
I'm trying to get the last sign-in date for Global Admins:

$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select DisplayName, UserPrincipalName)

Foreach ($admin in $admins){
    $upn = $admin.UserPrincipalName

    # One sign-in log query per admin; -Top 1 returns a single (latest) entry for this UPN
    $signons = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn'" -Top 1 | select UserDisplayName, @{Name = 'LastSignIn'; Expression = {$_.CreatedDateTime}}
}

The above code works as expected for users who have an entry in AuditSignInLogs, but I want to return users who have never logged in too, so I modified the above filter (for all users in the for loop):

$signons = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn' or CreatedDateTime eq '$null'" -Top 1 | select UserDisplayName, @{Name = 'LastSignIn'; Expression = {$_.CreatedDateTime}}

But I get the error "Message: Invalid filter clause".

I also tried "or CreatedDateTime eq ''" but got the same error.

2 Answers


  1. Chosen as BEST ANSWER

    Thanks @kavyasaraboju-MT

    Your hint helped me a lot; based on it, I modified my code, which now gets what I want:

    $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
    $admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select DisplayName, UserPrincipalName)

    $results = @()
    Foreach ($admin in $admins){
        $upn = $admin.UserPrincipalName

        # One query per admin; -Top 1 returns a single (latest) sign-in entry for this UPN
        $LoginRecord = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn'" -Top 1
        # Short pause between calls to stay under the request throttling limits
        Start-Sleep -Seconds 2
        if($LoginRecord.Count -gt 0){
            $lastLogin = $LoginRecord.CreatedDateTime
        }
        else{
            # No entry in the sign-in log: never signed in within the log retention window
            $lastLogin = 'no login record'
        }
        $item = @{
            userUPN         = $admin.UserPrincipalName
            userDisplayName = $admin.DisplayName
            lastLogin       = $lastLogin
        }

        $results += New-Object PSObject -Property $item
    }

    $results | export-csv -Path C:\result.csv -NoTypeInformation -Encoding UTF8
    

  2. Please check the PowerShell commands below.

    I initially checked the same for users.

    Then I checked the same for the admin role, i.e. admins, and could get the last logon for all the admins, including those who have no record yet in the sign-in logs.

    $AllSignInLogs = Get-AzureADAuditSignInLogs -All $true
    $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
    # Keep ObjectId and AccountEnabled: both are needed for the UserId match and the report below
    $admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select ObjectId, DisplayName, UserPrincipalName, AccountEnabled)

    $results = @()
    Foreach ($admin in $admins){

        # Match sign-ins by object id rather than UPN, newest entry first
        $LoginRecord = @($AllSignInLogs | Where-Object{ $_.UserId -eq $admin.ObjectId } | Sort-Object CreatedDateTime -Descending)
        if($LoginRecord.Count -gt 0){
            $lastLogin = $LoginRecord[0].CreatedDateTime
        }else{
            $lastLogin = 'no login record'
        }
        $item = @{
            userUPN         = $admin.UserPrincipalName
            userDisplayName = $admin.DisplayName
            lastLogin       = $lastLogin
            accountEnabled  = $admin.AccountEnabled
        }
        $results += New-Object PSObject -Property $item
    }

    # Emit the full report once, after the loop
    Write-Output $results
    #$results | export-csv -Path d:result.csv -NoTypeInformation
    

    Result: (screenshot)

    Reference:
    userlastlogon-export
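As an added example (not code from the question or either answer), the same report built with a UserId-keyed hashtable so each admin is a single lookup rather than a scan of the whole log array, plus a staleness flag that marks admins who have never signed in or whose last sign-in is older than a threshold. The function name Get-GlobalAdminSignInReport and the -StaleDays and -RoleName parameters are assumptions chosen for this example.

```powershell
# Added example, not from the page. Assumes the AzureADPreview module is connected
# (Connect-AzureAD). Function and parameter names are chosen for this example.
function Get-GlobalAdminSignInReport {
    param(
        [int]$StaleDays = 30,                       # assumed parameter name
        [string]$RoleName = 'Global Administrator'  # assumed parameter name
    )

    # Pull the sign-in log once. Only the tenant's retention window is visible
    # through this cmdlet, so "no login record" means none within that window.
    $allSignIns = Get-AzureADAuditSignInLogs -All $true

    # Index: UserId -> most recent CreatedDateTime seen for that user
    $lastByUser = @{}
    foreach ($s in $allSignIns) {
        if (-not $s.UserId) { continue }            # skip entries without a user id
        $ts = [datetime]$s.CreatedDateTime
        if (-not $lastByUser.ContainsKey($s.UserId) -or $ts -gt $lastByUser[$s.UserId]) {
            $lastByUser[$s.UserId] = $ts
        }
    }

    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
    # Do not Select-Object away ObjectId/AccountEnabled: the lookup below needs them.
    # Role members can include service principals, so keep user objects only.
    $admins = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectType -eq 'User' }

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($admin in $admins) {
        $last = $lastByUser[$admin.ObjectId]        # $null when never signed in
        [PSCustomObject]@{
            UserPrincipalName = $admin.UserPrincipalName
            DisplayName       = $admin.DisplayName
            AccountEnabled    = $admin.AccountEnabled
            LastSignIn        = if ($last) { $last } else { 'no login record' }
            # Never-used or long-idle privileged accounts are candidates for review
            Stale             = (-not $last) -or ($last -lt $cutoff)
        }
    }
}

# Usage: Get-GlobalAdminSignInReport -StaleDays 30 |
#     Export-Csv -Path .\admin-signins.csv -NoTypeInformation -Encoding UTF8
```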
