MS Graph: Can Get-MgAuditLogSignIn get non interactive signins information?

Matheus Sonego 26 Reputation points
2022-05-05T14:20:51.687+00:00

I need to track logins, when using Get-MgAuditLogSignIn I only get information about the interactive logins. When trying to filter "isInteractive" as false I get a empty report. Is there a way to get the Non Interactive signins?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,397 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,590 questions
0 comments No comments
{count} votes

Accepted answer
  1. JanardhanaVedham-MSFT 3,536 Reputation points
    2022-05-05T18:20:20.15+00:00

    Hi @Matheus Sonego ,

    Please note that Get-MgAuditLogSignIn MS Graph PowerShell SDK command uses List signIns Graph API in the background. ** Currently this List signIns API retrieves the Azure AD user sign-ins for your tenant. Sign-ins that are interactive in nature (where a username/password is passed as part of auth token) and successful federated sign-ins are currently included in the sign-in logs.** Hence this List signIns API or MS Graph PowerShell SDK command is not returning non-interactive user signins data.

    199336-image.png
    199337-image.png

    However upon my further research, there is "Sign-in logs" option available under "Monitoring" section of Azure Active Directory as you can see below and I could see both interactive and non-interactive user signin logs information. Also , we do have the options such as filters and download report in Azure AD portal. You can also review the same and see if it's useful to you.

    199374-image.png

    If the answer is helpful to you, please click "Accept Answer" and kindly upvote it. If you have additional questions about this answer, please click "Comment".

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. Johnny Stenberg 15 Reputation points
    2023-01-12T17:11:50.46+00:00

    You could use the following....

    Connect-MgGraph -Scopes AuditLog.Read.All

    Select-MgProfile -Name Beta

    $Filter = "(signInEventTypes/any(t: t ne 'interactiveUser'))"

    Get-MgAuditLogSignIn -Filter $Filter -all

    2 people found this answer helpful.
    0 comments No comments

  2. mark daley 6 Reputation points
    2022-06-08T16:45:43.987+00:00

    Hi.

    Non-interactive signins are available via the Graph BETA API. They have not yet been published to Graph v1.0

    Using the Powershell Graph Module Microsoft.Graph.Users you can retrieve the non-interactive Sign-in via the signinactivity property.

    Select-MgProfile beta
    Connect-MgGraph -Scopes AuditLog.Read.All, Organization.Read.All
    Get-MgUser -UserId {objectid} -Property signinactivity | Select-Object -ExpandProperty SignInActivity

    Note: You must use the Azure ObjectID of the account not the UPN.

    1 person found this answer helpful.

  3. Matheus Sonego 26 Reputation points
    2022-05-05T19:39:48.61+00:00

    Hm, so there are no ways to download the non interactive signins from MS Graph? I previously used the Azure Active Directory, but it is limited to 100.000 registers, that gives me only the timespan of one day each time I download the report. I would have to do it too many times, since I need about 3 months of data at least.

    Thank you for your help!


  4. Andrew 36 Reputation points
    2024-02-20T14:54:28.4566667+00:00

    I've created PowerShell function Get-AzureAuditAggregatedSignInEvent hosted at https://gist.github.com/ztrhgf/96445c23b25c1682238b8b52e9218430 PS: needs module Microsoft.Graph.Intune to work

    0 comments No comments