Scenario: You want to query the Azure AD sign-in logs through Graph and PowerShell to see who has used MFA within the last 30 days. You already have the UserPrincipalNames in a CSV.
Notes:
1. It calls a get-accesstoken function, which can be found and loaded from this blog post: Get an Access Token for Graph API via PowerShell – Ex-Shell
Scriptlet:
#Declare global variables
$i = Import-Csv "C:\temp\userprincipalnames.csv" #With Userprincipalname as the column header
$start = Get-Date ((Get-Date).AddDays(-30)) -Format "yyyy-MM-dd"
#Loop it
$i.userprincipalname | Sort-Object | ForEach-Object {
    #Declare UPN
    $n = $_
    "Checking $n"
    #Double any apostrophe in the UPN so the OData filter string stays valid
    $upn = $n.Replace("'", "''")
    #Build the URI
    $appuri = "https://graph.microsoft.com/v1.0/auditlogs/signIns?$('$filter')=(userprincipalname eq '$upn') and (createdDateTime ge $start)"
    $appuri = ([System.Uri]$appuri).AbsoluteUri
    #Get the token and create the RestSplat
    $header = get-accesstoken
    $results = @()
    $RestSplat = @{
        URI = $appuri
        Headers = $header
        Method = 'GET'
        ContentType = "application/json"
    }
    #Invoke the Rest URI, following @odata.nextLink so later pages of sign-ins are not dropped
    do {
        $Tempresults = Invoke-RestMethod @RestSplat
        $results += $Tempresults.value
        $RestSplat.URI = $Tempresults.'@odata.nextLink'
    } while ($RestSplat.URI)
    #Play with results
    #MFA check
    $results.appliedConditionalAccessPolicies | Where-Object {($_.result -eq "Success") -and ($_.enforcedGrantControls -like "*MFA*")}
    #Signin at all?
    $results
}
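The scriptlet prints the matching policy entries for each user; the added example below (not part of the original scriptlet) applies the same MFA test to whole sign-in records and returns one summary row per user. The function name Get-MfaSignInSummary and the $sampleSignIns records are constructed for illustration and stand in for the sign-in objects the scriptlet retrieves.

```powershell
# Added example: constructed sample records shaped like Graph signIn objects (not real log data).
$sampleSignIns = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; createdDateTime = '2024-05-02T08:15:00Z'
        appliedConditionalAccessPolicies = @(
            [pscustomobject]@{ result = 'success'; enforcedGrantControls = @('Mfa') }) }
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; createdDateTime = '2024-05-20T17:40:00Z'
        appliedConditionalAccessPolicies = @(
            [pscustomobject]@{ result = 'notApplied'; enforcedGrantControls = @() }) }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example'; createdDateTime = '2024-05-11T09:05:00Z'
        appliedConditionalAccessPolicies = @(
            [pscustomobject]@{ result = 'failure'; enforcedGrantControls = @('Mfa') }) }
)

# Hypothetical helper: one row per user with total sign-ins, MFA-satisfied sign-ins and the latest MFA sign-in.
function Get-MfaSignInSummary {
    param([Parameter(Mandatory)][object[]]$SignIn)

    $SignIn | Group-Object userPrincipalName | ForEach-Object {
        $group = $_
        # Same test as the scriptlet: a policy that succeeded and enforced an MFA grant control.
        $mfa = @($group.Group | Where-Object {
            $_.appliedConditionalAccessPolicies | Where-Object {
                ($_.result -eq 'success') -and ($_.enforcedGrantControls -like '*MFA*')
            }
        })
        $lastMfa = $mfa | Sort-Object { [datetime]$_.createdDateTime } | Select-Object -Last 1
        [pscustomobject]@{
            UserPrincipalName = $group.Name
            TotalSignIns      = $group.Count
            MfaSignIns        = $mfa.Count
            LastMfaSignIn     = $lastMfa.createdDateTime   # empty when the user never satisfied MFA
        }
    }
}

Get-MfaSignInSummary -SignIn $sampleSignIns | Format-Table -AutoSize
```

A user with sign-ins but MfaSignIns of 0 authenticated without an MFA-enforcing policy succeeding in the window; a user missing from the output had no sign-ins returned at all.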