PowerShell command to see last login / activity for Service Principal and/or App Registration

Question

Is there a powershell command that can be used to view the login activity for a Service Principal or App registration in Azure? Specifically, query the last login date for a service principal or app? I believe this can be done via the UI in the sign-in logs section of AAD. That being said, I would like to be able to pull this data from powershell.

Answer

Hi @Kenneth Huddleston ,

Thanks for reaching out.

Yes, it is possible to get the sign in activity details of application using PowerShell command:

Get-AzureADAuditSignInLogs -Filter "appId eq 'xxx-d9f9-48b1-a8ad-xxx'" 
Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'myApp'"

To query the last login date of application can be filter using

Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'myApp'" | Select-Object -First 1 | Format-List

To run these commands, you need to install AzureAD Preview first

Install-Module AzureADPreview

and need to connect with your Azure AD tenant using

Connect-AzureAD

Reference: https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview#example-2-get-sign-in-logs-for-a-user-or-application

To get the sign in details of service principal, you need to get it using Audit logs

Get-MgAuditLogSignIn -Filter "appid eq 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' and signInEventTypes/any(t:t eq 'servicePrincipal')"

Reference: https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadauditdirectorylogs?view=azureadps-2.0-preview

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Share via

PowerShell command to see last login / activity for Service Principal and/or App Registration

1 answer