Powershell - Get-AzureADAuditSignInLogs multiple filters

Time:07-16

I'm trying to get the last sign-in date for Global Admins:

$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select DisplayName, UserPrincipalName)

Foreach ($admin in $admins){
    $upn = $admin.UserPrincipalName

    $signons = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn' " -Top 1 | select UserDisplayName, @{Name = 'LastSignIn'; Expression = {$_.CreatedDateTime}}
}

The above code works as expected for users who have an entry in AuditSignInLogs, but I want to return users who never logged in too, so I modified the above filter (for all users in the loop):

$signons = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn' or CreatedDateTime eq '$null'" -Top 1 | select UserDisplayName, @{Name = 'LastSignIn'; Expression = {$_.CreatedDateTime}}

But I'm getting the error "Message: Invalid filter clause".

I also tried `or CreatedDateTime eq ''` but got the same error.

CodePudding user response:

Please check the below PowerShell commands.

I initially checked the same for users.

Then I checked the same for the admin role, i.e. admins, and could get the last logon for all the admins, including those who have no record yet in sign-ins.

$AllSignInLogs = Get-AzureADAuditSignInLogs -All $true
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
# ObjectId and AccountEnabled are selected here because the loop below uses both
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select ObjectId, DisplayName, UserPrincipalName, AccountEnabled)

$results = @()
Foreach ($admin in $admins){

    # sign-in entries carry the user's object id in UserId; newest first after the sort
    $LoginRecord = $AllSignInLogs | Where-Object{ $_.UserId -eq $admin.ObjectId } | Sort-Object CreatedDateTime -Descending
    if($LoginRecord.Count -gt 0){
        $lastLogin = $LoginRecord[0].CreatedDateTime
    }else{
        $lastLogin = 'no login record'
    }
    $item = @{
        userUPN=$admin.UserPrincipalName
        userDisplayName = $admin.DisplayName
        lastLogin = $lastLogin
        accountEnabled = $admin.AccountEnabled
    }
    $entry = New-Object PSObject -Property $item
    # append to the collection instead of overwriting it on every iteration
    $results += $entry

    Write-Output $entry

}
#$results | export-csv -Path d:\result.csv -NoTypeInformation


Reference: userlastlogon-export

CodePudding user response:

Thanks @kavyasaraboju-MT

Your hint helped me a lot; based on it, I modified my code, which now gets what I want:

$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select DisplayName, UserPrincipalName)

$results = @()
Foreach ($admin in $admins){
    $upn = $admin.UserPrincipalName

    # one filtered query per admin; the API simply returns nothing for users with no sign-in
    $LoginRecord = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn'" -Top 1
    # short pause between calls to stay under the API throttling limit
    Start-Sleep -Seconds 2
    if($LoginRecord){
        $lastLogin = $LoginRecord.CreatedDateTime
    }
    else{
        $lastLogin = 'no login record'
    }
    $item = @{
        userUPN=$admin.UserPrincipalName
        userDisplayName = $admin.DisplayName
        lastLogin = $lastLogin
    }

    # append, so every admin ends up in the exported CSV
    $results += New-Object PSObject -Property $item
}

$results | export-csv -Path c:\result.csv -NoTypeInformation -Encoding UTF8
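As an added example that is not part of either answer above, the following function wraps the per-user approach from this thread into a reusable privileged-account review: it queries one sign-in per role member, treats an empty result as "no sign-in on record", and additionally flags members whose last sign-in is older than a threshold. The function name `Get-RoleMemberLastSignIn`, its parameters, and the 90-day threshold are assumptions for illustration; it relies on the AzureAD module and an existing `Connect-AzureAD` session.

```powershell
# Added example (not from the thread): report the last sign-in for every user holding
# a given directory role and flag members with no sign-in on record or a stale one.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already been run.
function Get-RoleMemberLastSignIn {
    param(
        [string]$RoleName = 'Global Administrator',
        [int]$StaleAfterDays = 90,         # assumed threshold; align with your access-review policy
        [int]$ThrottleDelaySeconds = 2     # pause between API calls, as the thread does
    )

    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' is not activated in this tenant." }

    # Groups and service principals can hold roles too, but only users produce sign-in logs.
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectType -eq 'User' }

    foreach ($member in $members) {
        $upn = $member.UserPrincipalName
        # An apostrophe in a UPN would break the OData string; double it as OData requires.
        $escapedUpn = $upn -replace "'", "''"
        $latest = Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$escapedUpn'" -Top 1
        Start-Sleep -Seconds $ThrottleDelaySeconds

        if ($latest) {
            $lastSignIn = [datetime]$latest.CreatedDateTime
            $daysSince = [int]((Get-Date) - $lastSignIn).TotalDays
            $status = if ($daysSince -gt $StaleAfterDays) { 'Stale' } else { 'Active' }
        } else {
            # Nothing inside the log retention window: report it explicitly rather than
            # silently dropping the account from the output.
            $lastSignIn = $null
            $daysSince = $null
            $status = 'NoSignInOnRecord'
        }

        [pscustomobject]@{
            UserPrincipalName = $upn
            DisplayName       = $member.DisplayName
            AccountEnabled    = $member.AccountEnabled
            LastSignIn        = $lastSignIn
            DaysSinceSignIn   = $daysSince
            Status            = $status
        }
    }
}

# Usage: stale and never-signed-in admins first, then export for the access review.
Get-RoleMemberLastSignIn -RoleName 'Global Administrator' |
    Sort-Object Status, DaysSinceSignIn -Descending |
    Export-Csv -Path .\global-admin-signins.csv -NoTypeInformation -Encoding UTF8
```

Two points worth keeping in mind when reading the output. Sign-in logs are only retained for a limited window, so "no sign-in on record" means no sign-in within that window, not that the account has never been used; an enabled Global Administrator in that state still deserves a closer look. And because the filter is built from the UPN, the escaping step matters: a UPN containing an apostrophe would otherwise produce exactly the "Invalid filter clause" error seen in the question.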