Script repository
The script generates a report containing the Microsoft Entra login dates for the selected user. Login dates are output for the selected period. To execute the script, create a report with the corresponding parameters and custom columns. The report should have no scope.
Parameters
$userParamName- the name of the parameter for selecting a user whose login dates will be present in the report. The parameter name should be specified with the param- prefix.$daysParamName- the name of the parameter used to select the time period (in days) to output login dates for. The parameter name should be specified with the param- prefix.$dateColumnID- the identifier of the custom column that will store user login dates. To get the identifier:- In the Report-specific columns section, on the Columns tab, right-click the custom column.
- In the context menu, navigate to Copy and click Column ID.
- The column identifier will be copied to clipboard.
$applicationColumnID- the identifier of the custom column that will store the target applications.$statusColumnID- the identifier of the custom column that will store the login statuses.$ipAddressColumnID- the identifier of the custom column that will store IP adresses of the devices used to log in.$conditionalAccessColumnID- the identifier of the custom column that will store the applied conditional access rules.$authRequirementColumnID- the identifier of the custom column that will store login authentication requirements.
# Parameter names.
$userParamName = "param-User" # TODO: modify me
$daysParamName = "param-Days" # TODO: modify me
# Custom column IDs.
$dateColumnID = "{63cd8553-824a-40ef-8e30-db2a21b3899f}" # TODO: modify me
$applicationColumnID = "{e2265c7b-d7da-4268-9399-58f64b54c2a4}" # TODO: modify me
$statusColumnID = "{f5926329-eace-4d55-a804-1ae1a8155689}" # TODO: modify me
$ipAddressColumnID = "{e043437c-4d10-4c6c-8bd5-f61dc58a87f5}" # TODO: modify me
$conditionalAccessColumnID = "{1e706407-d45f-489a-af08-59e9bdb1ebac}" # TODO: modify me
$authRequirementColumnID = "{6717800c-b627-4ebd-b29e-d0bb66f4b254}" # TODO: modify me
# Get parameter values.
$days = $Context.GetParameterValue($daysParamName)
$userDN = $Context.GetParameterValue($userParamName)
# Bind to the user.
$user = $Context.BindToObject("Adaxes://$userDN")
# Check Microsoft Entra identifier.
if ($NULL -eq $user.AzureId)
{
$Context.LogMessage("The user doesn't have a Microsoft 365 account.", "Warning")
return
}
# Build filter.
$date = $((Get-Date).AddDays(-$days)).ToString("yyyy-MM-dd")
$filter = "UserID eq '" + $user.AzureId + "' and createdDateTime gt " + $date
# Get authentication token.
$authToken = $Context.CloudServices.GetAzureAuthAccessToken($user)
# Retrieve data
$url = 'https://graph.microsoft.com/beta/auditLogs/signIns?$filter=' + $filter
$response = Invoke-RestMethod -Method GET `
-uri $url `
-Headers @{Authorization="Bearer $authToken"}
if ($NULL -eq $response.value)
{
return
}
# Generate report.
foreach ($log in $response.value)
{
$columnValues = @{ }
$columnValues.Add($dateColumnID, $log.CreatedDateTime)
$columnValues.Add($applicationColumnID, $log.AppDisplayName)
if ($log.Status.ErrorCode -eq 0)
{
$status = "Success"
}
else
{
$status = "Failure reason: " + $log.Status.FailureReason
}
$columnValues.Add($statusColumnID, $status)
$columnValues.Add($ipAddressColumnID, $log.IpAddress)
$columnValues.Add($conditionalAccessColumnID, $log.ConditionalAccessStatus)
if ($log.AuthenticationRequirement -eq "multiFactorAuthentication")
{
$authRequirement = "Multi-factor authentication"
}
elseif ($log.AuthenticationRequirement -eq "singleFactorAuthentication")
{
$authRequirement = "Single-factor authentication"
}
else
{
$authRequirement = $log.AuthenticationRequirement
}
$columnValues.Add($authRequirementColumnID, $authRequirement)
$Context.Items.Add($user, $columnValues)
}
Comments 0
You must be signed in to comment.