Get-AzureADAuditSignInLogs - cannot find object "User Agent"

Blue Tongue 21 Reputation points
2022-04-10T13:06:44.757+00:00

Hello all,

In O365 admin center, when I went to display "Exchange Active Sync" in Azure Sign-in logs, I was able to find a useful field called "User Agent" (in Basic info tab) like below.
[Image: 191570-zzzzzz.jpg]

However, when I used the PowerShell cmdlet Get-AzureADAuditSignInLogs to dump the log out, there is no such field.
There is only a DeviceDetail field like below.

Can someone please verify for me?

DeviceDetail                     : class SignInAuditLogObjectDeviceDetail {  
                                     DeviceId: daa00f9d-12e7-4684-a8b8-25bced93a663  
                                     DisplayName: Mick’s phone  
                                     OperatingSystem: Ios  
                                     Browser: Mobile Safari  
                                     IsCompliant: True  
                                     IsManaged: True  
                                     TrustType: Azure AD registered  
                                   }  
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2022-04-11T06:46:52.843+00:00

    Hi @Blue Tongue • Thank you for reaching out.

    When you run the Get-AzureADAuditSignInLogs cmdlet, in the background it runs the https://graph.microsoft.com/beta/auditLogs/signIns Graph call, and Azure AD actually returns the userAgent, but it is not displayed in the output of the command. You can use the PowerShell script below to get this value:

    Prerequisites:

    1. Navigate to Azure AD > App Registration > Register new app and copy the ClientID.
    2. Generate a client secret and copy that as well.
    3. Under API Permissions blade, add https://graph.microsoft.com/AuditLog.Read.All permission (Application Permission, not delegated) and grant admin consent.

       # Values from the prerequisite steps above
       $ApplicationID = "Paste client ID from step1"
       $TenantDomainName = "YOUR_TENANT.onmicrosoft.com"
       $AccessSecret = 'Paste client secret from step2'

       # Token request body for the OAuth 2.0 client credentials grant
       $Body = @{
           Grant_Type    = "client_credentials"
           Scope         = "https://graph.microsoft.com/.default"
           Client_Id     = $ApplicationID
           Client_Secret = $AccessSecret
       }

       # Request an app-only access token from the tenant's token endpoint
       $ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantDomainName/oauth2/v2.0/token" `
           -Method POST -Body $Body

       $token = $ConnectGraph.access_token

       # Query the sign-in logs and show the userAgent for one user
       $GraphUrl = "https://graph.microsoft.com/beta/auditLogs/signIns"
       Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -ContentType "application/json" -Uri $GraphUrl -Method Get |
           Select-Object -ExpandProperty value |
           Where-Object {$_.UserDisplayName -eq "YOUR_USER_DISPLAY_NAME"} |
           Format-List CreatedDateTime, UserDisplayName, userAgent
      
      Below is what the output looks like:
      [Image: 191648-image.png]

    Note: This script is using Client_credentials flow that utilizes application context to fetch the logs and not the user context. You can customize the script as per your requirement. E.g., you can remove Where-Object parameter to get a list of activities for all users.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
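
Added example, not part of either answer: a single call to the signIns endpoint returns one page of results, so this follows `@odata.nextLink` across pages and counts sign-ins per userAgent value, which makes unexpected clients stand out. The function name `Get-SignInUserAgent`, its `-Fetch` hook and the sample records are assumptions constructed for illustration; the commented lines at the end reuse `$token` from the accepted answer's script.

```powershell
# Added example: page through sign-in results and summarise userAgent values.
function Get-SignInUserAgent {
    param(
        [Parameter(Mandatory)][string]$Uri,
        # Hypothetical hook: takes a URL and returns one Graph response page.
        [Parameter(Mandatory)][scriptblock]$Fetch
    )
    $next = $Uri
    while ($next) {
        $page = & $Fetch $next
        foreach ($s in $page.value) {
            [pscustomobject]@{
                CreatedDateTime = $s.createdDateTime
                User            = $s.userPrincipalName
                ClientAppUsed   = $s.clientAppUsed
                UserAgent       = $s.userAgent
            }
        }
        # Graph includes '@odata.nextLink' only while more pages remain.
        $next = $page.'@odata.nextLink'
    }
}

# Constructed sample pages standing in for Graph responses (not real tenant data).
$samplePages = @{
    'page1' = '{"value":[{"createdDateTime":"2022-04-10T01:00:00Z","userPrincipalName":"mick@contoso.example","clientAppUsed":"Exchange ActiveSync","userAgent":"SampleMailClient/1.0"},{"createdDateTime":"2022-04-10T02:00:00Z","userPrincipalName":"ana@contoso.example","clientAppUsed":"Exchange ActiveSync","userAgent":"SampleMailClient/1.0"}],"@odata.nextLink":"page2"}' | ConvertFrom-Json
    'page2' = '{"value":[{"createdDateTime":"2022-04-10T03:00:00Z","userPrincipalName":"mick@contoso.example","clientAppUsed":"Exchange ActiveSync","userAgent":"OtherSyncTool/0.3"}]}' | ConvertFrom-Json
}
$offline = { param($u) $samplePages[$u] }

# Count sign-ins per user agent across both sample pages.
Get-SignInUserAgent -Uri 'page1' -Fetch $offline |
    Group-Object UserAgent |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Against a tenant, with $token obtained as in the accepted answer:
# $live = { param($u) Invoke-RestMethod -Uri $u -Method Get -Headers @{ Authorization = "Bearer $token" } }
# $f = [uri]::EscapeDataString("clientAppUsed eq 'Exchange ActiveSync'")
# Get-SignInUserAgent -Uri "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=$f" -Fetch $live
```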


1 additional answer

  1. Vasil Michev 119.7K Reputation points MVP Volunteer Moderator
    2022-04-10T14:44:46.537+00:00

    The Azure AD module is a bit outdated, best use the MS Graph SDK, or call the Graph API https://graph.microsoft.com/beta/auditLogs/signIns endpoint directly - you will see the User agent string therein.

