Get-MgAuditLogSignIn: How to Monitor Sign-In Activities in Microsoft 365
This guide explains how to use Get-MgAuditLogSignIn in Graph PowerShell to retrieve sign-in logs from Azure AD. Learn how to query logs for specific users, filter by sign-in status, and export data for auditing purposes.
The Get-MgAuditLogSignIn cmdlet retrieves sign-in activities in the Microsoft 365 environment. This is useful for monitoring and auditing user sign-ins, which helps in maintaining security and compliance.
Prerequisites
- Install the Microsoft Graph PowerShell module by running the Install-Module Microsoft.Graph -Scope CurrentUser command.
- Connect to Microsoft Graph PowerShell by running Connect-MgGraph -Scopes "AuditLog.Read.All".
- To execute the Get-MgAuditLogSignIn cmdlet, you need the 'AuditLog.Read.All, Directory.Read.All, Directory.ReadWrite.All' Graph API permissions. These permissions can be granted either as delegated or as application-level permissions.
Note: In most cases, AuditLog.Read.All is sufficient for retrieving sign-in activities. However, depending on your specific scenario, or if the cmdlet's behavior depends on directory data, additional permissions like Directory.Read.All might be required.
Basic Syntax
Here's the basic syntax of the Get-MgAuditLogSignIn cmdlet:
Get-MgAuditLogSignIn [-Top <Int32>] [-Filter <String>] [-Select <String>] [-ExpandProperty <String>] [-ConsistencyLevel <ConsistencyLevel>] [<CommonParameters>]
Key Parameters:
- -Top <Int32>: Specifies the maximum number of records to retrieve. Useful for limiting the output to a manageable size, especially when dealing with large data sets.
- -Filter <String>: Applies an OData query to filter the results based on specific criteria. Allows you to narrow down the results to specific sign-in activities, such as those for a particular user or within a certain date range.
- -Select <String>: Specifies a comma-separated list of properties to include in the response. Helps in focusing on specific properties of the sign-in activities, making the output more readable and relevant to your needs.
- <CommonParameters>: The Get-MgAuditLogSignIn cmdlet supports the common parameters that are available in many PowerShell cmdlets. These include -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable.
Retrieve Top 10 Sign-In Activities
This command retrieves the top 10 most recent sign-in activities.
Retrieve Sign-In Activity Based On a Specific ID
Since every user sign-in event has an ID, you can also retrieve detailed information about a specific sign-in event by passing its ID.
Note: The sign-in event ID can be obtained by executing the Get-MgAuditLogSignIn cmdlet.
Audit Sign-In Activity for the Past 30 Days
Here's a Graph PowerShell script that audits user sign-in activity for the past 30 days using the Get-MgAuditLogSignIn cmdlet.
- $startDate is set to 30 days before today.
- $startDate is passed to the Get-MgAuditLogSignIn cmdlet inside the -Filter expression on createdDateTime. The results are saved in the $signIns variable.
- The UserPrincipalName, CreatedDateTime, IpAddress, Location and Status are pulled from the $signIns variable and displayed.
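The script described above, written out as an added example (it is not the page's own script). It assumes Connect-MgGraph -Scopes "AuditLog.Read.All" has already been run, and goes one step further than the description by grouping failed attempts per user so repeated failures stand out for review.

```powershell
# Added example (not the page's own script): audit sign-ins for the past 30 days.
# Assumes Connect-MgGraph -Scopes "AuditLog.Read.All" has already been run.
$startDate = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Graph expects an ISO 8601 UTC timestamp in the filter; -All follows the
# @odata.nextLink pages so records beyond the first page are not dropped.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate" -All

# Flatten the nested Location and Status objects into one report row per event
$report = foreach ($s in $signIns) {
    [PSCustomObject]@{
        UserPrincipalName = $s.UserPrincipalName
        CreatedDateTime   = $s.CreatedDateTime
        IpAddress         = $s.IpAddress
        Location          = "$($s.Location.City), $($s.Location.CountryOrRegion)"
        ErrorCode         = $s.Status.ErrorCode      # 0 means the sign-in succeeded
        FailureReason     = $s.Status.FailureReason
    }
}

# The audit trail for the period, newest first
$report | Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize

# Defender's view: users with five or more failed attempts in the window.
# The threshold is an assumed value; tune it to your tenant's baseline.
$report | Where-Object { $_.ErrorCode -ne 0 } |
    Group-Object UserPrincipalName |
    Where-Object { $_.Count -ge 5 } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```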
Cmdlet Tips
- Use Pagination for Large Datasets:
- Tip: When retrieving sign-in activity for a large number of users or over an extended period, use pagination (-Top parameter) to avoid overwhelming the system or missing data.
- Example: $logs = Get-MgAuditLogSignIn -Top 100
- Filter Sign-Ins by Date Range for Faster Results:
- Tip: Use the -Filter parameter to limit sign-in records to a specific date range, improving the performance of your query and ensuring that only relevant data is retrieved.
- Example: Get-MgAuditLogSignIn -Filter "createdDateTime ge 2024-01-01 and createdDateTime le 2024-08-01"
Use Cases
- Monitoring Suspicious Sign-In Activities:
- Scenario: Detecting unusual sign-in patterns (e.g., multiple failed attempts or sign-ins from unexpected locations) is critical for security teams.
- Implementation: Use Get-MgAuditLogSignIn to filter and identify sign-in attempts that may indicate a compromised account.
- Benefit: Helps improve security posture by proactively identifying and addressing potential threats.
- Compliance Reporting for Sign-In Activities:
- Scenario: Organizations must often generate compliance reports showing user access to critical systems over a defined period.
- Implementation: Use Get-MgAuditLogSignIn to retrieve and export sign-in data, ensuring that all login events are tracked for auditing purposes.
- Benefit: Simplifies the generation of compliance reports, ensuring that all necessary access logs are available for review.
- Analyzing User Sign-In Trends:
- Scenario: Organizations may want to understand when and how frequently users are accessing systems.
- Implementation: Use Get-MgAuditLogSignIn to gather and analyze user sign-in patterns, such as peak usage times or common sign-in locations.
- Benefit: Helps optimize resource allocation by identifying busy periods, which can assist in adjusting infrastructure or capacity.
- Identifying Stale Accounts:
- Scenario: User accounts that have not signed in for a long time may be inactive and pose a security risk.
- Implementation: Use Get-MgAuditLogSignIn to filter out users who haven’t signed in for a specific period, helping administrators review inactive accounts.
- Benefit: Streamlines the process of identifying stale or unused accounts that can be removed or deactivated to maintain security.
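One way to implement the stale-account check from the last use case, as an added example rather than the page's own code. It assumes Connect-MgGraph was run with the AuditLog.Read.All and User.Read.All scopes, and that the tenant's sign-in log retention covers the window being checked.

```powershell
# Added example (not the page's own code): find enabled member accounts with no
# interactive sign-in in the last $days days. Assumes Connect-MgGraph was run
# with -Scopes "AuditLog.Read.All","User.Read.All".
$days  = 30
$since = (Get-Date).AddDays(-$days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Record the latest sign-in per UPN. -Property trims each record to the two
# fields needed; -All pages through the full result set.
$lastSeen = @{}
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All -Property UserPrincipalName,CreatedDateTime |
    ForEach-Object {
        $upn = $_.UserPrincipalName.ToLowerInvariant()
        if (-not $lastSeen.ContainsKey($upn) -or $_.CreatedDateTime -gt $lastSeen[$upn]) {
            $lastSeen[$upn] = $_.CreatedDateTime
        }
    }

# Any enabled member account absent from the log window is a candidate for review.
# Caveats: the log only covers the tenant's retention period, and by default the
# sign-ins endpoint returns interactive user sign-ins, so accounts that only
# authenticate non-interactively can look stale here and need a second check.
$stale = Get-MgUser -Filter "accountEnabled eq true and userType eq 'Member'" -All -Property DisplayName,UserPrincipalName |
    Where-Object { -not $lastSeen.ContainsKey($_.UserPrincipalName.ToLowerInvariant()) } |
    Select-Object DisplayName, UserPrincipalName

$stale | Export-Csv -Path ".\StaleAccounts.csv" -NoTypeInformation
"$(@($stale).Count) enabled member accounts had no interactive sign-in since $since"
```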
Possible Errors You Might Face
Here are some errors you might encounter while using the Get-MgAuditLogSignIn cmdlet, and how to handle them:
- Insufficient Permissions to Access Sign-In Logs: Attempting to retrieve sign-in logs may fail if the account running the cmdlet does not have sufficient permissions. AuditLog.Read.All or Directory.Read.All are the required Graph API permissions.
- Invalid Filter Syntax error: Check the syntax of your filter query. Ensure it follows the OData query standards. For example, use eq for equality and ensure the property names are correct.
- Sign-In Activity Data is Incomplete: The cmdlet may return incomplete sign-in activity if there are too many records or the filtering criteria are not properly defined. Use pagination (-Top parameter) and specific query filters (e.g., a date range or specific users) to retrieve the full set of sign-in data in batches.
Note: Always refer to Get-MgAuditLogSignIn Microsoft Graph PowerShell Documentation to stay updated about the cmdlet.
Frequently Asked Questions
What is Get-MgAuditLogSignIn used for?
Get-MgAuditLogSignIn is a Microsoft Graph PowerShell cmdlet used to retrieve Azure AD sign-in logs. It is commonly used for monitoring user activities, detecting failed logins, and auditing security events.
How can I retrieve sign-in logs for a specific user?
Use the -Filter parameter to query logs for a specific user’s sign-in activity. For example:
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@domain.com'" -All
Can I filter sign-in logs by status (e.g., failed sign-ins)?
Yes, you can filter logs by sign-in status using the -Filter parameter. For example:
Get-MgAuditLogSignIn -Filter "status/errorCode ne 0" -All
How can I export sign-in logs to a CSV file?
You can export sign-in logs for further analysis using this script:
$SignInLogs = Get-MgAuditLogSignIn -All
$SignInLogs | Select-Object UserPrincipalName, IpAddress, Status, CreatedDateTime | Export-Csv -Path "C:\Path\To\SignInLogs.csv" -NoTypeInformation
Conclusion:
Understanding the detailed syntax of the Get-MgAuditLogSignIn cmdlet allows you to effectively retrieve and filter sign-in activities in Microsoft 365. Each parameter provides a specific function that enhances the cmdlet's flexibility and usability, enabling you to tailor your queries to your exact requirements.