User logins to Azure AD

July 22, 2021

The script generates a report containing the dates when the specified user logged on to Azure AD for the specified period. To execute the script, create a report with the corresponding parameters and custom columns. The report should have no scope. The account whose login dates will be present in the report will be selected using a report parameter. To connect to Microsoft 365, the script uses the credentials specified in the Run As section (located on the Script tab).

To execute the script, install AzureADPreview PowerShell module on the computer where Adaxes service runs.

Parameters:

  • $userParamName - Specifies the name of the parameter for selecting a user whose login dates will be present in the report. The parameter name should be specified with the param- prefix.
  • $daysParamName - Specifies the name of the parameter used to select the time period to output login dates for. The parameter name should be specified with the param- prefix.
  • $dateColumnID - Specifies the identifier of the custom column that will store user login dates. To get the identifier:
    1. In the Report-specific columns section, on the Columns tab, right-click the custom column.
    2. In the context menu, navigate to Copy and click Column ID.
    3. The column identifier will be copied to clipboard.
  • $applicationColumnID - Specifies the identifier of the custom column that will store the target applications.
  • $statusColumnID - Specifies the identifier of the custom column that will store the login statuses.
  • $ipAddressColumnID - Specifies the identifier of the custom column that will store IP addresses of the devices used to log in.
  • $conditionalAccessColumnID - Specifies the identifier of the custom column that will store the applied conditional access rules.
  • $authRequirementColumnID - Specifies the identifier of the custom column that will store login authentication requirements.
PowerShell
Import-Module AzureADPreview

# Parameter names
$userParamName = "param-User" # TODO: modify me
$daysParamName = "param-Days" # TODO: modify me

# Custom column IDs
$dateColumnID = "{f7553bac-8312-4898-961a-801e4ab5afd8}" # TODO: modify me
$applicationColumnID = "{899c95bc-29ae-4907-b929-ca53356c10dd}" # TODO: modify me
$statusColumnID = "{91c41324-db35-4586-a574-adc376d74930}" # TODO: modify me
$ipAddressColumnID = "{a2ada9a5-05e7-43fe-9f75-0e3866899e62}" # TODO: modify me
$conditionalAccessColumnID = "{d1c81aab-cd50-4a3b-91cd-5e6d73176585}" # TODO: modify me
$authRequirementColumnID = "{858369ac-3655-4348-b53a-d4bad5b6ff0b}" # TODO: modify me

# Get parameter values
$days = $Context.GetParameterValue($daysParamName)
$userDN = $Context.GetParameterValue($userParamName)

# Get user UPNs
$user = $Context.BindToObjectByDN($userDN)
$userUPN = $user.Get("userPrincipalName")

# Calculate date for filter
$date = $((Get-Date).AddDays(-$days)).ToString("yyyy-MM-dd")

# Get credentials
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)

try
{
    # Connect to AzureAD
    Connect-AzureAD -Credential $credential
    
    # Retrieve data
    $filter = "userPrincipalName eq '" + $userUPN + "' and createdDateTime gt " + $date
    $logs = Get-AzureADAuditSignInLogs -Filter $filter
    
    # Generate report
    foreach ($log in $logs)
    {
        $columnValues = @{ }
        $columnValues.Add($dateColumnID, $log.CreatedDateTime)
        $columnValues.Add($applicationColumnID, $log.AppDisplayName)
        if ($log.Status.ErrorCode -eq 0)
        {
            $status = "Success"
        }
        else
        {
            $status = "Failure reason: " + $log.Status.FailureReason
        }
        $columnValues.Add($statusColumnID, $status)
        $columnValues.Add($ipAddressColumnID, $log.IpAddress)
        $columnValues.Add($conditionalAccessColumnID, $log.ConditionalAccessStatus)
        if ($NULL -ne $log.MfaDetail)
        {
            $authRequirement = "Multi-factor authentication"
        }
        else
        {
            $authRequirement = "Single-factor authentication"
        }
        $columnValues.Add($authRequirementColumnID, $authRequirement)
        $Context.Items.Add($user, $columnValues)
    }    
}
finally
{
    # Close connection
    Disconnect-AzureAD
}
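The script above builds its OData filter by concatenating the UPN into a quoted literal and maps each sign-in record to the report columns inline. The following added example (not part of the repository script) separates both steps into reusable functions: the filter builder doubles any single quote in the UPN so it cannot break the OData literal, and the row mapper applies the same status and MFA classification to constructed sample records shaped like the objects Get-AzureADAuditSignInLogs returns, so it runs without a tenant connection. Function names, the sample values and the full ISO 8601 timestamp format are assumptions of this example.

```powershell
# Build the OData filter without trusting the UPN verbatim. A single quote in the
# UPN is doubled, which is how OData string literals escape quotes.
function New-SignInFilter {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][int]$Days
    )
    if ($Days -lt 1) { throw "Days must be a positive number" }
    $escapedUpn = $UserPrincipalName -replace "'", "''"
    # Full UTC timestamp (assumption: accepted by the sign-in logs filter)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    return "userPrincipalName eq '$escapedUpn' and createdDateTime gt $since"
}

# Map one sign-in record to the values the report columns carry, using the
# same classification rules as the repository script.
function ConvertTo-SignInRow {
    param([Parameter(Mandatory)]$SignIn)
    if ($SignIn.Status.ErrorCode -eq 0) { $status = "Success" }
    else { $status = "Failure reason: " + $SignIn.Status.FailureReason }
    if ($null -ne $SignIn.MfaDetail) { $auth = "Multi-factor authentication" }
    else { $auth = "Single-factor authentication" }
    [pscustomobject]@{
        Date              = $SignIn.CreatedDateTime
        Application       = $SignIn.AppDisplayName
        Status            = $status
        IpAddress         = $SignIn.IpAddress
        ConditionalAccess = $SignIn.ConditionalAccessStatus
        AuthRequirement   = $auth
    }
}

# Constructed sample records (hypothetical values) in the shape of sign-in log objects.
$sampleSignIns = @(
    [pscustomobject]@{ CreatedDateTime = "2021-07-20T08:15:00Z"; AppDisplayName = "Office 365 Exchange Online"
        Status = [pscustomobject]@{ ErrorCode = 0; FailureReason = $null }
        IpAddress = "198.51.100.10"; ConditionalAccessStatus = "success"
        MfaDetail = [pscustomobject]@{ AuthMethod = "Mobile app notification" } },
    [pscustomobject]@{ CreatedDateTime = "2021-07-21T23:42:00Z"; AppDisplayName = "Azure Portal"
        Status = [pscustomobject]@{ ErrorCode = 50126; FailureReason = "Invalid username or password" }
        IpAddress = "203.0.113.7"; ConditionalAccessStatus = "notApplied"; MfaDetail = $null }
)

# A UPN containing an apostrophe produces a valid filter instead of a malformed one.
New-SignInFilter -UserPrincipalName "o'brien@example.com" -Days 7
$sampleSignIns | ConvertTo-SignInRow | Format-Table -AutoSize
```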
