Get MgAuditLogSigninInfo

SYNOPSIS

Get Microsoft Entra ID Audit Log Sign-In Details

SYNTAX

Get-MgAuditLogSigninInfo [[-StartDate] <Object>] [[-EndDate] <Object>] [[-Users] <String[]>]
 [[-LastXSignIns] <Int32>] [[-IPAddresses] <Int32>] [-BasicAuthenticationOnly] [-SuccessOnly] [-FailureOnly]
 [-BadCredentialsOnly] [-LastLogonOnly] [-NonMFASignInsOnly] [-MFASignInsOnly] [-NonInteractiveSignIns]
 [-ServicePrincipalSignIns] [-ManagedIdentitySignIns] [[-ConditionalAccessPolicyName] <String>]
 [-ConditionalAccessPolicyNotApplied] [-ConditionalAccessPolicySuccessOnly]
 [-ConditionalAccessPolicyFailedOnly] [[-TimeRange] <String>] [-UseDatePicker] [-ForceNewToken]
 [-AnalyzeCAPInReportOnly] [-ExportToExcel] [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

Get Microsoft Entra ID Audit Log Sign-In Details with various filtering options.

EXAMPLES

EXAMPLE 1

Get-MgAuditLogSigninInfo -StartDate '2024-01-01' -EndDate '2024-01-31' -Users 'user1@contoso.com', 'user2@contoso.com'

Retrieves sign-in logs for specified users between January 1, 2024, and January 31, 2024.

EXAMPLE 2

Get-MgAuditLogSigninInfo -LastXSignIns 100 -FailureOnly

Retrieves the last 100 failed sign-in attempts.

EXAMPLE 3

Get-MgAuditLogSigninInfo -AnalyzeCAPInReportOnly

Retrieves sign-in logs with Conditional Access applied in ReportOnly mode.

EXAMPLE 4

Get-MgAuditLogSigninInfo -StartDate (Get-Date).AddHours(-1) -NonMFASignInsOnly

Retrieves non-MFA sign-ins from the last hour.

PARAMETERS

-StartDate

The start date for filtering sign-in logs. Accepts either a DateTime object or a string in yyyy-MM-dd format.

Type: Object
Parameter Sets: (All)
Aliases:

Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-EndDate

The end date for filtering sign-in logs. Accepts either a DateTime object or a string in yyyy-MM-dd format.

Type: Object
Parameter Sets: (All)
Aliases:

Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Users

An array of user principal names to filter the sign-in logs.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-LastXSignIns

The number of most recent sign-ins to retrieve. The other filters (StartDate, EndDate, Users, etc.) will still apply.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 4
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False

-IPAddresses

A comma-separated list of IP addresses to filter the sign-in logs.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 5
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False

-BasicAuthenticationOnly

Switch to filter sign-ins using legacy authentication protocols.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-SuccessOnly

Switch to filter only successful sign-in attempts.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-FailureOnly

Switch to filter only failed sign-in attempts.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-BadCredentialsOnly

Switch to filter sign-ins with bad username or password (error code 50126).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-LastLogonOnly

Switch to get only the last logon details for each user.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-NonMFASignInsOnly

Switch to filter non-MFA sign-ins only.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-MFASignInsOnly

Switch to filter MFA sign-ins only.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-NonInteractiveSignIns

Switch to filter non-interactive sign-ins only.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ServicePrincipalSignIns

Switch to filter service principal sign-ins only.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ManagedIdentitySignIns

Switch to filter managed identity sign-ins only.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ConditionalAccessPolicyName

Filter sign-ins by a specific Conditional Access Policy Name.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ConditionalAccessPolicyNotApplied

Switch to filter sign-ins where the Conditional Access Policy was not applied.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ConditionalAccessPolicySuccessOnly

Switch to filter sign-ins where the Conditional Access Policy evaluation was successful.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ConditionalAccessPolicyFailedOnly

Switch to filter sign-ins where the Conditional Access Policy evaluation failed.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-TimeRange

Remplace plusieurs switches par un seul paramètre avec ValidateSet

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 7
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-UseDatePicker

Switch to open an interactive calendar dialog to select StartDate and EndDate visually. Requires Windows with .NET Windows Forms support (Windows PowerShell or pwsh on Windows). Any values already provided via -StartDate or -EndDate are used as the initial selection in the pickers.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ForceNewToken

Switch to force the acquisition of a new authentication token.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-AnalyzeCAPInReportOnly

Switch to filter sign-ins with Conditional Access applied in ReportOnly mode. Only sign-ins where the policy was used (exclude ‘NotApplied’) are returned.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ExportToExcel

Switch to export the sign-in details report to an Excel file. The file will be saved in the user’s profile directory with a timestamped filename.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

https://ps365.clidsys.com/docs/commands/Get-MgAuditLogSigninInfo

Getting started

Azure

Entra

Exchange

Intune

M365 Apps

Misc

M S Commerce

​SYNOPSIS

​SYNTAX

​DESCRIPTION

​EXAMPLES

​EXAMPLE 1

​EXAMPLE 2

​EXAMPLE 3

​EXAMPLE 4

​PARAMETERS

​-StartDate

​-EndDate

​-Users

​-LastXSignIns

​-IPAddresses

​-BasicAuthenticationOnly

​-SuccessOnly

​-FailureOnly

​-BadCredentialsOnly

​-LastLogonOnly

​-NonMFASignInsOnly

​-MFASignInsOnly

​-NonInteractiveSignIns

​-ServicePrincipalSignIns

​-ManagedIdentitySignIns

​-ConditionalAccessPolicyName

​-ConditionalAccessPolicyNotApplied

​-ConditionalAccessPolicySuccessOnly

​-ConditionalAccessPolicyFailedOnly

​-TimeRange

​-UseDatePicker

​-ForceNewToken

​-AnalyzeCAPInReportOnly

​-ExportToExcel

​CommonParameters

​INPUTS

​OUTPUTS

​NOTES

​RELATED LINKS