Export Microsoft 365 Users’ Sign-in Report Using PowerShell

Note: Depending on your requirements, you can create a self-signed certificate. Before employing certificate-based authentication, it is crucial to register an application in Azure AD.

The script features predefined filters to meet your specific needs, excelling in these scenarios:

Note: The script retrieves sign-in data using the Get-MgBetaAuditLogSignin cmdlet and then filter the log based on the parameters you provide.

• List users with risky sign-ins in Microsoft 365
• Export Microsoft 365 guest user sign-in report
• Export interactive sign-ins in MS Entra ID
• Export Azure AD non-interactive sign-ins
• View Entra users’ successful sign-in attempts
• Identify Microsoft 365 users’ failed sign-in attempts
• Retrieve CA policies applied sign-ins
• Retrieve sign-in attempts without CA policy
• Track successful CA policy enforcement in Entra sign-in logs
• Track conditional access sign-in failures in Entra
• Get login history for a specific user
• Export Microsoft 365 sign-in details for a list of users

Risky sign-ins could indicate potential threats, such as compromised accounts or malicious activities. By monitoring and analyzing these sign-ins, you can take proactive measures to protect your organization and respond swiftly to security incidents. Using the script with –RiskySignInsOnly parameter, you can generate a report that lists all users with risky sign-ins, enabling you to address vulnerabilities promptly.

This script generates a report of all users with risky sign-ins.

By keeping track of when and where guest users access your Microsoft 365 resources, you can identify unusual activity, enforce policies, and improve overall compliance. By using the – GuestUserSignInsOnly parameter, you can generate a comprehensive report that details all sign-in activities by guest users.

This script generates a report of sign-in activities for all external users in your Microsoft 365 environment. You can also use the last login time to identify inactive guest users.

Focusing on interactive sign-ins helps you understand user-initiated activities, providing insights into how users engage with your Microsoft Entra ID environment. To export interactive sign-ins, execute the script with – InteractiveOnly switch param.

This script generates a report of interactive sign-ins in Microsoft Entra ID.

Non-interactive sign-ins are sign-ins performed by a client app or an OS component on a user’s behalf. Understanding access patterns allows you to gain insights into how applications and services interact within Azure AD. Run the script with the –NonInteractiveOnly switch parameter.

The generated result produces a report of non-interactive user sign-ins in Azure AD.

Real-time monitoring of successful sign-ins is crucial for swiftly verifying legitimate access and detecting unauthorized activities. Run the script with –Success parameter to list users with successful Entra ID sign-ins.

This script provides a report of successful Entra ID sign-in activities for users.

Note: To track an individual user’s last sign-in time using PowerShell, use the ‘Get-EntraUser’ cmdlet.

Monitoring failed sign-in attempts in your Microsoft 365 environment is crucial for several reasons. It helps analyze recurring patterns that may indicate targeted attacks, promptly diagnose sign-in issues, and detect potential security threats. To get a list of failed Entra ID sign-ins, you can run the script with the –Failure parameter.

This result has a report of unsuccessful Entra ID sign-in attempts for users in Microsoft 365

By identifying sign-in attempts with applied Conditional Access policies, organizations can enforce granular access controls based on user context and device compliance. To retrieve a list of sign-in attempts with applied Conditional Access policies, execute the script with the -CAPAppliedOnly parameter.

The result captures both successful and failed Conditional Access login attempts.

Identifying sign-ins without applied Conditional Access policies allows administrators to review and enforce necessary access controls, reducing the risk of unauthorized access. To retrieve a list of sign-ins without Conditional Access policies, execute the script with the –CAPNotAppliedOnly parameter.

The result shows all sign-ins without Conditional Access enforcement.

If you are particularly looking to monitor all CA policies in your organization, you can utilize this PS script to export Conditional Access policies to Excel.

By monitoring successful policy enforcement during sign-ins, you can verify effective security measures and ensure that access controls function correctly. To export a list of successful sign-ins using CA policies, execute the script with the -CAPSuccessOnly parameter:

This command generates a report listing all successful sign-ins based on Conditional Access policies.

Tracking Conditional Access policy failures during sign-ins addresses vulnerabilities, such as policy misconfigurations or unauthorized access attempts. To export a list of sign-ins which failed due to a CA policy, run the script with the –CAPFailedOnly parameter.

This command identifies sign-ins that failed due to a conditional access policy. There are also methods to find which Conditional Access policy is blocking a user’s sign-in.

Monitoring the sign-in activities of individual users helps detect unauthorized access attempts or suspicious activities associated with a specific user account. To export a specific user’s sign-in history, execute the script with the –UserPrincipalName param.

The exported report contains sign-in activity details of Alex.

If you want to get an Office 365 sign-in report for multiple users, you can pass usernames using the –UserPrincipalName param as comma-separated values.

The exported report contains the sign-in activity details of Alex and Lidia.

While PowerShell offers granular control, it requires some scripting knowledge. However, for those seeking a more straightforward approach, AdminDroid offers a compelling alternative. This free tool combines user-friendly interfaces with robust reporting capabilities, making it ideal for administrators looking to streamline their operations.

Explore AdminDroid’s Free Microsoft 365 reporting tool, boasting over 120 pre-built reports tailored to manage users, groups, licenses, and more. Among its extensive features are 50+ sign-in reports that cover various facets of user activity:

User Logins

• All user logins
• Failed user logins
• Successful user login
• User’s last logon time
• Users’ first logon time of a day
• Users’ monthly login count summary

Security

• Admins logins
• Guest logins
• Risky login attempts
• Failed to pass MFA challenge
• Legacy/Basic authentication login attempts

Office 365 service-based logins

• Outlook login history
• Mailbox PowerShell logins
• Microsoft Teams logins
• External user login activities in MS Teams

Sign-in Types

• Interactive sign-ins
• Non-interactive sign-ins
• All successful MFA sign-ins and more…

In addition, with over 1800 reports and more than 30 dashboards, AdminDroid covers Exchange Online, SharePoint Online, Microsoft Teams, OneDrive for Business, and more. Start your optimized management journey today with AdminDroid. Try our 15-day free trial and experience the difference firsthand!

Download the AdminDroid M365 management tool now and experience the power of simplified administration!

We hope that this blog has provided you with detailed information on tracking M365 users’ sign-in details using PowerShell. If you are looking for further ways to track user sign-ins, you can use methods like scenario monitoring, Entra workbook, etc. Thanks for reading! For further queries, reach out to us in the comments section.

Source