I'm looking to automate the process of getting sign-in logs for our EntraID Enterprise Apps, but my existing script only pulls 'User sign-ins (interactive)'. I want to modify this so that it gathers all four types of sign-ins: User sign-ins (interactive), User sign-ins (non-interactive), Service principal sign-ins, and Managed identity sign-ins. Currently, I'm using this command to filter the logs: `$signInLogs = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate and appDisplayName eq '$($sp.DisplayName)'"`. How can I adjust my code to achieve this?
3 Answers
You can also try the `/reports/servicePrincipalSignInActivities` endpoint in the beta API. While it only shows the most recent sign-in, it provides broader coverage than just the last 30 days. Here's a sample script to identify inactive apps using this endpoint:
```powershell
# Send-GraphRequest and the two $GLOBAL* variables are not Microsoft Graph SDK cmdlets;
# they come from the answerer's own helper tooling. -BetaAPI selects the beta endpoint.
$AppLastSignInsRaw = Send-GraphRequest -AccessToken $GLOBALMsGraphAccessToken.access_token -Method GET -Uri "/reports/servicePrincipalSignInActivities" -BetaAPI -UserAgent $($GlobalAuditSummary.UserAgent.Name)
```
This should give you a good overview of the last sign-in activities across your applications!
To get all sign-in types, you'll need to modify your filter to include the specific event types and utilize the beta endpoint. Try this command to also capture non-interactive sign-ins:
`$signInLogs = Get-MgBetaAuditLogSignIn -Filter "signInEventTypes/any(t: t eq 'nonInteractiveUser') and createdDateTime ge $startDate and appDisplayName eq '$($sp.DisplayName)'"`
Also, have you considered using Azure's Diagnostic Settings? It might be easier than scripting everything yourself; you can dump logs into an Azure Storage Account for streamlined access. That way, you avoid extra engineering overhead!
I'm also curious about the costs associated with Azure Storage. If you figure it out, I'd love to know!
Absolutely! We've switched to using Log Analytics for our sign-in logs, and it significantly speeds up our querying process. You can retain logs longer than just 30 days, which is super handy for troubleshooting and reporting.
For extraction involving service principals, consider adding a source parameter to your requests. Here’s a function I use:
```powershell
Function Get-MgSpSignIns {
    param(
        [string]$filter
    )
    process {
        # source=sp narrows the beta signIns feed to service principal sign-ins; the backtick
        # stops PowerShell from expanding "$filter" inside the query-string parameter name
        $uri = "https://graph.microsoft.com/beta/auditLogs/signIns?source=sp&`$filter=$filter"
        # Graph pages results, so follow @odata.nextLink until the feed is exhausted
        do {
            $page = Invoke-MgGraphRequest -Uri $uri -OutputType PSObject
            $page.Value
            $uri = $page.'@odata.nextLink'
        } while ($uri)
    }
}
```
This allows you to easily target service principal sign-ins. Check out my blog for more details on multi-tenant applications!
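One way to pull all four categories in a single function, combining the `signInEventTypes` filter from the second answer with the paginated beta request pattern from the third. This is an added example, not code from any of the answers; it assumes the Microsoft Graph PowerShell SDK (`Connect-MgGraph` already run with `AuditLog.Read.All`) and the app name is a placeholder.

```powershell
# Added example, not code from the answers above. Queries the beta signIns endpoint once per
# sign-in category so interactive, non-interactive, service principal and managed identity
# events for one app are all returned, paging through @odata.nextLink.
# Assumes Connect-MgGraph has already run with the AuditLog.Read.All permission.
function Get-AllSignInTypesForApp {
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [int]$Days = 30   # the signIns feed itself only keeps the last 30 days
    )
    $startDate = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    # Double any single quote so the OData string literal stays well-formed
    $safeName = $AppDisplayName -replace "'", "''"
    # The four categories exposed through signInEventTypes on the beta signIn resource
    $eventTypes = 'interactiveUser', 'nonInteractiveUser', 'servicePrincipal', 'managedIdentity'
    foreach ($type in $eventTypes) {
        $filter = "createdDateTime ge $startDate and appDisplayName eq '$safeName'" +
                  " and signInEventTypes/any(t: t eq '$type')"
        $uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=" +
               [uri]::EscapeDataString($filter)
        do {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
            foreach ($entry in $page.value) {
                [pscustomobject]@{
                    Category             = $type
                    CreatedDateTime      = $entry.createdDateTime
                    UserPrincipalName    = $entry.userPrincipalName
                    ServicePrincipalName = $entry.servicePrincipalName
                    AppId                = $entry.appId
                    ResourceDisplayName  = $entry.resourceDisplayName
                    ErrorCode            = $entry.status.errorCode
                }
            }
            $uri = $page.'@odata.nextLink'
        } while ($uri)
    }
}

# Example use: the app name is a placeholder, replace it with one of your enterprise apps
Get-AllSignInTypesForApp -AppDisplayName 'Contoso HR Portal' |
    Group-Object Category | Select-Object Name, Count
```

Because the feed only covers 30 days, scheduling this and writing the output to Log Analytics or a storage account (as the other answers suggest) is what gives you longer retention.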
Thanks a lot for that snippet! It's going to save me time.

That endpoint sounds promising! I'll definitely give it a shot.