SOLVED

Using Microsoft Graph for Audit Logs


I'm trying to use Microsoft Graph to retrieve Windows Sign In logs from the previous day with the idea of creating reports based on the data.

 

The issue I'm having:

  • Getting the exact same user information on each paging (@odata.nextLink) even though the skip token is different, except after the sixth skip the URL within the odata.nextLink is repeating.

Any help in finding a resolution would be greatly appreciated.

 

 

Snapshot of my PowerShell script:

$Uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime gt 2019-12-02T12:00Z and createdDateTime lt 2019-12-02T20:01Z and appDisplayName eq 'Windows Sign In' and deviceDetail/operatingSystem eq 'Windows'&orderby=createdDateTime desc"


#$Uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns`?$filter=appDisplayName eq 'Windows Sign In' AND deviceDetail/operatingSystem eq 'Windows'&orderby=createdDateTime desc"

 

# Fetch all Signin Logs
$AuditLogRequest = Invoke-RestMethod -Uri $Uri -Headers $Header -Method Get -ContentType "application/json"

$AuditlogNextLink = $AuditLogRequest."@odata.nextLink"


while($AuditlogNextLink -ne $null)
{
    $Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}
    # Request the page that the previous response pointed to
    $AuditLogRequest = (Invoke-RestMethod -Uri $AuditlogNextLink -Headers $Header -Method Get -ContentType "application/json")

    $AuditlogNextLink = $AuditLogRequest.'@odata.nextLink'
    $AuditlogNextLink >> "D:\AzureADSignInError\nextLink.txt"
    $AuditLogs += $AuditLogRequest.value

    $LoginArray = New-Object System.Collections.Generic.List[System.Object]
    Foreach($AuditLog in $AuditLogs)
    {
        $DisplayName = $AuditLog.userDisplayName
        $EmailAddress = $AuditLog.userPrincipalName
        $UserObjectID = $AuditLog.userID
        $AppDisplayName = $AuditLog.appDisplayName
        $CreatedDate = $AuditLog.createdDateTime

        $DetailInfo = $AuditLog.deviceDetail
        $DeviceName = $DetailInfo.displayname
        $DeviceID = $DetailInfo.deviceId
        $DeviceOS = $DetailInfo.operatingSystem
        $DeviceTrustType = $DetailInfo.trustType

        $StatusInfo = $AuditLog.status
        $FailureReason = $StatusInfo.failureReason
        $ErrorCode = $StatusInfo.errorCode
        $AdditonalDetail = $StatusInfo.additionalDetails

        If($AppDisplayName -eq "Windows Sign In")
        {
            [int]$Counter++
            $AddDateTime = Get-date -UFormat $c
            If($ErrorCode -eq "0")
            {
                $ArrayData = $DisplayName + "|" + $EmailAddress + "|" + $AppDisplayName + "|" + $DeviceOS + "|" + $DeviceTrustType + "|" + $CreatedDate + "|" + $AddDateTime
                # Key used to export each user/device pair only once
                $Data = "$UserObjectID-$DeviceID"
                $AddToLog = $LoginArray.Contains("$Data")

                Write-host $AddToLog ".......................... $Data ..............................................................................................." -ForegroundColor DarkGray
                Write-host $DisplayName " ... " $AppDisplayName "|"$DeviceOS "|" $DeviceTrustType "|" $DeviceName "|" $ErrorCode "|" $FailureReason "|" $CreatedDate "|" $AddDateTime "|" $Counter -ForegroundColor Green

                If($AddToLog -eq $False)
                {
                    #$LoginArray += $Data
                    $LoginArray.Add($Data)
                    Write-host $Data -ForegroundColor Magenta

                    $ExportData = $DisplayName + "|" + $EmailAddress + "|" + $UserObjectID + "|" + $AppDisplayName + "|" + $DeviceOS + "|" + $DeviceTrustType + "|" + $DeviceName + "|" + $DeviceID + "|" + $CreatedDate + "|" + $AddDateTime
                    Out-File -FilePath $LogFile -InputObject $ExportData -Encoding UTF8 -append

                    $Data = $Null
                    $AddToLog = $Null
                }
            }
            ElseIf($ErrorCode -eq "50155") # 50155 - Device authentication failed for this user 50057 - device failed authentication
            {
                [int]$Counter++
                $errorreport = "$DeviceID ... $ErrorCode .... $FailureReason"
                Write-host $errorreport "................................................................................Count: " $Counter -ForegroundColor Cyan
                $errorreport >> "D:\AzureADSignInError\AzureSignInErrors.txt"
            }
            ElseIf($ErrorCode -eq "50057") # User account is disabled. The account has been disabled by an administrator.
            {
                [int]$Counter++
                $errorreport = "$EmailAddress ... $ErrorCode .... $FailureReason"
                Write-host $errorreport "................................................................................Count: " $Counter -ForegroundColor Cyan
                $errorreport >> "D:\AzureADSignInError\AzureSignInErrors.txt"
            }
            Else
            {
                [int]$Counter++
                $errorreport = "$EmailAddress ... $DeviceName ... $ErrorCode .... $FailureReason"
                Write-host $errorreport "................................................................................Count: " $Counter -ForegroundColor Cyan
                $errorreport >> "D:\AzureADSignInError\AzureSignInErrors.txt"
            }

        } # End Windows SignIn If statement
    } # End of Foreach Loop

} # End of While Loop

 

 

 

The @data.nextlink Screenshots

 

https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime+gt+2019-12-02T12%3a00Z+an...



 

3 Replies
best response confirmed by Larry Jones (Frequent Contributor)
Solution
Hi

I use this script to loop over sign-in logs, so this should be the same.
Could you test with this? If you can't adapt it to AuditLogs, feel free to reach out!

# Write-Log, $authToken and $user are not defined in this snippet.
$graphApiVersion = "v1.0"
$User_resource = "auditLogs/signIns?top=1000"
$uri = "https://graph.microsoft.com/$graphApiVersion/$User_resource"

$signins = @()
do {
    try {
        Write-Log "[INFO] - Getting all sign-in logs with uri - $uri"

        # Fetch one page and append its records
        $data = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get)
        $signins += $data.Value

        Write-Log "[INFO] - Got all sign-in logs for $user"

        # Empty on the last page, which ends the loop
        $uri = $data.'@odata.nextLink'
    }
    catch {
        # Read the error body returned by Graph so it can be logged
        $ex = $_.Exception
        $errorResponse = $ex.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        $reader.BaseStream.Position = 0
        $reader.DiscardBufferedData()
        $responseBody = $reader.ReadToEnd();
        Write-Log "[ERROR] - Getting sign-in Logs for $user"
        Write-Log "[ERROR] - Response content:`n$responseBody" -f Red
        Write-Log "[ERROR] - Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
    }
}
while($uri)
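
The paging pattern from this thread, as an added example that is not code from either poster: each page (the first included) is emitted exactly once, a repeated @odata.nextLink stops the run instead of looping, and sign-ins are reduced to the newest successful one per user and device. `Get-GraphPages`, `Get-LatestSignInPerDevice`, `New-SampleSignIn` and the sample pages are hypothetical and constructed; the `-Fetch` script block stands in for the Graph call so the block runs offline.

```powershell
# Added example. Function names and sample data below are hypothetical.

function Get-GraphPages {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [hashtable] $Headers,
        [scriptblock] $Fetch,     # optional stand-in for the HTTP call (offline runs)
        [int] $MaxPages = 1000
    )
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $count = 0
    while ($Uri) {
        # A nextLink that was already requested means the server is cycling.
        if (-not $seen.Add($Uri)) {
            throw "nextLink repeated after $count page(s), result set is incomplete: $Uri"
        }
        if ($count -ge $MaxPages) { throw "Stopped after $MaxPages pages" }
        $count++

        if ($Fetch) { $response = & $Fetch $Uri }
        else        { $response = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get }

        $response.value                      # emit this page's records once
        $Uri = $response.'@odata.nextLink'   # empty on the last page
    }
}

function Get-LatestSignInPerDevice {
    param([Parameter(ValueFromPipeline)] $SignIn)
    begin { $latest = @{} }
    process {
        # Keep successful Windows sign-ins only (errorCode 0).
        if ($SignIn.appDisplayName -ne 'Windows Sign In' -or $SignIn.status.errorCode -ne 0) { return }
        $key  = '{0}-{1}' -f $SignIn.userId, $SignIn.deviceDetail.deviceId
        $when = [datetime]$SignIn.createdDateTime
        # Newest record wins, so the result does not depend on server ordering.
        if (-not $latest.ContainsKey($key) -or $when -gt $latest[$key].LastSignIn) {
            $latest[$key] = [pscustomobject]@{
                User       = $SignIn.userPrincipalName
                Device     = $SignIn.deviceDetail.displayName
                DeviceId   = $SignIn.deviceDetail.deviceId
                LastSignIn = $when
            }
        }
    }
    end { $latest.Values }
}

# --- Constructed sample data (not real tenant data) ---
function New-SampleSignIn($user, $device, $time, $code = 0) {
    [pscustomobject]@{
        userId = $user; userPrincipalName = "${user}@contoso.example"
        appDisplayName = 'Windows Sign In'; createdDateTime = $time
        deviceDetail = [pscustomobject]@{ deviceId = $device; displayName = "PC-$device" }
        status = [pscustomobject]@{ errorCode = $code }
    }
}
$pages = @{
    'page1' = [pscustomobject]@{
        value = @((New-SampleSignIn u1 d1 '2019-12-02T13:00:00Z'),
                  (New-SampleSignIn u2 d2 '2019-12-02T14:00:00Z'))
        '@odata.nextLink' = 'page2'
    }
    'page2' = [pscustomobject]@{
        value = @((New-SampleSignIn u1 d1 '2019-12-02T19:55:00Z'),
                  (New-SampleSignIn u3 d3 '2019-12-02T15:00:00Z' 50155))
    }
    # A page whose nextLink points back at itself, like the repeating link in the question.
    'loop1' = [pscustomobject]@{
        value = @((New-SampleSignIn u4 d4 '2019-12-02T16:00:00Z'))
        '@odata.nextLink' = 'loop1'
    }
}
$fetch = { param($u) $pages[$u] }

# Normal run: two pages, one row per user/device pair.
Get-GraphPages -Uri 'page1' -Fetch $fetch | Get-LatestSignInPerDevice |
    Sort-Object User | Format-Table

# Cycling nextLink: the pager stops and reports it instead of looping.
try   { Get-GraphPages -Uri 'loop1' -Fetch $fetch | Out-Null }
catch { Write-Warning $_.Exception.Message }

# Live use (assumes $Header holds the bearer token, as in the thread):
# $filter = "createdDateTime gt 2019-12-02T12:00Z and createdDateTime lt 2019-12-02T20:01Z and appDisplayName eq 'Windows Sign In'"
# $uri = 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=' + [uri]::EscapeDataString($filter)
# Get-GraphPages -Uri $uri -Headers $Header | Get-LatestSignInPerDevice
```

Single-quoting the URL keeps `$filter` literal, so no backtick escaping is needed.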

@Thijs Lecomte thanks for responding.

I changed my loop from While to Do...While and that helped with the issue with paging ... thank you.

 

Due to the volume of audit logs and the time it takes to page through all the WindowsSignIn logs for 200+ users, I decided it would be quicker if I loop through each user and test to see if they log into their workstation. If they logged into their workstation I capture the most current information.

 

Thank You Again,

-Larry

 

 

@Larry Jones 

Hey Larry - I have a similar requirement to fetch the Windows Sign In logs for all the users in the last 30 days. Can you please share the script which worked for you?