Retrieve Sign-In Activity of all users

QuintenV 21 Reputation points
2022-08-24T15:21:24.547+00:00

Dear,

I am in need of a list of all users in my Microsoft Azure account and next to them a column with their last logon date, as I want to clean up old non-active users.

I already have a script for extracting users and associate groups:

Get-AzureADUser -All $true | select UserPrincipalName, @{n="Groups";e={(Get-AzureADUserMembership -ObjectId $_.ObjectId -All $true | ? {$_.ObjectType -eq "Group" -and $_.SecurityEnabled -eq $true -and $_.MailEnabled -eq $false } | select -ExpandProperty DisplayName) -join "," }} | Export-Csv 'output.csv'

But now I also need a script to find the last activity dates of these users. Do you know whether there is some command I can add to the script above to also have an additional column with the last logon date? And if not, do you have a script that I could use to extract all users and their last logon date? (I have been looking into the "Get-AzureADAuditSignInLogs" API but unfortunately I keep stumbling into syntax errors or cmdlet errors).

Thank you already.

Microsoft Entra ID

4 answers

  1. Andy David - MVP 141.6K Reputation points MVP
    2022-08-24T16:19:25.887+00:00

    See:
    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

    You could just use Graph Explorer and run this command, looking for users who haven't logged in in the last 30 days:

    https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z  
    

    There is a thread that indicates this may not work so well:
    https://stackoverflow.com/questions/71022301/azure-graph-filtering-on-activity-and-group-membership

    Also see:
    https://morgantechspace.com/2021/09/find-last-login-date-for-all-azure-ad-users-using-powershell.html#report

    1 person found this answer helpful.

  2. David Broggy 5,681 Reputation points MVP
    2022-08-24T16:27:32.44+00:00

    Hi Quinten,
    You may be limited as to how far back you can go using those commands.
    My recommended approach is to log your data to a Log Analytics workspace and then use KQL to query your data.
    You would be looking at collecting the Azure AD logs at least.
    You can still use PowerShell to execute your KQL queries if you like, but now you'll have much more flexibility.
    If you're concerned about storage costs you can set the data retention to as low as you like.
    Good luck!


  3. QuintenV 21 Reputation points
    2022-08-25T07:13:04.607+00:00

    Hi,

    I indeed found similar documentation; unfortunately, for some reason they keep giving me errors and I am not seeing why.

    https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2022-08-25T07:06:20Z is giving me a "parser failure"

    From https://morgantechspace.com/2021/09/find-last-login-date-for-all-azure-ad-users-using-powershell.html#report, I tried to run the following code:

    https://graph.microsoft.com/beta/users?$select=displayName,signInActivity

    This did not give me the expected results, as for some reason I am not getting users in the CSV, and the last logon dates are also not included.

    Any further advice? :)


  4. QuintenV 21 Reputation points
    2022-08-25T07:34:55.187+00:00

    Hi,

    I indeed found similar documentation; unfortunately, for some reason they keep giving me errors and I am not seeing why.

    https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2022-08-25T07:06:20Z is giving me a "parser failure"

    From https://morgantechspace.com/2021/09/find-last-login-date-for-all-azure-ad-users-using-powershell.html#report, I tried to run the following code:

    https://graph.microsoft.com/beta/users?$select=displayName,signInActivity

    This did not give me the expected results, as for some reason I am not getting users in the CSV, and the last logon dates are also not included.

    Any further advice? :)

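One way to build the report the question asks for, using the `$select=...signInActivity` request quoted in the thread. This is an added example, not code from any poster here. The Microsoft.Graph.Authentication module, the two permission scopes, the 90-day threshold and the output file name are assumptions that do not come from the thread.

```powershell
# Added example. Requires the Microsoft.Graph.Authentication module.
# Reading signInActivity needs AuditLog.Read.All (plus User.Read.All for the
# user list) and a tenant with an Entra ID P1 or P2 license.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'

# Assumption: no sign-in for 90 days counts as inactive.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

# Single quotes are deliberate: inside double quotes PowerShell expands
# $select as an (empty) variable and the query option is lost.
$uri = 'https://graph.microsoft.com/beta/users?$select=displayName,userPrincipalName,accountEnabled,signInActivity'

$report = while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($u in $page.value) {
        # signInActivity is absent for accounts with no recorded sign-in.
        $last = $u.signInActivity.lastSignInDateTime
        $lastUtc = if ($last) { ([datetime]$last).ToUniversalTime() } else { $null }
        [pscustomobject]@{
            UserPrincipalName = $u.userPrincipalName
            DisplayName       = $u.displayName
            AccountEnabled    = $u.accountEnabled
            LastSignInUtc     = $lastUtc
            Inactive          = (-not $lastUtc) -or ($lastUtc -lt $cutoff)
        }
    }
    # Follow server-side paging until no further page is returned.
    $uri = $page.'@odata.nextLink'
}

$report | Sort-Object LastSignInUtc |
    Export-Csv -Path 'signin-report.csv' -NoTypeInformation
```

Accounts with no recorded sign-in come out with an empty `LastSignInUtc` and `Inactive` set to true; `lastSignInDateTime` reflects interactive sign-ins only, so review flagged accounts before disabling them.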