Forum Discussion
QuintonR
Nov 21, 2023 - Copper Contributor
AAD Sign In Activity Details: Getting the Result Details
Hello,
I've spent hours figuring out how to write a script using the "Get-MgAuditLogSignIn" to create a report showing which sign-in events had a "Result detail" of "Correct password" that occurred outside a set of predefined locations for all users in the last 24 hours.
The concept is to be able to run this script daily to check which users may have had a guessed password from someone outside a series of predefined locations.
The screenshot below communicates, in a different way, what info I want pulled for each user.
The basic script I'm running revolves around this generally:
# Allow locally created scripts to run for this user only
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Install the Microsoft Graph PowerShell module that contains Get-MgAuditLogSignIn
Install-Module Microsoft.Graph.Reports -Scope CurrentUser
# Verify the module was installed (check the module actually installed above, not the parent meta-module)
Get-InstalledModule Microsoft.Graph.Reports
# Sign in with the permissions required by the "Get-MgAuditLogSignIn" cmdlet
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
# Then some type of filtering using "Get-MgAuditLogSignIn"
# When done, sign out of Microsoft Graph
Disconnect-MgGraph
The hope is to have a script that produces the name, email, time, location, and "correct password"/Result detail for each user in the last 24 hours in a table format.
Any feedback would be greatly appreciated.
Here are some of the sources I've tried:
https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=powershell
https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview
https://learn.microsoft.com/en-us/answers/questions/1098591/export-authentication-details-from-azure-sign-in-l
https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.reports/get-mgauditlogsignin?view=graph-powershell-1.0
https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?toc=%2Fgraph%2Ftoc.json&view=graph-powershell-1.0
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationmethod?view=graph-powershell-1.0
- Said data is only exposed via the /beta Graph API endpoints, that is Get-MgBetaAuditLogSignIn if using PowerShell.
- QuintonR (Copper Contributor): When I run that code, the error I get is "Neither tenant is B2C or tenant doesn't have premium license".
Can that cmdlet only run with an Azure AD Premium P1 or P2 license?
- That's a requirement, sadly.
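Pulling the thread together, here is an added example (not code from the original post, nor from Microsoft) that does the filtering the question asks for. It assumes the Microsoft.Graph.Beta.Reports module, since the per-step "Result detail" only surfaces through the /beta endpoint as the reply notes, and it uses a constructed list of allowed "City|CountryOrRegion" pairs that you would replace with your own offices.

```powershell
# Assumption: Microsoft.Graph.Beta.Reports is installed (Install-Module Microsoft.Graph.Beta.Reports -Scope CurrentUser).
# The tenant must be licensed for sign-in log access (Entra ID P1/P2), as discussed in the thread.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Constructed list of known-good locations, keyed as "City|CountryOrRegion" exactly as
# the sign-in's Location property reports them. Replace with your own sites.
$AllowedLocations = @('Seattle|US', 'Toronto|CA')

# Last 24 hours, as ISO 8601 UTC, which is what the createdDateTime $filter expects
$Since   = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
$SignIns = Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $Since" -All

$Report = foreach ($s in $SignIns) {
    # AuthenticationDetails holds one entry per authentication step; the portal's
    # "Result detail" column is the AuthenticationStepResultDetail of each step.
    $passwordStep = $s.AuthenticationDetails |
        Where-Object { $_.AuthenticationStepResultDetail -eq 'Correct password' } |
        Select-Object -First 1
    if (-not $passwordStep) { continue }

    # Skip sign-ins from a known location
    $locationKey = "$($s.Location.City)|$($s.Location.CountryOrRegion)"
    if ($AllowedLocations -contains $locationKey) { continue }

    # A correct password from an unknown location is worth reviewing even when MFA or
    # Conditional Access blocked the overall sign-in: the password itself is known to someone.
    $overall = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Blocked/Failed ($($s.Status.FailureReason))" }

    [pscustomobject]@{
        Name          = $s.UserDisplayName
        Email         = $s.UserPrincipalName
        Time          = $s.CreatedDateTime
        Location      = "$($s.Location.City), $($s.Location.State), $($s.Location.CountryOrRegion)"
        IPAddress     = $s.IPAddress
        ResultDetail  = $passwordStep.AuthenticationStepResultDetail
        OverallStatus = $overall
    }
}

# Table for a quick daily look, plus a CSV for the ticket or the SIEM
$Report | Sort-Object Time -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path ".\SignIns-CorrectPassword-UnknownLocation.csv" -NoTypeInformation

Disconnect-MgGraph
```

Schedule it daily and treat any row where OverallStatus is not Success as a likely credential compromise that MFA caught, which is the case where a password reset matters most.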