Skip to main content

Get-MgAuditLogSignInDetails

SYNOPSIS

Get Microsoft Entra ID (Azure AD) Audit Log Sign-In Details

SYNTAX

Get-MgAuditLogSignInDetails [[-StartDate] <String>] [[-EndDate] <String>] [[-Users] <String[]>]
 [[-LastXSignIns] <Int32>] [[-IPAddresses] <Int32>] [-BasicAuthenticationOnly] [-FailuresOnly]
 [-BadCredentialsOnly] [-LastLogonOnly] [[-ConditionalAccessPolicyName] <String>] [-AnalyzeReportOnlyCA]
 [[-TimeRange] <String>] [[-OutputFile] <String>] [-ForceNewToken] [-ProgressAction <ActionPreference>]
 [<CommonParameters>]

DESCRIPTION

Get Microsoft Entra ID (Azure AD) Audit Log Sign-In Details with various filtering options.

EXAMPLES

EXAMPLE 1

Get-MgAuditLogSignInDetails -StartDate '2024-01-01' -EndDate '2024-01-31' -Users 'user1@contoso.com', 'user2@contoso.com'

Retrieves sign-in logs for specified users between January 1, 2024, and January 31, 2024.

EXAMPLE 2

Get-MgAuditLogSignInDetails -LastXSignIns 100 -FailuresOnly

Retrieves the last 100 failed sign-in attempts.

EXAMPLE 3

Get-MgAuditLogSignInDetails -AnalyzeReportOnlyCA

Retrieves sign-in logs with Conditional Access applied in ReportOnly mode.

PARAMETERS

-StartDate

The start date for filtering sign-in logs (format: yyyy-MM-dd).

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-EndDate

The end date for filtering sign-in logs (format: yyyy-MM-dd).

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Users

An array of user principal names to filter the sign-in logs.

Type: String[]
Parameter Sets: (All)
Aliases:

Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-LastXSignIns

The number of most recent sign-ins to retrieve. The other filters (StartDate, EndDate, Users, etc.) will still apply.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 4
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False

-IPAddresses

A comma-separated list of IP addresses to filter the sign-in logs.

Type: Int32
Parameter Sets: (All)
Aliases:

Required: False
Position: 5
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False

-BasicAuthenticationOnly

Switch to filter sign-ins using legacy authentication protocols.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-FailuresOnly

Switch to filter only failed sign-in attempts.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-BadCredentialsOnly

Switch to filter sign-ins with bad username or password (error code 50126).

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-LastLogonOnly

Switch to get only the last logon details for each user.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ConditionalAccessPolicyName

Filter sign-ins by a specific Conditional Access Policy Name.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 6
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-AnalyzeReportOnlyCA

Switch to filter sign-ins with Conditional Access applied in ReportOnly mode. Only sign-ins where the policy was used (exclude 'NotApplied') are returned.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-TimeRange

Remplace plusieurs switches par un seul paramètre avec ValidateSet

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 7
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-OutputFile

The path to the output file where the results will be saved.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: 8
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ForceNewToken

Switch to force the acquisition of a new authentication token.

Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction

{{ Fill ProgressAction Description }}

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES