Entra ID showing different sign in results to graph query - what's going on?

TechUser2020-6505 256 Reputation points
2024-07-19T11:12:39.9733333+00:00

Hi,

I'm trying to write a script to delete obsolete Entra ID guest accounts. I'm seeing different results between the Entra ID portal and get-mguser PowerShell cmdlet.

As an example, the below query returns a null value for last sign in date:

$guest=get-mguser -userid (get-mguser -UserId julie.summersXXX#EXT#contoso.onmicrosoft.com).id -Property createdDatetime,signinactivity,userprincipalname

PS C:> $guest.SignInActivity.LastSignInDateTime

PS C:>

But then if I check the Entra ID portal for this user under the Sign-in logs for the same user, I see that the user has logged in on the 16th July (see attached image).

The script has permissions to read sign-in data as it does return sign-in dates for other users (just not reliably, as I've seen instances where this is reversed so that the script shows a recent sign-in date within the last 30 days, but the portal doesn't).

There's a discrepancy between what the Entra ID portal shows and what the graph API returns. This causes a problem as I'm not sure what the true value is. In addition, it makes searching for deleting obsolete\stale accounts very difficult.

How can I reliably get the last sign-in date via a script?

Thanks,

Entra ID screenshot - user.JPG


1 answer

  1. Navya 15,465 Reputation points Microsoft Vendor
    2024-07-23T05:15:19.74+00:00

    Hi @TechUser2020-6505

    Thank you for posting this in Microsoft Q&A.

    I understand you're attempting to retrieve the LastSignInDateTime for guest users using a PowerShell script, but it returns a null value even though the sign-in logs indicate the user has logged in recently.

    You can use the following PowerShell script:

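    # Requires the AzureADPreview module (Get-AzureADAuditSignInLogs) and a Connect-AzureAD session
    $guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true

    foreach ($guest in $guests) {
        # Sign-in log entries for this guest, matched on the guest's mail address
        $Userlogs = Get-AzureADAuditSignInLogs -Filter "userprincipalname eq '$($guest.mail)'" -All:$true

        # Use the first entry returned; a single result is not an array
        if ($Userlogs -is [array]) {
            $timestamp = $Userlogs[0].createddatetime
        }
        else {
            # Also covers the no-results case, where $timestamp ends up $null
            $timestamp = $Userlogs.createddatetime
        }

        $Info = [PSCustomObject]@{
            Name       = $guest.DisplayName
            UserType   = $guest.UserType
            LastSignin = $timestamp
        }
        # Append one row per guest to the CSV
        $Info | Export-Csv C:\GuestUserLastSignins.csv -NoTypeInformation -Append
        Remove-Variable Info
    }

    Write-Host -ForegroundColor Green "Exported Logs successfully"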

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

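Added example, not part of the original thread or Microsoft's own code: a stale-guest check should not rely on `SignInActivity.LastSignInDateTime` alone, because that property records interactive sign-ins only and is empty when nothing has been recorded. The function name `Get-GuestLastActivity`, the 90-day threshold and the sample objects are assumptions made for illustration; the property names are those of the Graph `signInActivity` resource returned by `Get-MgUser`.

```powershell
# Added example; threshold and sample users below are constructed for illustration.
function Get-GuestLastActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $StaleAfterDays = 90,                      # assumed policy value
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $activity = $User.SignInActivity                 # $null when nothing is recorded
        # Take the newest populated timestamp. LastSignInDateTime alone is
        # interactive-only and stays empty for non-interactive (token-based) sign-ins.
        $latest = @(
            [pscustomobject]@{ Source = 'Interactive';    When = $activity.LastSignInDateTime }
            [pscustomobject]@{ Source = 'NonInteractive'; When = $activity.LastNonInteractiveSignInDateTime }
        ) | Where-Object { $null -ne $_.When } |
            Sort-Object When -Descending | Select-Object -First 1

        # No sign-in data: age the account from its creation date, so a guest
        # invited last week is not flagged alongside one idle for years.
        $reference = if ($latest) { $latest.When } else { $User.CreatedDateTime }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            LastActivity      = if ($latest) { $latest.When } else { $null }
            Source            = if ($latest) { $latest.Source } else { 'NoSignInRecorded' }
            IsStale           = if ($reference) { ($Now - $reference).TotalDays -gt $StaleAfterDays } else { $null }
        }
    }
}

# Constructed sample objects shaped like Get-MgUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'guest-a'; CreatedDateTime = [datetime]'2023-01-10'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = $null
            LastNonInteractiveSignInDateTime = [datetime]'2024-07-16' } }
    [pscustomobject]@{ UserPrincipalName = 'guest-b'; CreatedDateTime = [datetime]'2023-01-10'; SignInActivity = $null }
    [pscustomobject]@{ UserPrincipalName = 'guest-c'; CreatedDateTime = [datetime]'2024-07-10'; SignInActivity = $null }
)
$sample | Get-GuestLastActivity -Now ([datetime]'2024-07-19') | Format-Table

# Against a tenant (needs User.Read.All and AuditLog.Read.All):
# Get-MgUser -Filter "userType eq 'Guest'" -All `
#     -Property id,userPrincipalName,createdDateTime,signInActivity | Get-GuestLastActivity
```

Review the `Source` and `LastActivity` columns before acting on `IsStale`; a `NoSignInRecorded` guest is aged from `createdDateTime` only, so it is worth confirming before deletion.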