Difference between Get-AzureADAuditSignInLogs and Search-UnifiedAudit logs - when shuold I use exactly

Question

Difference between Get-AzureADAuditSignInLogs and Search-UnifiedAudit logs - when shuold I use exactly

Ganga Raju 0

What is the Difference between Get-AzureADAuditSignInLogs and Search-UnifiedAudit logs

Get-AzureADAuditSignInLogs: This cmdlet is specifically designed to retrieve sign-in audit logs for Azure AD users. It allows you to retrieve information about user sign-in activities, including successful and failed sign-ins, sign-in errors, and additional details such as IP addresses and user agents. It focuses on authentication events and provides insights into user sign-in behavior.

on the other hand,

Search-UnifiedAuditLog: This cmdlet is part of the Office 365 Security & Compliance Center module and is used to search and retrieve a wide range of audit log data across multiple Microsoft 365 services. It allows you to search for audit events related to various activities, including user and admin actions, mailbox activities, file activities, sharing events, and more. It provides a comprehensive view of the organization's audit logs and allows for advanced search capabilities and filtering based on specific criteria.

with that said, if I want to find inactive users in O365, how do I find them.

Do I need to search in Get-AzureADAuditSignInLogs or Search-UnifiedAudit logs -

-- I suppose I need to search in Get-AzureADAuditSignInLogs - but i am anot sure. can someone assist,

I see on internet browsing some sites shows to search in unified audit logs, but I dont understnad the logic why they are using it, - as per the description, all signs in wil be Azure AD Audit Signin logs.

Ganga Raju 0 Reputation points

2023-07-12T21:12:55.03+00:00
@Konstantinos Passadis

thanks for the suggestion. as you asked, I am looking to figure out how do I get this form O365

I can use get-mailbox stats; but that will only give mailbox login info only.

I am looking to find

Inactive accounts/users in last 90 or 60 days ( like who did not login or use O365)

List all users and thier last login date
Konstantinos Passadis 19,591 Reputation points MVP

2023-07-15T21:55:40.4133333+00:00

Hello @Ganga Raju !

Do you have any feedback or is your issue resolved?

In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!

Otherwise post your feedback to provide additional help!

Regards
Ganga Raju 0 Reputation points

2023-07-16T13:44:35.32+00:00

I am looking to find last sign in info for all users. - attached an image for example

and we may also consider Last password change date

though O365 has multiple services, a sign in is always a sign in. (it cannot be like a user logged into O365 and did not login into mail, and so login info is not updated - that does not make any sense.)
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-07-21T08:55:33.7533333+00:00

@Ganga Raju Thank you for your feedback on this post, Please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" so that we can connect offline to discuss further on your issue.
Konstantinos Passadis 19,591 Reputation points MVP

2023-07-23T10:54:32.8033333+00:00

Hello @Ganga Raju !

Do you have any feedback or is your issue resolved?

In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!

Otherwise post your feedback to provide additional help!

Regards

2 answers

Your answer

Ganga Raju 0 Reputation points

2023-07-12T21:12:55.03+00:00

@Konstantinos Passadis

thanks for the suggestion. as you asked, I am looking to figure out how do I get this form O365

I can use get-mailbox stats; but that will only give mailbox login info only.

I am looking to find

Inactive accounts/users in last 90 or 60 days ( like who did not login or use O365)

List all users and thier last login date
Konstantinos Passadis 19,591 Reputation points MVP

2023-07-15T21:55:40.4133333+00:00

Hello @Ganga Raju !

Do you have any feedback or is your issue resolved?

In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!

Otherwise post your feedback to provide additional help!

Regards
Ganga Raju 0 Reputation points

2023-07-16T13:44:35.32+00:00

I am looking to find last sign in info for all users. - attached an image for example

and we may also consider Last password change date

though O365 has multiple services, a sign in is always a sign in. (it cannot be like a user logged into O365 and did not login into mail, and so login info is not updated - that does not make any sense.)
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-07-21T08:55:33.7533333+00:00

@Ganga Raju Thank you for your feedback on this post, Please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" so that we can connect offline to discuss further on your issue.
Konstantinos Passadis 19,591 Reputation points MVP

2023-07-23T10:54:32.8033333+00:00

Hello @Ganga Raju !

