Retrieve Sign-In Activity of all users

QuintenV 21 Reputation points
2022-08-24T15:21:24.547+00:00

Dear,

I am in need of a list of all users in my Microsoft Azure account and next to them a column with their last longondate as I want clean up old non-active users.

I already have a script for extracting users and associate groups:

Get-AzureADUser -All $true | select UserPrincipalName, @{n="Groups";e={(Get-AzureADUserMembership -ObjectId $.ObjectId -All $true | ? {$.ObjectType -eq "Group" -and $.SecurityEnabled -eq $true -and $.MailEnabled -eq $false } | select -ExpandProperty DisplayName) -join "," }} | Export-Csv 'output.csv'

But now I also need a script to find the last activity dates of these users. Do you know whether there is some command I can add to the script above to also have an additional column with the last log-on date? And if not do you have a script that I could use to extract all users and their last logon date? (I have been looking into the "Get-AzureADAuditSignInLogs" API but unfortunately I keep stumbling into syntax errors or cmlet errors).

Thank you already.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,359 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Andy David - MVP 140.8K Reputation points MVP
    2022-08-24T16:19:25.887+00:00

    See:
    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

    You could just use Graph Explorer and run this command looking for users who havent logged in the last 30 days

    https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z  
    

    There is a thread that indicates this may not work so well:
    https://stackoverflow.com/questions/71022301/azure-graph-filtering-on-activity-and-group-membership

    Also see:
    https://morgantechspace.com/2021/09/find-last-login-date-for-all-azure-ad-users-using-powershell.html#report

    1 person found this answer helpful.
    0 comments No comments

  2. David Broggy 5,681 Reputation points MVP
    2022-08-24T16:27:32.44+00:00

    HI Quinten,
    You may be limited as to how far back you can go using those commands.
    My recommended approach is to log your data to a log analytics workspace and then use KQL to query your data.
    You would be looking at collecting the Azure AD logs at least.
    You can still use powershell to execute your kql queries if you like but now you'll have much more flexibility.
    If you're concerned about storage costs you can set the data retention to as low as you like.
    Good luck!

    0 comments No comments

  3. QuintenV 21 Reputation points
    2022-08-25T07:13:04.607+00:00

    Hi,

    I indeed found similar documentation, unfortunately for some reason they keep giving me errors and I am not seeing why.

    https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2022-08-25T07:06:20Z is giving me a "parser failure"

    from https://morgantechspace.com/2021/09/find-last-login-date-for-all-azure-ad-users-using-powershell.html#report, I tried to run the following code:

    https://graph.microsoft.com/beta/users?$select=displayName,signInActivity

    This ran did not give me expected results as for some reason I am not getting users in the CVS, and also last logondates are nog included.

    Any further advice? :)

    0 comments No comments

  4. QuintenV 21 Reputation points
    2022-08-25T07:34:55.187+00:00

    Hi,

    I indeed found similar documentation, unfortunately for some reason they keep giving me errors and I am not seeing why.

    https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2022-08-25T07:06:20Z is giving me a "parser failure"

    from https://morgantechspace.com/2021/09/find-last-login-date-for-all-azure-ad-users-using-powershell.html#report, I tried to run the following code:

    https://graph.microsoft.com/beta/users?$select=displayName,signInActivity

    This ran did not give me expected results as for some reason I am not getting users in the CVS, and also last logondates are nog included.

    Any further advice? :)

    0 comments No comments