Skip to main content

SYNOPSIS

Get Microsoft Entra ID Audit Log Sign-In Details

SYNTAX

DESCRIPTION

Get Microsoft Entra ID Audit Log Sign-In Details with various filtering options.

EXAMPLES

EXAMPLE 1

Retrieves sign-in logs for specified users between January 1, 2024, and January 31, 2024.

EXAMPLE 2

Retrieves the last 100 failed sign-in attempts.

EXAMPLE 3

Retrieves sign-in logs with Conditional Access applied in ReportOnly mode.

EXAMPLE 4

Retrieves non-MFA sign-ins from the last hour.

PARAMETERS

-StartDate

The start date for filtering sign-in logs. Accepts either a DateTime object or a string in yyyy-MM-dd format.

-EndDate

The end date for filtering sign-in logs. Accepts either a DateTime object or a string in yyyy-MM-dd format.

-Users

An array of user principal names to filter the sign-in logs.

-LastXSignIns

The number of most recent sign-ins to retrieve. The other filters (StartDate, EndDate, Users, etc.) will still apply.

-IPAddresses

A comma-separated list of IP addresses to filter the sign-in logs.

-BasicAuthenticationOnly

Switch to filter sign-ins using legacy authentication protocols.

-SuccessOnly

Switch to filter only successful sign-in attempts.

-FailureOnly

Switch to filter only failed sign-in attempts.

-BadCredentialsOnly

Switch to filter sign-ins with bad username or password (error code 50126).

-LastLogonOnly

Switch to get only the last logon details for each user.

-NonMFASignInsOnly

Switch to filter non-MFA sign-ins only.

-MFASignInsOnly

Switch to filter MFA sign-ins only.

-NonInteractiveSignIns

Switch to filter non-interactive sign-ins only.

-ServicePrincipalSignIns

Switch to filter service principal sign-ins only.

-ManagedIdentitySignIns

Switch to filter managed identity sign-ins only.

-ConditionalAccessPolicyName

Filter sign-ins by a specific Conditional Access Policy Name.

-ConditionalAccessPolicyNotApplied

Switch to filter sign-ins where the Conditional Access Policy was not applied.

-ConditionalAccessPolicySuccessOnly

Switch to filter sign-ins where the Conditional Access Policy evaluation was successful.

-ConditionalAccessPolicyFailedOnly

Switch to filter sign-ins where the Conditional Access Policy evaluation failed.

-TimeRange

Remplace plusieurs switches par un seul paramètre avec ValidateSet

-UseDatePicker

Switch to open an interactive calendar dialog to select StartDate and EndDate visually. Requires Windows with .NET Windows Forms support (Windows PowerShell or pwsh on Windows). Any values already provided via -StartDate or -EndDate are used as the initial selection in the pickers.

-ForceNewToken

Switch to force the acquisition of a new authentication token.

-AnalyzeCAPInReportOnly

Switch to filter sign-ins with Conditional Access applied in ReportOnly mode. Only sign-ins where the policy was used (exclude ‘NotApplied’) are returned.

-ExportToExcel

Switch to export the sign-in details report to an Excel file. The file will be saved in the user’s profile directory with a timestamped filename.

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

https://ps365.clidsys.com/docs/commands/Get-MgAuditLogSigninInfo