Global reader vs Global admin

Fuzie, Brett 0 Reputation points
2023-11-17T17:25:57.38+00:00

Hello,

I am attempting to assist a user in our organization who needs to be able to see the last sign-in time for users in the org. This is shown nicely on the allusers blade by adding the column “last sign in time” to the blade view. However, this selection under edit column on the allusers blade only shows for global admins and not global readers, which is this user's assigned permission. Is there a way around this besides a PowerShell script to pull the data and give it to them? Is it possible to add this selection to the blade for global readers using a custom permission?

Thank you

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Adam Zachary 2,936 Reputation points
    2023-11-17T18:52:34.7+00:00

    Hi Fuzie,
    In Microsoft Entra Identity, users with Global Reader permissions do not have access to view the "last sign in time" for users directly in the All Users blade. This information is typically visible only to roles with more access, like Global Administrators.

    While Entra's Usage and Insights reports and Microsoft Graph can provide some sign-in data, they may not present it in the exact format seen in the All Users blade for Global Administrators.

    However, if you want to be able to view this information, roles other than Global Administrator that typically have the ability to view detailed sign-in data, such as "last sign in time," include:

    Security Administrator: This role has extensive permissions to manage security-related features, including sign-in logs and reports.

    Reports Reader: Specifically designed to view various reports within the environment, including sign-in and usage reports.

    These roles have more access to detailed sign-in information compared to Global Readers, while not providing the full range of permissions granted to a Global Administrator. Assigning one of these roles would allow a user to view the last sign-in times for users within the organization.


  2. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-11-21T04:18:07.83+00:00

    Hello @Fuzie, Brett, to be able to view the Last sign-in time in the Azure or Entra Portal All Users view without less privileged roles such as the Global Reader and Report Reader seems not to be supported. I'm reaching out to the product team regarding any future support plans and will come back ASAP.

    11/24 Update: work has begun to allow Global Reader to select and view the Last sign-in time column.

    In the meantime you might try the following PowerShell script:

    param(
        [Guid]
        $TenantId
    )
    
    # Connect to Microsoft Graph
    Connect-MgGraph -TenantId $TenantId -Scopes "User.Read.All", "AuditLog.Read.All"
    
    # Get the Entra ID users and their sign-in activity
    # -All pages through every user; without it only the first page of results is returned
    $entraIdUsers = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, SignInActivity
    
    # Create an array to store the user data
    $userData = @()
    
    # Loop through the users and get the required data
    foreach ($user in $entraIdUsers) {
        $userData += [PSCustomObject]@{
            Id          = $user.Id
            DisplayName = $user.DisplayName
            UPN         = $user.UserPrincipalName
            LastSignIn  = $user.SignInActivity.LastSignInDateTime
        }
    }
    
    # Export the user data to a CSV file
    $userData | Export-Csv -Path "EntraIdUsers.csv" -NoTypeInformation
    
    # Sign out of Microsoft Graph
    Disconnect-MgGraph

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
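A follow-on to the script in the answer above, added here as an example and not part of either answer: it reads rows shaped like `EntraIdUsers.csv` and labels each account by how long ago it last signed in, treating an empty `LastSignIn` as its own case. The function name `Get-SignInAgeReport`, the 90-day threshold and the sample rows are assumptions made for illustration.

```powershell
function Get-SignInAgeReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $User,                          # one row with UPN and LastSignIn columns
        [datetime] $AsOf = [datetime]::UtcNow,     # reference time, in UTC
        [int] $StaleAfterDays = 90                 # assumed threshold, not from the page
    )
    process {
        $last = $null
        $days = $null
        if ([string]::IsNullOrWhiteSpace($User.LastSignIn)) {
            # A $null LastSignInDateTime is exported as an empty CSV field
            $status = 'NoSignInRecorded'
        }
        else {
            # Accept ISO 8601 or the current culture's format; treat values
            # without a time zone as UTC and normalise everything to UTC
            $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
            $last   = [datetime]::Parse($User.LastSignIn, [cultureinfo]::CurrentCulture, $styles)
            $days   = [int][math]::Floor(($AsOf - $last).TotalDays)
            $status = if ($days -ge $StaleAfterDays) { 'Stale' } else { 'Active' }
        }
        [PSCustomObject]@{
            UPN             = $User.UPN
            LastSignInUtc   = $last
            DaysSinceSignIn = $days
            Status          = $status
        }
    }
}

# Constructed sample rows in the same column layout as EntraIdUsers.csv
$sampleCsv = @'
"Id","DisplayName","UPN","LastSignIn"
"00000000-0000-0000-0000-000000000001","Sample Active","active@example.com","2023-11-15T09:30:00Z"
"00000000-0000-0000-0000-000000000002","Sample Stale","stale@example.com","2023-06-01T12:00:00Z"
"00000000-0000-0000-0000-000000000003","Sample Never","never@example.com",""
'@

# Fixed reference time so the sample classifies the same way on every run
$asOf = ([datetime]'2023-11-21T00:00:00Z').ToUniversalTime()
$sampleCsv | ConvertFrom-Csv |
    Get-SignInAgeReport -AsOf $asOf |
    Sort-Object Status |
    Format-Table -AutoSize
```

To run it against the real export, replace the sample pipeline input with `Import-Csv -Path "EntraIdUsers.csv"` and drop `-AsOf` to compare against the current time.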

