SOLVED

user login information


Hello all

I'm trying to understand the difference between Azure sign-in logs to query logon activity vs. Microsoft Graph. In the Azure portal I can only go back 30 days. However, if using Microsoft Graph I can go back over 1 year. The below query is showing me results for "LastsigninDateTime" and I am seeing dates as far back as 8/4/202. When using Azure AD sign-in logs I can only go back 1 month. Why the difference?

function queryAADUserLastSignin {
    # signInActivity is requested from the Graph beta /users endpoint
    $uri = "https://graph.microsoft.com/beta/users?`$select=Displayname,signInActivity,userPrincipalName,userType,externalUserState,externalUserStateChangeDateTime,creationType,createdDateTime,onPremisesSyncEnabled,accountEnabled,mail"
    do {
        $results = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
        # Flatten signInActivity.lastSignInDateTime into a top-level column
        $results.value | Select-Object displayname, userPrincipalName, userType, externalUserState, externalUserStateChangeDateTime, creationType, createdDateTime, accountEnabled, `
            @{Name="lastSignInDateTime";Expression={$_.signInActivity.lastSignInDateTime}}, mail
        # Follow paging until Graph stops returning @odata.nextLink
        $uri = $results.'@odata.nextLink'
    } until ($null -eq $uri)
}

queryAADUserLastSignin | Export-Csv .\guest_export1.csv -NoTypeInformation

2 Replies
best response confirmed by Skipster311-1 (Iron Contributor)
Solution

@Skipster311-1 Azure AD does not provide retention of sign-in logs beyond 30 days. Some information may additionally be stored in the unified audit log though.

To answer your question more specifically: the information in Graph just contains the single timestamp when the last (non-)interactive sign-in happened. This is trivial to store for Microsoft and doesn't require Microsoft to keep all possible sign-in events. What you see in the sign-in log in Azure AD, though, are all events that happened, and as you can probably imagine, this can result in a lot of additional data that would need to be stored. I did some tests with storing sign-in events in an Azure Log Analytics workspace, and this was good for multiple TBs of data over a month, and that's only for one tenant. Imagine if they had to keep these sign-in events for all tenants!

Understood. Thank you again
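The distinction drawn in the accepted answer, as an added example that is not part of the original posts: it takes user objects shaped like the query's output and reports, per account, whether the last sign-in still falls inside the 30-day sign-in log window or survives only as the Graph timestamp. Assumptions: the helper name `Get-SignInEvidence` is hypothetical, the sample users and `.example` addresses are constructed, and it also reads `lastNonInteractiveSignInDateTime`, a `signInActivity` property that the question's query does not put in its output.

```powershell
# Added example: $sampleUsers is constructed data shaped like the `value` array
# the /users?$select=...,signInActivity query returns. No tenant is contacted.
$sampleUsers = @(
    [pscustomobject]@{ userPrincipalName = 'recent@contoso.example'      # constructed
        signInActivity = [pscustomobject]@{
            lastSignInDateTime               = '2023-08-04T09:15:00Z'
            lastNonInteractiveSignInDateTime = '2024-05-28T11:30:00Z' } }
    [pscustomobject]@{ userPrincipalName = 'stale@contoso.example'       # constructed
        signInActivity = [pscustomobject]@{
            lastSignInDateTime               = '2023-02-01T07:00:00Z'
            lastNonInteractiveSignInDateTime = $null } }
    [pscustomobject]@{ userPrincipalName = 'never@contoso.example'       # constructed
        signInActivity = $null }
)

function Get-SignInEvidence {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetimeoffset] $AsOf = [datetimeoffset]::UtcNow,
        [int] $LogRetentionDays = 30   # sign-in log retention stated in the answer
    )
    process {
        $activity = $User.signInActivity
        # Graph keeps one timestamp per sign-in type; take the most recent of the two.
        $last = @($activity.lastSignInDateTime, $activity.lastNonInteractiveSignInDateTime) |
            Where-Object { $_ } |
            ForEach-Object { [datetimeoffset]$_ } |
            Sort-Object | Select-Object -Last 1

        if ($null -eq $last) {
            $age = $null
            $source = 'none: no sign-in timestamp recorded'
        } else {
            $age = [int][math]::Floor(($AsOf - $last).TotalDays)
            $source = if ($age -le $LogRetentionDays) {
                'sign-in log: individual events still queryable'
            } else {
                'Graph timestamp only: events aged out of the log'
            }
        }
        [pscustomobject]@{
            userPrincipalName = $User.userPrincipalName
            lastAnySignIn     = $last
            daysSince         = $age
            evidence          = $source
        }
    }
}

# Fixed reference date so the constructed sample gives the same result on every run.
$sampleUsers | Get-SignInEvidence -AsOf '2024-06-01T00:00:00Z' | Format-Table -AutoSize
```

With real data, pipe the `value` objects from the Graph query into the function in place of `$sampleUsers` and omit `-AsOf`.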