Do you have any feedback or is your issue resolved?

In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!

Otherwise post your feedback to provide additional help!

Regards

Answer 1

Konstantinos Passadis 19,591 MVP

Hello @Ganga Raju !

Welcome to Microsofr QnA!

I suggest you have a look here

https://www.sharepointdiary.com/2023/01/find-inactive-users-in-office-365.html

The link provides all the details in question

The Azure AD is the Identity Provider , it may cover more than just O365

On the other hand Office 365 is the SaaS Platform for Email , One Drive etc.

It always depends what do you define as inactivity !

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Konstantinos Passadis 19,591 Reputation points MVP

2023-07-12T21:38:42.65+00:00

Hello @Ganga Raju !

Ok i got it

Here is the most common MS GRAPH

Be aware There is a limit at 30 Days of Azure AD SIgn In Logs

Please adjust the script

It is taken from here

https://techcommunity.microsoft.com/t5/microsoft-365/get-list-of-inactive-users-with-licenses-assigned-in-microsoft/m-p/2808185

The function of this script is to return all users that have licences and have been inactive in AzureAD sigin logs for x amount of days.

For customers who have Azure AD Premium P2 subscriptions, the sign-in logs are retained for 30 days.

By default, Azure AD retains sign-in logs for 30 days, but the retention period can be increased up to two years by using Azure Monitor and Storage accounts

Install the required PowerShell modules

Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module -Name Microsoft.Graph.Users -Scope CurrentUser
Install-Module -Name Microsoft.Graph.Reports -Scope CurrentUser

Import the required modules

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect to Microsoft Graph using delegated permissions

Connect-MgGraph -Scopes "User.Read.All, AuditLog.Read.All"

Download the CSV file containing the product name and SkuPartNumber mappings ( ADJUST THE URL TO FIT )

Invoke-WebRequest -Uri "https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%2..." -OutFile "c:\temp\product_names.csv"

Import the CSV file into a variable and create a dictionary using the SkuPartNumber as key and Product_Display_Name as value

$productNames = Import-Csv "c:\temp\product_names.csv"
$skuDict = @{}
foreach($product in $productNames)
{
$skuDict[$product.GUID] = $product.Product_Display_Name
}

Set the number of days of inactivity to consider

$DaysInactive = 30
$InactiveDate = (Get-Date).AddDays(-$DaysInactive)

Retrieve all users using the Microsoft Graph API

$AllUsers = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled

Initialize an empty array to store inactive users

$InactiveUsers = @()

Iterate through each user and check for inactivity in Azure AD sign-in logs

foreach ($User in $AllUsers) {
$LicenseDetail = Get-MgUserLicenseDetail -UserId $User.Id
if ($LicenseDetail -ne $null) {
$License = ($LicenseDetail | ForEach-Object { $skuDict[$_.SkuId] }) -join ", "

Write-Output "Checking $($User.userPrincipalName) with License: $License"

Write-Output "Getting sign-in logs for $($User.displayName)"
$AllSignInLogs = Get-MgAuditLogSignIn -Filter "userDisplayName eq '$($User.displayName)'"
#Write-Output "All sign-in logs:"
#Write-Output $AllSignInLogs

$SignIn = $AllSignInLogs | Sort-Object -Property createdDateTime -Descending | Select-Object -First 1
Write-Output "Most recent sign-in log entry:"
Write-Output $SignIn.createdDateTime

if ($SignIn -eq $null -or $SignIn.createdDateTime -lt $InactiveDate) {
$InactiveUsers += [PSCustomObject]@{
DisplayName = $User.displayName
UserPrincipalName = $User.userPrincipalName
LastSignin = $Signin
Enabled = $User.accountEnabled
License = $License
}
write-output 'InactiveUser! '$User.displayName $License
}
}
}

$InactiveUsers | Export-Csv -Path "c:\temp\InactiveUsers.csv" -NoTypeInformation

Disconnect-MgGraph

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
Konstantinos Passadis 19,591 Reputation points MVP

2023-07-12T21:43:39.5466667+00:00
Hello @Ganga Raju !

here is the Second part you need "Last Login " via Graph REST API

LINK https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-5-list-the-last-sign-in-time-of-users-in-a-specific-time-range

Example 5: List the last sign-in time of users in a specific time range

Request

The following is an example of the request. Details for the signInActivity property require an Azure AD Premium P1/P2 license and the AuditLog.Read.All permission.

