Forum Discussion

AK-47-b's avatar
AK-47-b
Copper Contributor
Apr 07, 2022

Filter issue

Hi all, I can't work out why this filter errors.

 

$LastLogin = Get-AzureADAuditSignInLogs -All $true -Top 1 -Filter "userDisplayName eq '$UserDisplayName'" -ErrorAction SilentlyContinue | Select createdDateTime 

 

If I check that the variable is correctly populated, it is.

If I manually add the userDisplayName that I extract from the variable it works.

The error is claiming it's a filter issue.

 

Get-AzureADAuditSignInLogs : Error occurred while executing GetAuditSignInLogs 
Code: BadRequest
Message: Invalid filter clause
InnerError:
  RequestId: 2e875adc-cd60-4323-bcac-b224ee74419a
  DateTimeStamp: Thu, 07 Apr 2022 02:09:10 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\xxx\AAD_UserAudit.ps1:12 char:18
+ ... LastLogin = Get-AzureADAuditSignInLogs -All $true -Top 1 -Filter "use ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADAuditSignInLogs], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetAuditSignInLogs 

 

 

I would appreciate any ideas you might have to sort this one out.

  • AK-47-b's avatar
    AK-47-b
    Apr 07, 2022
    Thanks for taking an interest. As it turns out, after many hours of research, I am facing two distinct issues. The first, on the filter error appears to be a known and old bug in AzureAD Preview module. The second is due to Graph API limits. So I'll be editing the script to be less aggressive and slow down the call rate, and hope that at the slower rate it allows the filters to be parsed correctly.
    Thanks for taking an interest in helping.
  • Works fine here, make sure you're correctly setting up the variable:

    $userDisplayName = "Gosho"
    Get-AzureADAuditSignInLogs -Top 1 -Filter "userDisplayName eq '$UserDisplayName'"

    Id : 4fc672fd-79e4-4e70-a397-d6aafbe9a800
    CreatedDateTime : 2022-03-24T15:52:08Z
    UserDisplayName : Gosho
    UserPrincipalName : Email address removed
    UserId : 064abb3c-0812-44f9-bdcc-eea7e6ea398b

    Also, you cannot use both the -All and -Top switches.
    • AK-47-b's avatar
      AK-47-b
      Copper Contributor

      VasilMichev 

      Thanks for testing and confirming. That's the odd thing, I'm 99.99% certain there's nothing wrong here.

      The top of the script is as so:

      $DataArray = @()
      $ADUsers = Get-AzureADUser -All:$true
      foreach($User in $ADUsers)
      {
          $Creation = Get-AzureADUserExtension -ObjectId $User.UserPrincipalName
          $UserUPN = $User.UserPrincipalName
          $UserDisplayName = $User.DisplayName
          $LastLogin = Get-AzureADAuditSignInLogs $true -Top 1 -Filter "userDisplayName eq '$UserDisplayName'" -ErrorAction SilentlyContinue | Select createdDateTime
      
      ....

      Of course there's more to it but you can seen from the example how the variables are being populated. See anything there that pops out?

       

      I remove the -All switch from it as well. Good catch, thanks.

      • Perhaps you have some fancy display name in there? Make sure you escape any characters such as ' (for all the O'Briens and such). Or filter by GUID 🙂