Search-UnifiedAuditLog

  • Question

  • When running the following command against Office 365,

    $strtTime=(get-date).Adddays(-1)

    $endTime=get-date

    Search-UnifiedAuditLog -ResultSize 5000 -StartDate $strtTime -EndDate $endTime -RecordType "azureactivedirectorystslogon" -Operations "userloggedin"

    I do get a list of successful sign-ins. However, for some users I get duplicates. When inspecting the duplicates, the extended property data is identical. More confusing is that the returned ID on the duplicate is different. This does not happen for each record though. Any ideas where I can trace down the issue?

    Wednesday, October 23, 2019 6:46 PM

All replies

  • The following will prevent incorrect boundaries and simplify the code.

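    # Parameters for Search-UnifiedAuditLog, passed by splatting.
    # The cmdlet's date parameters are -StartDate and -EndDate.
    $props = @{
    	StartDate = [datetime]::Today.AddDays(-1)   # midnight yesterday
    	EndDate   = [datetime]::Today               # midnight today
    	ResultSize = 5000
    	RecordType = 'azureactivedirectorystslogon'
    	Operations = 'userloggedin'
    }
    Search-UnifiedAuditLog @props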

    A user can have multiple logon records because they can log in from multiple devices or log out and log in again. I believe a login is only good for 24 hours and must be refreshed. Also, your dates are not for the previous day but are for the previous 24 hours, so two days of logins would be returned.


    \_(ツ)_/


    • Edited by jrv Wednesday, October 23, 2019 8:04 PM
    Wednesday, October 23, 2019 8:01 PM
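
One way to trace the duplicates described in the question, as an added example that is not part of the original thread: hash each record's `AuditData` with the per-record `Id` removed, then group on that hash so rows that differ only by `Id` fall together. The sample records are constructed, and the function name `Get-AuditContentKey` is hypothetical; replace `$records` with real `Search-UnifiedAuditLog` output.

```powershell
# Constructed sample shaped like Search-UnifiedAuditLog output; every value is made up.
$records = @(
    [pscustomobject]@{ UserIds = 'alice@example.com'; CreationDate = [datetime]'2019-10-23T10:00:00'
        AuditData = '{"Id":"00000000-0000-0000-0000-000000000001","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"ExampleAgent/1.0"}]}' }
    [pscustomobject]@{ UserIds = 'alice@example.com'; CreationDate = [datetime]'2019-10-23T10:00:00'
        AuditData = '{"Id":"00000000-0000-0000-0000-000000000002","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"ExampleAgent/1.0"}]}' }
    [pscustomobject]@{ UserIds = 'bob@example.com'; CreationDate = [datetime]'2019-10-23T11:30:00'
        AuditData = '{"Id":"00000000-0000-0000-0000-000000000003","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.7","ExtendedProperties":[{"Name":"UserAgent","Value":"ExampleAgent/1.0"}]}' }
)

# Hypothetical helper: SHA-256 over the AuditData JSON with the Id field dropped
# and top-level properties sorted, so field order does not change the key.
function Get-AuditContentKey {
    param([Parameter(Mandatory)][string]$AuditData)
    $data  = $AuditData | ConvertFrom-Json
    $names = $data.PSObject.Properties.Name | Where-Object { $_ -ne 'Id' } | Sort-Object
    $json  = $data | Select-Object -Property $names | ConvertTo-Json -Depth 10 -Compress
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($json))
        [System.BitConverter]::ToString($hash) -replace '-', ''
    } finally { $sha.Dispose() }
}

# Group records whose payload is identical apart from Id.
$grouped = $records |
    Select-Object *, @{ Name = 'ContentKey'; Expression = { Get-AuditContentKey -AuditData $_.AuditData } } |
    Group-Object -Property ContentKey

# One record per distinct sign-in event.
$unique = $grouped | ForEach-Object { $_.Group[0] }

# Duplicate report: which events were returned more than once, and under which Ids.
$duplicates = $grouped | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    [pscustomobject]@{
        UserIds      = $_.Group[0].UserIds
        CreationDate = $_.Group[0].CreationDate
        Copies       = $_.Count
        Ids          = ($_.Group | ForEach-Object { ($_.AuditData | ConvertFrom-Json).Id }) -join ', '
    }
}

"{0} records, {1} distinct events" -f $records.Count, @($unique).Count
$duplicates | Format-Table -AutoSize
```

Records that land in different groups differ in at least one field other than `Id`, which points to separate sign-ins rather than repeated rows.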