Interactive logon Azure AD sign in

Asha 1 Reputation point
2022-06-14T11:51:25.157+00:00

Hi,

I am trying to build a use case in Splunk using Azure AD sign-in logs. Can someone please help me identify which field indicates an interactive/non-interactive logon event in Azure AD sign-in logs?

Thank you

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2022-06-15T00:21:02.75+00:00

    Hi @Asha ,

    You can use the Graph BETA API to get both the interactive and non-interactive sign-in logs. The non-interactive sign-in logs have not yet been published to Graph v1.0.

    Using the PowerShell Graph module Microsoft.Graph.Users, you can retrieve the non-interactive sign-in via the signinactivity property.

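    # Switch the Graph PowerShell SDK to the beta endpoint
    Select-MgProfile beta
    # Sign in with the scopes requested for reading sign-in activity
    Connect-MgGraph -Scopes AuditLog.Read.All, Organization.Read.All
    # Replace {objectid} with the Azure object ID of the account (not the UPN)
    Get-MgUser -UserId {objectid} -Property signinactivity | Select-Object -ExpandProperty SignInActivity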

    You need to use the Azure ObjectID of the account and not the UPN. You can query lastNonInteractiveSignInDateTime and lastNonInteractiveSignInRequestId, as noted in the signInActivity resource type documentation.

    Otherwise you can also get this information from Sign-in logs in Azure Active Directory - preview. There, on the sign-ins page, you can switch between Interactive user sign-ins and Non-interactive user sign-ins.

    Additional resources:

    Get non-interactive sign-ins
    signInActivity resource type
    Sign-in logs in Azure Active Directory - preview

    • If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.
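Added example, not part of the original answer: a small classifier showing which fields separate interactive from non-interactive sign-ins before the events are indexed. It assumes the `signInEventTypes` and `isInteractive` properties of the Graph beta signIn resource and the `category` names used by the Azure Monitor diagnostic export; the records and their nesting under `properties` are constructed for illustration.

```python
from collections import Counter

# Category names used when Azure AD sign-in logs are exported through
# Azure Monitor diagnostic settings (for example to an Event Hub).
CATEGORY_TO_TYPE = {
    "SignInLogs": "interactiveUser",
    "NonInteractiveUserSignInLogs": "nonInteractiveUser",
    "ServicePrincipalSignInLogs": "servicePrincipal",
    "ManagedIdentitySignInLogs": "managedIdentity",
}

def sign_in_type(record):
    """Classify one sign-in record; returns 'unknown' if no field decides it."""
    # Exported events nest the sign-in fields under "properties" (assumed shape).
    props = record.get("properties") or record
    # 1. Graph beta signIn resource: signInEventTypes is a list of type names.
    types = props.get("signInEventTypes") or []
    if types:
        return "+".join(sorted(types))
    # 2. Exported event: the category names the log stream it came from.
    category = record.get("category")
    if category in CATEGORY_TO_TYPE:
        return CATEGORY_TO_TYPE[category]
    # 3. Fallback: isInteractive is a boolean and cannot tell a user from a
    #    service principal, so a false value maps to a generic label.
    flag = props.get("isInteractive")
    if flag is True:
        return "interactiveUser"
    if flag is False:
        return "nonInteractive"
    return "unknown"

def summarize(records):
    """Count records per sign-in type."""
    return Counter(sign_in_type(r) for r in records)

# Constructed sample records (not real tenant data).
SAMPLES = [
    {"id": "constructed-1", "signInEventTypes": ["interactiveUser"], "isInteractive": True},
    {"id": "constructed-2", "signInEventTypes": ["nonInteractiveUser"], "isInteractive": False},
    {"category": "NonInteractiveUserSignInLogs", "properties": {"id": "constructed-3"}},
    {"category": "ServicePrincipalSignInLogs", "properties": {"id": "constructed-4"}},
    {"id": "constructed-5", "isInteractive": True},
    {"id": "constructed-6", "isInteractive": False},
    {"id": "constructed-7"},
]

if __name__ == "__main__":
    for name, count in sorted(summarize(SAMPLES).items()):
        print(f"{name}: {count}")
```

The value returned by `sign_in_type` can be written to an extra field at ingestion time so that searches filter on one normalized name regardless of which source delivered the event.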