question

DominicBurns-5571 avatar image
0 Votes"
DominicBurns-5571 asked DominicBurns-5571 commented

Get-AzureADAuditSignInLogs inconsistent entries

Hi,

I have been using Get-AzureADAuditSignInLogs to retrieve signin log entries and have found that executing the same command multiple times produces varying sets of entries.

e.g.
Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt 2022-04-11 and createdDateTime lt 2022-04-12"
=> 124,589
Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt 2022-04-11 and createdDateTime lt 2022-04-12"
=> 124,600

There are entries missing/added between the results, not just additional records.

These dates are in the middle of the 30 day window so shouldn't be impacted by recent additions or recent removals.

AzureADPreview version 2.0.2.149

Any insight is appreciated!

Dominic

windows-server-powershellazure-ad-app-development
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@DominicBurns-5571 I tried this and in my test tenant and the count of entries was the same. But I have very less number of entries. In your case it seem to be adding 12 new entries when you run it the second time.

 PS C:\> (Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt 2022-05-01 and createdDateTime lt 2022-05-12").count
 15
    
 PS C:\> (Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt 2022-05-01 and createdDateTime lt 2022-05-12").count
 15
    
 PS C:\> (Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt 2022-05-01 and createdDateTime lt 2022-05-12").count
 15
    
 PS C:\> (Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt 2022-05-01 and createdDateTime lt 2022-05-12").count
 15
    
 PS C:\> (Get-AzureADAuditSignInLogs -All:$true -Filter "createdDateTime gt 2022-05-01 and createdDateTime lt 2022-05-12").count
 15

When you say "There are entries missing/added between the results, not just additional records." Are you saying that some entries were lost and new ones added when you ran the same command again?

0 Votes 0 ·

Hi @shashishailaj,

Yes that is correct. That was my experience. Some entries were lost and new ones added. If I ran the command multiple times the result set would be slightly different each time. Sometimes an entry would appear and other times it would be missing.

Thanks,

Dominic

0 Votes 0 ·

0 Answers