HTTP

GET https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2021-07-21T00:00:00Z

Response

The following is an example of the response.

*Note: The response object shown here might be shortened for readability.*

HTTP

HTTP/1.1 200 OK

Content-type: application/json

{

"@odata.context": "https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2021-07-21T00:00:00Z",

"value": [

*{* *"displayName": "Adele Vance",* *"userPrincipalName": "******@contoso.com",* *"signInActivity": {* *"lastSignInDateTime": "2021-06-17T16:41:33Z",* *"lastSignInRequestId": "d4d31c40-4c36-4775-ad59-7d1e6a171f00",* *"lastNonInteractiveSignInDateTime": "0001-01-01T00:00:00Z",* *"lastNonInteractiveSignInRequestId": ""* *}* *},* *{* *"displayName": "Alex Wilber",* *"userPrincipalName": "******@contoso.com",* *"signInActivity": {* *"lastSignInDateTime": "2021-07-29T15:53:27Z",* *"lastSignInRequestId": "f3149ee1-e347-4181-b45b-99a1f82b1c00",* *"lastNonInteractiveSignInDateTime": "2021-07-29T17:53:42Z",* *"lastNonInteractiveSignInRequestId": "868efa6a-b2e9-40e9-9b1c-0aaea5b50200"* *}* *}*

]

}

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
Konstantinos Passadis 19,591 Reputation points MVP

2023-07-16T17:12:12.16+00:00
Hello @Ganga Raju !!

here is the Second part you need "Last Login " via Graph REST API

LINK https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-5-list-the-last-sign-in-time-of-users-in-a-specific-time-range

Example 5: List the last sign-in time of users in a specific time range

Request

The following is an example of the request. Details for the signInActivity property require an Azure AD Premium P1/P2 license and the AuditLog.Read.All permission.

HTTP

GET https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2021-07-21T00:00:00Z

Response

The following is an example of the response.

Copy

Note: The response object shown here might be shortened for readability.

HTTP

HTTP/1.1 200 OK

Content-type: application/json

{

"@odata.context": "https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2021-07-21T00:00:00Z",

"value": [

Copy

{

"displayName": "Adele Vance",

"userPrincipalName": "*****@contoso.com",*

"signInActivity": {

*"lastSignInDateTime": "2021-06-17T16:41:33Z",* *"lastSignInRequestId": "d4d31c40-4c36-4775-ad59-7d1e6a171f00",* *"lastNonInteractiveSignInDateTime": "0001-01-01T00:00:00Z",* *"lastNonInteractiveSignInRequestId": ""*

}

},

{

"displayName": "Alex Wilber",

"userPrincipalName": "*****@contoso.com",*

"signInActivity": {

*"lastSignInDateTime": "2021-07-29T15:53:27Z",* *"lastSignInRequestId": "f3149ee1-e347-4181-b45b-99a1f82b1c00",* *"lastNonInteractiveSignInDateTime": "2021-07-29T17:53:42Z",* *"lastNonInteractiveSignInRequestId": "868efa6a-b2e9-40e9-9b1c-0aaea5b50200"*

}

}

]

}

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Answer 2

@Ganga Raju Thank you for reaching out to us, reviewed your requirement related to find inactive users within Azure AD/O365, wanted to check if you can try this approach https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts – Provides the last interactive and non-interactive sign-in time for a specific user. Make sure to check out how to manage inactive user accounts in Azure AD - https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

Let me know if you have any further questions, feel free to post back.

Share via

Difference between Get-AzureADAuditSignInLogs and Search-UnifiedAudit logs - when shuold I use exactly

2 answers

Your answer