Interactive logon Azure AD sign in

Asha 1 Reputation point
2022-06-14T11:51:25.157+00:00

Hi,

I am trying to build a usecase in Splunk using azure AD sign-in logs. Can some one please help me to identify which filed indicates the interactive/non interactive logon event in Azure AD sign-in logs.

Thank you

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,762 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 20,671 Reputation points Microsoft Employee
    2022-06-15T00:21:02.75+00:00

    Hi @Asha ,

    You can use the Graph BETA API to get both the interactive and non-interactive sign-in logs. The non-interactive sign-in logs have not yet been published to Graph v1.0.

    Using the Powershell Graph Module Microsoft.Graph.Users you can retrieve the non-interactive Sign-in via the signinactivity property.

    Select-MgProfile beta  
    Connect-MgGraph -Scopes AuditLog.Read.All, Organization.Read.All  
    Get-MgUser -UserId {objectid} -Property signinactivity | Select-Object -ExpandProperty SignInActivity  
    

    You need to use the Azure ObjectID of the account and not the UPN. You can query lastNonInteractiveSignInDateTime and lastNonInteractiveSignInRequestId, as noted in the signInActivity resource type documentation.

    Otherwise you can also get this information from Sign-in logs in Azure Active Directory - preview. There, on the sign-ins page, you can switch between Interactive user sign-ins and Non-interactive user sign-ins.

    Additional resources:

    Get non-interactive sign-ins
    signInActivity resource type
    Sign-in logs in Azure Active Directory - preview

    • If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.
    No comments