Calling attributes of objects returned by Get-AzureADAuditSignInLogs

  • Question

  • Hi,

    I've written a script to pull sign-in logs for Azure AD guest user accounts from the past 90 days. I'm struggling to figure out how to pull specific attributes from the sign-in log entries, and it's just returning the whole object. Can anyone point me in the right direction please?

    # Lists, for every enabled Azure AD guest account, the sign-ins recorded since
    # the start of the 90-day window, or a "no logins" line when none come back.
    # NOTE(review): sign-in logs are kept only for the tenant's retention period,
    # which may be shorter than 90 days; an empty result then does not prove the
    # account was unused for the whole window - confirm retention for this tenant.
    $queryStartDateTime = (Get-Date).AddDays(-90)
    # Timestamp text for the OData filter: local time with a UTC offset (zzz).
    $queryStartDateTimeFilter = '{0:yyyy-MM-dd}T{0:HH:mm:sszzz}' -f $queryStartDateTime
    
    Connect-AzureAD
    # NOTE(review): no -All is passed, so the result may be limited to the cmdlet's
    # default page size and guests beyond it are silently skipped - confirm.
    $guestUsers = Get-AzureADUser -Filter "UserType eq 'Guest' and AccountEnabled eq true"
    foreach ($guestUser in $guestUsers) {
        # The -Filter string is OData syntax (eq / and / ge), not PowerShell operators.
        $guestUserSignIns = Get-AzureADAuditSignInLogs -Filter "UserID eq '$($guestUser.ObjectID)' and createdDateTime ge $queryStartDateTimeFilter"
        # With a collection on the left, -eq filters the collection instead of
        # returning a Boolean; `$null -eq $guestUserSignIns` is the unambiguous form.
        if ($guestUserSignIns -eq $null) {
            # Inside a double-quoted string only the variable itself is expanded:
            # "$guestUser.displayname" prints the whole object followed by the literal
            # text ".displayname". Property access needs a subexpression,
            # i.e. "$($guestUser.DisplayName)".
            Write-Output "No logins for $guestUser.displayname within the past 90 days"
        } else {
            foreach ($guestUserSignIn in $guestUserSignIns) {
                # Same expansion rule as above: each "$guestUserSignIn.Property" needs
                # to be written as "$($guestUserSignIn.Property)" to print the property.
                Write-Output "$guestUserSignIn.UserDisplayName logged into $guestUserSignIn.AppDisplayName on $guestUserSignIn.CreatedDateTime from IP $guestUserSignIn.IpAddress"
            }
        }
    }

    Thanks

    Friday, June 12, 2020 10:38 AM

Answers

  • Fixed it :)

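    # Exports the sign-ins of every enabled Azure AD guest account since the start
    # of the 90-day window to a CSV file: one row per sign-in, and a single
    # placeholder row for a guest with no sign-in in the returned data.
    # NOTE(review): sign-in logs are kept only for the tenant's retention period,
    # which may be shorter than 90 days; a "None within past 90 days" row then only
    # means "none in the retained logs" - confirm retention before acting on it.
    # NOTE(review): guest display names and UPNs originate outside the tenant;
    # treat the CSV as untrusted data when opening it in a spreadsheet application.
    $queryStartDateTime = (Get-Date).AddDays(-90)
    # Timestamp text for the OData filter: local time with a UTC offset (zzz).
    $queryStartDateTimeFilter = '{0:yyyy-MM-dd}T{0:HH:mm:sszzz}' -f $queryStartDateTime
    # Build the file name once so a run that crosses midnight still writes one file.
    $csvPath = ".\AADGuestUsersLogins-$(Get-Date -UFormat '%d-%m-%y').csv"

    Clear-Host
    Connect-AzureAD

    # -All $true: without it only the first page of guests is returned and the
    # remaining accounts would be missing from the report.
    $guestUsers = Get-AzureADUser -All $true -Filter "UserType eq 'Guest' and AccountEnabled eq true"
    foreach ($guestUser in $guestUsers) {
        # The -Filter string is OData syntax (eq / and / ge), not PowerShell operators.
        # @( ) forces an array, so "no result", "one entry" and "many entries" are
        # all handled by the same Count test and loop.
        $guestUserSignIns = @(Get-AzureADAuditSignInLogs -All $true -Filter "UserID eq '$($guestUser.ObjectID)' and createdDateTime ge $queryStartDateTimeFilter")
        if ($guestUserSignIns.Count -eq 0) {
            $props = [ordered]@{
                UserDisplayName                = $guestUser.DisplayName
                UserPrincipalName              = $guestUser.UserPrincipalName
                AppUserAccessed                = $null
                AzureADAuditSignInLogEntryDate = "None within past 90 days"
                UsersIpAddress                 = $null
            }
            New-Object PsObject -Property $props | Export-Csv -Path $csvPath -NoTypeInformation -Append
        } else {
            foreach ($guestUserSignIn in $guestUserSignIns) {
                $props = [ordered]@{
                    UserDisplayName                = $guestUserSignIn.UserDisplayName
                    UserPrincipalName              = $guestUserSignIn.UserPrincipalName
                    AppUserAccessed                = $guestUserSignIn.AppDisplayName
                    AzureADAuditSignInLogEntryDate = $guestUserSignIn.CreatedDateTime
                    UsersIpAddress                 = $guestUserSignIn.IpAddress
                }
                # Export inside the loop: exporting after it would write only the
                # last sign-in of each guest and drop all earlier ones.
                New-Object PsObject -Property $props | Export-Csv -Path $csvPath -NoTypeInformation -Append
            }
        }
    }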




    • Marked as answer by David4576 Friday, June 12, 2020 1:26 PM
    • Edited by David4576 Friday, June 12, 2020 1:58 PM
    Friday, June 12, 2020 1:26 PM

All replies

  • Are these copy & paste errors or typos?

    In your -Filter it should be "-eq" instead of "eq" and "-and" instead of "and" and "$true" instead of "true". And there are more operators wrong in your code.


    Live long and prosper!

    (79,108,97,102|%{[char]$_})-join''




    • Edited by BOfH-666 Friday, June 12, 2020 10:50 AM
    Friday, June 12, 2020 10:48 AM
  • I don't believe you strictly need that, operators are running fine.
    Friday, June 12, 2020 10:58 AM
  • The filter is not an AD filter.  It is an "oData" filter which uses a different syntax.

    See: https://www.odata.org/documentation/odata-version-3-0/odata-version-3-0-core-protocol/#queryingcollections


    \_(ツ)_/

    Friday, June 12, 2020 11:09 AM
  • Ah okay yeah I was just reading that here: https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview

    -Filter

    The oData v3.0 filter statement. Controls which objects are returned.

    Is the Get-AzureADAuditSignInLogs cmdlet not returning objects that I can just use .attribute on to pull out specific data, then?

    Edit: think I've figured it out, I think it's returning a series of objects so I need to call which one in the array.

    Cheers


    • Edited by David4576 Friday, June 12, 2020 11:16 AM
    Friday, June 12, 2020 11:14 AM
  • Hmmm, not quite working calling each object in the array. Any ideas?

    # Second attempt: for every enabled guest account, fetch the sign-ins since the
    # start of the 90-day window and print one line per entry.
    $queryStartDateTime = (Get-Date).AddDays(-90)
    # Timestamp text for the OData filter: local time with a UTC offset (zzz).
    $queryStartDateTimeFilter = '{0:yyyy-MM-dd}T{0:HH:mm:sszzz}' -f $queryStartDateTime
    
    Connect-AzureAD
    # NOTE(review): no -All is passed, so the result may be limited to the cmdlet's
    # default page size and guests beyond it are silently skipped - confirm.
    $guestUsers = Get-AzureADUser -Filter "UserType eq 'Guest' and AccountEnabled eq true"
    foreach ($guestUser in $guestUsers) {
        Write-Output "Getting User's logins for the past 90 days"
        # The -Filter string is OData syntax (eq / and / ge), not PowerShell operators.
        $guestUserSignIns = Get-AzureADAuditSignInLogs -Filter "UserID eq '$($guestUser.ObjectID)' and createdDateTime ge $queryStartDateTimeFilter"
        # $numObj is assigned here but not read anywhere in this listing.
        $numObj = $guestUserSignIns.count
        # With a collection on the left, -eq filters the collection instead of
        # returning a Boolean; `$null -eq $guestUserSignIns` is the unambiguous form.
        if ($guestUserSignIns -eq $null) {
            # "$guestUser.displayname" expands only $guestUser and then appends the
            # literal text ".displayname"; use "$($guestUser.DisplayName)" instead.
            Write-Output "No logins for $guestUser.displayname within the past 90 days"
        } else {
            $currentObj = 0
            foreach ($guestUserSignIn in $guestUserSignIns) {
                # foreach already hands over one log entry per iteration, so no index
                # is needed. Inside the string, $guestUserSignIn and $currentObj are
                # expanded separately and "[", "].UserDisplayName" stay literal text;
                # "$($guestUserSignIn.UserDisplayName) logged in" prints the property.
                Write-Output "$guestUserSignIn[$currentObj].UserDisplayName logged in"
                $currentObj++
            }
        }
    }

    Friday, June 12, 2020 12:30 PM
  • Fixed it :)

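    # Exports the sign-ins of every enabled Azure AD guest account since the start
    # of the 90-day window to a CSV file: one row per sign-in, and a single
    # placeholder row for a guest with no sign-in in the returned data.
    # NOTE(review): sign-in logs are kept only for the tenant's retention period,
    # which may be shorter than 90 days; a "None within past 90 days" row then only
    # means "none in the retained logs" - confirm retention before acting on it.
    # NOTE(review): guest display names and UPNs originate outside the tenant;
    # treat the CSV as untrusted data when opening it in a spreadsheet application.
    $queryStartDateTime = (Get-Date).AddDays(-90)
    # Timestamp text for the OData filter: local time with a UTC offset (zzz).
    $queryStartDateTimeFilter = '{0:yyyy-MM-dd}T{0:HH:mm:sszzz}' -f $queryStartDateTime
    # Build the file name once so a run that crosses midnight still writes one file.
    $csvPath = ".\AADGuestUsersLogins-$(Get-Date -UFormat '%d-%m-%y').csv"

    Clear-Host
    Connect-AzureAD

    # -All $true: without it only the first page of guests is returned and the
    # remaining accounts would be missing from the report.
    $guestUsers = Get-AzureADUser -All $true -Filter "UserType eq 'Guest' and AccountEnabled eq true"
    foreach ($guestUser in $guestUsers) {
        # The -Filter string is OData syntax (eq / and / ge), not PowerShell operators.
        # @( ) forces an array, so "no result", "one entry" and "many entries" are
        # all handled by the same Count test and loop.
        $guestUserSignIns = @(Get-AzureADAuditSignInLogs -All $true -Filter "UserID eq '$($guestUser.ObjectID)' and createdDateTime ge $queryStartDateTimeFilter")
        if ($guestUserSignIns.Count -eq 0) {
            $props = [ordered]@{
                UserDisplayName                = $guestUser.DisplayName
                UserPrincipalName              = $guestUser.UserPrincipalName
                AppUserAccessed                = $null
                AzureADAuditSignInLogEntryDate = "None within past 90 days"
                UsersIpAddress                 = $null
            }
            New-Object PsObject -Property $props | Export-Csv -Path $csvPath -NoTypeInformation -Append
        } else {
            foreach ($guestUserSignIn in $guestUserSignIns) {
                $props = [ordered]@{
                    UserDisplayName                = $guestUserSignIn.UserDisplayName
                    UserPrincipalName              = $guestUserSignIn.UserPrincipalName
                    AppUserAccessed                = $guestUserSignIn.AppDisplayName
                    AzureADAuditSignInLogEntryDate = $guestUserSignIn.CreatedDateTime
                    UsersIpAddress                 = $guestUserSignIn.IpAddress
                }
                # Export inside the loop: exporting after it would write only the
                # last sign-in of each guest and drop all earlier ones.
                New-Object PsObject -Property $props | Export-Csv -Path $csvPath -NoTypeInformation -Append
            }
        }
    }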




    • Marked as answer by David4576 Friday, June 12, 2020 1:26 PM
    • Edited by David4576 Friday, June 12, 2020 1:58 PM
    Friday, June 12, 2020 1:26 PM