Forum Discussion

Skipster311-1
Iron Contributor
Aug 26, 2021
Solved

user login information

Hello all

I'm trying to understand the difference between Azure sign-in logs and Microsoft Graph for querying logon activity. In the Azure portal I can only go back 30 days. However, if using Microsoft Graph I can go back over 1 year. The query below is showing me results for "lastSignInDateTime" and I am seeing dates as far back as 8/4/202. When using Azure AD sign-in logs I can only go back 1 month. Why the difference?

# Prerequisite: an authenticated Graph session with scopes that can read signInActivity,
# e.g. Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"
function queryAADUserLastSignin {
    # beta endpoint; $select keeps the payload to the properties we report on
    $uri = "https://graph.microsoft.com/beta/users?`$select=displayName,signInActivity,userPrincipalName,userType,externalUserState,externalUserStateChangeDateTime,creationType,createdDateTime,onPremisesSyncEnabled,accountEnabled,mail"
    do {
        $results = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
        $results.value | Select-Object displayName, userPrincipalName, userType, externalUserState, externalUserStateChangeDateTime, creationType, createdDateTime, accountEnabled, `
            @{Name = "lastSignInDateTime"; Expression = { $_.signInActivity.lastSignInDateTime }}, mail
        # follow server-side paging until Graph stops returning a nextLink
        $uri = $results.'@odata.nextLink'
    } until ($null -eq $uri)
}

queryAADUserLastSignin | Export-Csv .\guest_export1.csv -NoTypeInformation

Skipster311-1, Azure AD does not provide retention of sign-in logs beyond 30 days. Some information may additionally be stored in the unified audit log, though.

To answer your question more specifically: the information in Graph just contains the single timestamp of when the last (non-)interactive sign-in happened. This is trivial for Microsoft to store and doesn't require Microsoft to keep all possible sign-in events. What you see in the sign-in log in Azure AD, though, are all the events that happened, and as you can probably imagine, this can result in a lot of additional data that would need to be stored. I did some tests storing sign-in events in an Azure Log Analytics workspace, and this was good for multiple TBs of data over a month, and that's only for one tenant. Imagine if they had to keep these sign-in events for all tenants!
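Added example (not from the original question or answer): since Graph only gives you that single last-activity timestamp per account, the useful thing to build on it is a stale-account review, in PowerShell to match the query above. It assumes signInActivity exposes both lastSignInDateTime and lastNonInteractiveSignInDateTime, treats an empty value as "no sign-in recorded", and runs offline on constructed records shaped like the CSV export.

```powershell
# Added example, not from the original post. Assumptions: signInActivity carries
# lastSignInDateTime (interactive) and lastNonInteractiveSignInDateTime, and an
# empty value means no sign-in has been recorded for that account at all.
function Get-StaleAccountReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $InactiveDays = 90,
        [datetime] $AsOf = (Get-Date).ToUniversalTime()
    )
    foreach ($u in $Users) {
        # Most recent of the two timestamps; either (or both) may be empty.
        $stamps = @(@($u.lastSignInDateTime, $u.lastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | ForEach-Object { ([datetimeoffset]$_).UtcDateTime })
        $last = if ($stamps.Count) { ($stamps | Sort-Object -Descending)[0] } else { $null }
        $days = if ($last) { [int][math]::Floor(($AsOf - $last).TotalDays) } else { $null }
        # Export-Csv writes booleans as the strings 'True'/'False'; normalise first.
        $enabled = [System.Convert]::ToBoolean($u.accountEnabled)
        # Enabled accounts with no recorded activity, or activity older than the
        # threshold, are the ones that need a review-or-disable decision.
        $flag = if (-not $enabled) { 'disabled' }
                elseif ($null -eq $last) { 'no-signin-recorded' }
                elseif ($days -gt $InactiveDays) { 'stale' }
                else { 'active' }
        [pscustomobject]@{
            userPrincipalName = $u.userPrincipalName
            userType          = $u.userType
            accountEnabled    = $enabled
            lastActivityUtc   = $last
            daysInactive      = $days
            flag              = $flag
        }
    }
}

# Constructed sample records standing in for the Graph/CSV output above.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; userType = 'Member'; accountEnabled = 'True'
                       lastSignInDateTime = '2021-08-20T09:12:00Z'; lastNonInteractiveSignInDateTime = '2021-08-25T03:00:00Z' }
    [pscustomobject]@{ userPrincipalName = 'bob_guest#EXT#@contoso.example'; userType = 'Guest'; accountEnabled = 'True'
                       lastSignInDateTime = '2020-08-04T10:00:00Z'; lastNonInteractiveSignInDateTime = $null }
    [pscustomobject]@{ userPrincipalName = 'carol_guest#EXT#@contoso.example'; userType = 'Guest'; accountEnabled = 'True'
                       lastSignInDateTime = $null; lastNonInteractiveSignInDateTime = $null }
)
# Expected flags as of 2021-08-26: alice active, bob stale (386 days), carol no-signin-recorded.
Get-StaleAccountReport -Users $sample -InactiveDays 90 -AsOf ([datetimeoffset]'2021-08-26T00:00:00Z').UtcDateTime |
    Where-Object flag -ne 'active' | Format-Table -AutoSize
```

Feed it the real export with `Import-Csv .\guest_export1.csv` in place of `$sample`; the extra non-interactive column has to be added to the query's `$select` projection first if you want it considered.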
