairly high security (MFA, Conditional Access restricted by specific devices), yet we often get a large number of attempts to brute force accounts. If I can filter on all the failed sign in attempts with password succeeded true attribute, it would tell us if any of our staff has had their credentials compromised.

It seems like a relatively logical thing to ask for, but I can't seem to find any way to do it in the GUI or via PowerShell. I have to drill down into every single failed sign-in attempt to view those attributes, and with hundreds of thousands of attempts, it just isn't feasible to do manually.

Many thanks if anyone can help me figure this one out.

Azure Active Directory

1 answer

  1. Harpreet Singh Matharoo 3,671 Reputation points Microsoft Employee

    Hello @Raffaele Guarna

    Thank you for reaching out. I would like to inform you that the Authentication details section or parameter within Azure AD Sign-In logs is a multivalued property, and hence the information cannot be extracted directly using Azure AD PowerShell.

    You can try using Graph PowerShell and filter the logs using UPN and App and then expand Authentication details for them.

    Import-Module Microsoft.Graph.Reports
    # Switch the SDK to the beta Graph endpoint
    Select-MgProfile -Name beta
    # Sign-ins for one user, expanded to one row per authentication step
    Get-MgAuditLogSignIn -Filter "startsWith(UserPrincipalName,'Harpreet')" | Select-Object -ExpandProperty AuthenticationDetails
    # Same, narrowed to a single application
    Get-MgAuditLogSignIn -Filter "startsWith(UserPrincipalName,'Harpreet') and startsWith(appDisplayName,'Graph')" | Select-Object -ExpandProperty AuthenticationDetails

    The screenshot below has a few examples of how you can achieve this:

    I hope this helps and answers your question as well as resolves the query on hand.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

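Added example (not part of the question or the answer): a client-side filter for what the question asks for, failed sign-ins in which a Password step in AuthenticationDetails has Succeeded set to true. The function name `Select-FailedSignInWithValidPassword` and the sample records are constructed for illustration; the commented live call assumes the beta profile from the answer and that the question's `status/errorCode ne 0` filter is accepted by `Get-MgAuditLogSignIn`.

```powershell
# Hypothetical helper: emits one summary row per failed sign-in whose password step succeeded.
function Select-FailedSignInWithValidPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$SignIn)
    process {
        # errorCode 0 means the sign-in succeeded; only failures are of interest
        if ($SignIn.Status.ErrorCode -eq 0) { return }
        # AuthenticationDetails is multivalued: test every step, not just the first
        $hit = @($SignIn.AuthenticationDetails) | Where-Object {
            $_.AuthenticationMethod -eq 'Password' -and $_.Succeeded -eq $true
        } | Select-Object -First 1
        if (-not $hit) { return }
        [pscustomobject]@{
            CreatedDateTime   = $SignIn.CreatedDateTime
            UserPrincipalName = $SignIn.UserPrincipalName
            IpAddress         = $SignIn.IpAddress
            AppDisplayName    = $SignIn.AppDisplayName
            ErrorCode         = $SignIn.Status.ErrorCode
            FailureReason     = $SignIn.Status.FailureReason
        }
    }
}

# Constructed sample records shaped like sign-in log entries (not real data)
$sample = @(
    [pscustomobject]@{   # wrong password: must be skipped
        CreatedDateTime = '2023-01-10T08:01:00Z'; UserPrincipalName = 'alice@example.com'
        IpAddress = '203.0.113.10'; AppDisplayName = 'Office 365'
        Status = [pscustomobject]@{ ErrorCode = 50126; FailureReason = 'Invalid username or password' }
        AuthenticationDetails = @([pscustomobject]@{ AuthenticationMethod = 'Password'; Succeeded = $false })
    },
    [pscustomobject]@{   # password accepted, then blocked: must be reported
        CreatedDateTime = '2023-01-10T08:02:00Z'; UserPrincipalName = 'bob@example.com'
        IpAddress = '198.51.100.7'; AppDisplayName = 'Office 365'
        Status = [pscustomobject]@{ ErrorCode = 53003; FailureReason = 'Blocked by Conditional Access' }
        AuthenticationDetails = @([pscustomobject]@{ AuthenticationMethod = 'Password'; Succeeded = $true })
    },
    [pscustomobject]@{   # successful sign-in: must be skipped
        CreatedDateTime = '2023-01-10T08:03:00Z'; UserPrincipalName = 'carol@example.com'
        IpAddress = '192.0.2.44'; AppDisplayName = 'Office 365'
        Status = [pscustomobject]@{ ErrorCode = 0; FailureReason = 'Other' }
        AuthenticationDetails = @([pscustomobject]@{ AuthenticationMethod = 'Password'; Succeeded = $true })
    }
)
$sample | Select-FailedSignInWithValidPassword | Format-Table -AutoSize

# Live use (assumption: beta profile selected as in the answer, filter taken from the question):
# Get-MgAuditLogSignIn -Filter "status/errorCode ne 0" -All |
#     Select-FailedSignInWithValidPassword | Export-Csv .\failed-with-valid-password.csv -NoTypeInformation
```

Each row returned is an account whose password was accepted before MFA or Conditional Access stopped the sign-in, which is the indicator of compromised credentials the question describes.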