Question 105600 in Azure Question posted in
The official documentation to get you started can be found here.

Powershell – Get-AzureADAuditSignInLogs multiple filters

I’m trying to Get last signin date for Global Admins

$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select DisplayName, UserPrincipalName)

Foreach ($admin in $admins){
     $upn = $admin.UserPrincipalName

  
      $signons = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn' " -Top 1 | select UserDisplayName, @{Name = 'LastSignIn'; Expression = {$_.CreatedDateTime}}
        }

And above code works as expected for users who have entry in AuditSignInLogs, but i want to return users who never logged in too, so modified above filter
(all users in for loop)

$signons = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn' or CreatedDateTime eq '$null'" -Top 1 | select UserDisplayName, @{Name = 'LastSignIn'; Expression = {$_.CreatedDateTime}}

But getting error "Message: Invalid filter clause"

also tried or CreatedDateTime eq '' but same error

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    thanks @kavyasaraboju-MT

    Your hint helped me a lot, based on it, i modified my code which gets what i want

    $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select DisplayName, UserPrincipalName)

$results = @()
Foreach ($admin in $admins){
     $upn = $admin.UserPrincipalName


      $LoginRecord = Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$upn'" -Top 1
      Start-Sleep -Seconds 2
      if($LoginRecord.Count -gt 0){
          $lastLogin = $LoginRecord.CreatedDateTime
          }
          else{
          $lastLogin = 'no login record'
         }
        $item = @{
            userUPN=$admin.UserPrincipalName
            userDisplayName = $admin.DisplayName
            lastLogin = $lastLogin
           
         }

       
       $results += New-Object PSObject -Property $item
      
  }

$results | export-csv -Path c:result.csv -NoTypeInformation -Encoding UTF8

  2. 0

    Please check below powershell commands.

    I have initially checked the same for users .
    enter image description here

    Then checked the same for admin role i.e;admins and could get the lastlogon for all the admins including who has no recored yet in signins.

    $AllSiginLogs = Get-AzureADAuditSignInLogs -All $true
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Global Administrator'}
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select DisplayName, UserPrincipalName)

$results = @()
Foreach ($admin in $admins){

    $LoginRecord = $AllSiginLogs | Where-Object{ $_.UserId -eq $admin.ObjectId  } | Sort-Object CreatedDateTime -Descending
    if($LoginRecord.Count -gt 0){
        $lastLogin = $LoginRecord[0].CreatedDateTime
    }else{
        $lastLogin = 'no login record'
    }
    $item = @{
        userUPN=$admin.UserPrincipalName
        userDisplayName = $admin.DisplayName
        lastLogin = $lastLogin
        accountEnabled = $admin.AccountEnabled
    }
    $results += New-Object PSObject -Property $item  

    Write-Output $results
    
}
#$results | export-csv -Path d:result.csv -NoTypeInformation

    Result:
    enter image description here

    Reference:
    userlastlogon-export

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search