Accessing non-interactive sign in logs using graph

DaveK 1,846 Reputation points
2023-03-23T22:04:18.01+00:00

Hi,

Pulling my hair out with this one a little as I can't seem to figure out where I'm going wrong. I'm pulling together some details for our Azure AD Registered Android devices and using that info to look up the device owner - all working just fine. I'm using a client secret to get the token (code not shown).

I'd like to be able to check Azure AD sign-in logs for any given user to check if they have any non-interactive sign-ins but I just can't seem to wrap my head round it. No matter what I've tried with the $filter options I always seem to get 1000 results and it's a mixture of all users.

Starting simple I'm trying to return just logs for a specific user - doesn't work

[uri]$uriSignins = "https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=(userPrincipalName eq 'username@mydomain.com')"

$resSignins = Invoke-RestMethod -Method Get -Uri $uriSignins.AbsoluteUri -Headers @{Authorization = "Bearer $($Token)"}

$resSignins.value

Trying example 2 from this MS page, https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-1.0&tabs=http, also does work - just returns 1000 results despite the filter mentioning just the top 10.

I've also tried example 3 from the MS page, https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http, using beta to return non-interactive sign-ins - same happens. No filtering applied and Invoke-RestMethod just gives me 1000 results.

Can anyone guide me in the right direction and point out where I'm going wrong?


Accepted answer
  1. Vasil Michev 92,596 Reputation points MVP
    2023-03-24T08:08:33.3466667+00:00

    When using PowerShell, remember that you have to escape the $ character. Compare this:

    [uri]$uriSignins = "https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=(userPrincipalName eq 'username@mydomain.com')"
    

    to this:

    [uri]$uriSignins = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=(userPrincipalName eq 'username@mydomain.com')"
    

    Same goes for any other operators, $top, $orderBy, $search, etc. If you use the Graph SDK for PowerShell, it usually takes care of this for you.
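The escaping issue from the accepted answer, as an added example that is not part of the original question or answer: it shows what the unescaped string actually becomes and builds the query with single-quoted parameter names so nothing is expanded. `New-SignInQueryUri` is a hypothetical helper, the UPN is a constructed sample, and the non-interactive clause assumes the `signInEventTypes` filter from the beta documentation the question links to; no request is sent.

```powershell
# Constructed sample value; nothing is sent to Graph, so this runs offline.
$upn = 'username@mydomain.com'

# Unescaped: PowerShell expands $filter (an undefined variable) to an empty
# string, so the request would go out with no $filter parameter at all.
$broken = "https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=(userPrincipalName eq '$upn')"
$brokenUri = [uri]$broken

function New-SignInQueryUri {   # hypothetical helper, not a Graph SDK cmdlet
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Top = 10,
        [switch]$NonInteractive
    )
    # OData string literals escape a single quote by doubling it (o'brien@...).
    $safeUpn = $UserPrincipalName.Replace("'", "''")
    $clauses = @("userPrincipalName eq '$safeUpn'")
    $version = 'v1.0'
    if ($NonInteractive) {
        # Assumption: beta endpoint and filter as in the linked beta documentation.
        $version = 'beta'
        $clauses += "signInEventTypes/any(t: t eq 'nonInteractiveUser')"
    }
    # Percent-encode the filter value; single-quoted literals keep '$filter'
    # and '$top' intact, so no backtick is needed.
    $filterValue = [uri]::EscapeDataString($clauses -join ' and ')
    $query = '$filter=' + $filterValue + '&$top=' + $Top
    return [uri]("https://graph.microsoft.com/$version/auditLogs/signIns?" + $query)
}

$fixedUri  = New-SignInQueryUri -UserPrincipalName $upn
$nonIntUri = New-SignInQueryUri -UserPrincipalName $upn -NonInteractive

# Check each URI for a literal $filter parameter before it is ever sent.
foreach ($u in @($brokenUri, $fixedUri, $nonIntUri)) {
    [pscustomobject]@{
        HasFilter = $u.Query -match '[?&]\$filter='
        Uri       = $u.AbsoluteUri
    }
}
```

With `Set-StrictMode -Version Latest` in effect, the unescaped string throws on the undefined `$filter` variable instead of silently dropping it, which surfaces this mistake at build time.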

