File Download Error - Non-interactive sign-in logs

Anonymous
2023-09-27T13:54:37.6+00:00

when trying to download non-interactive sign-in logs, getting this error: "Given data uri is not formatted correctly with data uri syntax" . I'm on this page, then click Download, then CSV - https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns/menuId/

Microsoft Security | Microsoft Entra | Other
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-09-28T09:00:38.28+00:00

    Hi @Anonymous Thank you for reaching out to us, As I understand you have encourtered this error "Given data uri is not formatted correctly with data uri syntax" while downloading the non-interactive sign-in logs from the Azure AD/Entra Portal.

    I have seen this error in the past, it could be issue with throttling (too many requests at a given time/downloading data with larger intervals), causing this issue.

    You could consider using Azure Graph API to download it with idle time period. And, you could also try downloading the data in smaller chunks. For example instead of downloading all 30 days worth of data, try downloading it in 7 day chunks or 1 day chunks etc.

    There is also script available as well for the same, which you can consider - https://github.com/jasonfritts/AADReportingAPI/blob/master/MSGraphSignDownloadWithClientApp.ps1

    https://github.com/jasonfritts/AADReportingAPI

    The above script will require a registered application with AAD reporting permission. The application and tenant data need to be updated manually.
    The main reason to use script to download the log because it will help to handle retry logical to avoid the throttling limit error.

    If the your side data size is extremely large, please replace line 117 to 121 like below (increase sleep time automatically)

    #{
                # throttled request, wait for a few seconds and retry
                #Start-Sleep -s 5
            #}
            {
                 [int] $delay = [int](($_.Exception.Response.Headers | Where-Object Key -eq 'Retry-After').Value[0])
                 Write-Verbose -Message "Retry Caught, delaying $delay s"
                 Start-Sleep -s $delay
             } 
    

    Other options you can consider:

    1. Configure Azure AD audit\sign in logs to stream to Azure Monitor  or stream to Azure Storage account  and download logs from one of these services where throttling is not an issue.
    2. Decrease the amount of log data being downloaded from the portal by changing the time range filters to smaller increments of time.

    Our team is aware of this issue, working on a fix internally, dont have specific ETA however you can consider the above options to download the logs.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.