Get Username by IP Address

Question

Get Username by IP Address

Handian Sudianto 6,101

Hello,

Can we get Microsoft Entra ID by providing the ip address using powershell? I have Network Monitoring System to see the conversation traffic, but unfortunately the NMS only showing the ip address as the source and i want to know this ip is belong to which Entra ID.

Olaf Helper 47,441 Reputation points

2024-08-01T05:25:11.6833333+00:00

And in a multi-user enviroment like Citrix or RDS; all user have the same IP address?

1 answer

Your answer

Olaf Helper 47,441 Reputation points

2024-08-01T05:25:11.6833333+00:00

And in a multi-user enviroment like Citrix or RDS; all user have the same IP address?

Answer 1

Raja Pothuraju 23,710 Microsoft External Staff Moderator

Hello @Handian Sudianto,

Thank you for posting your query on Microsoft Q&A.

To identify which Microsoft Entra ID user is associated with a specific IP address within your tenant, you can query the Microsoft Entra sign-in logs using PowerShell. These logs contain information about user sign-ins, including the IP address from which the sign-in originated.

Here is a step-by-step guide to achieve this:

Install the Microsoft Graph PowerShell SDK Module: If you haven't already installed the Microsoft Graph PowerShell SDK module, you can do so using the following command: Install-Module Microsoft.Graph.Beta
Connect to Microsoft Graph: You need to authenticate and connect to your Microsoft Entra tenant. Connect-MgGraph -scopes AuditLog.Read.All
Query the Sign-In Logs: Use the Get-MgBetaAuditLogSignIn cmdlet to query the sign-in logs for the specific IP address.

Here is an example PowerShell script to get the sign-in logs for a specific IP address:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Install the Microsoft Graph module if not already installed
Install-Module Microsoft.Graph.Beta

Import-Module Microsoft.Graph.Beta.Reports

# Connect to Microsoft Graph
Connect-MgGraph -scopes AuditLog.Read.All

# Define the IP address you are looking for
Get-MgBetaAuditLogSignIn -Filter "(createdDateTime ge 2024-07-25T04:33:42.604Z and createdDateTime lt 2024-08-01T04:33:42.604Z and contains(tolower(ipAddress), '20.81.101.134'))" -Top 50 -Sort "createdDateTime desc" | Where-Object {$_.IpAddress -eq "192.168.1.100"} | Select-Object UserId, UserDisplayName, IpAddress

This script will output the UserId, UserDisplayName, IpAddress for each sign-in event from the specified IP address.

Additional Steps

If you need more detailed information or need to filter the results further, you can adjust the Select-Object cmdlet to include additional properties from the sign-in logs. Here are some additional properties you might find useful:

userPrincipalName

ipAddress

createdDateTime

appDisplayName

status

location

clientAppUsed

For example, to include the status and location of the sign-in, you can modify the Select-Object line as follows:

Select-Object userPrincipalName, ipAddress, createdDateTime, appDisplayName, status, location

Note

Ensure you have the necessary permissions to access Azure AD sign-in logs.
The Get-MgBetaAuditLogSignIn cmdlet may return a large number of results if the IP address is used frequently. You can use additional filters to narrow down the results if needed.

By following these steps, you should be able to identify which Microsoft Entra ID user is associated with the specified IP address.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thanks,
Raja Pothuraju.

Handian Sudianto 6,101 Reputation points

2024-08-01T05:45:59.4533333+00:00

Hi

What i mean if search by our internal ip address, not by public ip address.
Raja Pothuraju 23,710 Reputation points Microsoft External Staff Moderator

2024-08-01T11:43:39.6733333+00:00

Hi @Handian Sudianto,

I see you mentioned that you're looking to get a username by IP address in Entra ID. If that is indeed your request, you can use Entra ID (formerly Azure Active Directory) to track user activities. If a user performs any activity or signs in to an Entra application from a specific IP address, you can view these logs in the Microsoft Entra Sign-in logs and Microsoft Entra Audit logs. To find logs associated with a specific IP address, you can use the IP address filter.

If this is not what you’re looking for, please let me know. To better understand your request, we can connect offline. Please send us an email on azcommunity@microsoft.com referencing this issue with a subject line "ATTN:pothurajur" include a link to the current thread.

Thanks,
Raja Pothuraju.
Raja Pothuraju 23,710 Reputation points Microsoft External Staff Moderator

2024-08-05T06:42:57.6533333+00:00

Hello @Handian Sudianto,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Handian Sudianto 6,101 Reputation points

2024-08-05T06:48:11.07+00:00

Hi @Raja Pothuraju

Sorry for my late respond. Actually sign-in log in the Entra ID showing client Public IP and not the Private IP.

Example my office network is 10.7.0.0/16 then if the clint used company network so the client will get ip 10.7.7.77 for example, but Entra ID will recognize the source IP from company public IP (let say 202.11.xx.xx).

What i want is query/knowing user id if we only know the private IP (10.7.7.77 belong to which Entra ID)
Raja Pothuraju 23,710 Reputation points Microsoft External Staff Moderator

2024-08-06T06:28:36.1966667+00:00

Hello @Handian Sudianto,

Thank you for your response.

I understand that you can only view Entra ID logs with the public IP address of the client/end user, rather than the private IP address. This is a common situation, especially when the client is behind NAT (Network Address Translation) or a firewall. Entra ID does not store the private IP address of the client, so you cannot directly query the user ID based on the private IP address. In Entra ID, you can only filter users based on the public IP address.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know. Thanks,
Raja Pothuraju.
Raja Pothuraju 23,710 Reputation points Microsoft External Staff Moderator

2024-08-08T02:17:25.66+00:00

Hello @Handian Sudianto,

Following up to see if the above information was helpful. And, if you have any further query do let us know.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Raja Pothuraju 23,710 Reputation points Microsoft External Staff Moderator

2024-08-08T21:17:38.4933333+00:00

Hello @Handian Sudianto,

Following up to see if the above information was helpful. And, if you have any further query do let us know.

Share via

Get Username by IP Address

1 answer

Your answer