PowerShell command to see last login / activity for Service Principal and/or App Registration

Kenneth Huddleston 145 Reputation points
2023-03-01T19:02:05.3333333+00:00

Is there a powershell method to view the last login for an Azure Service Principal or App registration? I know this can be done via the UI, just looking to pull it via powershell for reporting purposes.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,180 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 98,516 Reputation points MVP
    2023-03-01T20:13:32.74+00:00

    You will have to crawl the Audit logs for that, as SP objects do not expose the signInActivity property directly. Here's an example:

    Get-MgAuditLogSignIn -Filter "appid eq 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' and signInEventTypes/any(t:t eq 'servicePrincipal')" -Top 10 | select *

    where I'm filtering based on specific appID/client_ID value.

    0 comments No comments