Identifying all users who authenticate using Basic Auth via PowerShell?

Occasional Contributor

Is it possible to run a PS script of some sort which would identify all users who are connecting to O365 services (Exchange) using basic auth.

 

When we run the report via the GUI in Azure AD Sign-In's blade and filter by 'Client App' - this gives u the info we need but the export is limited to 5000 events.

 

Is there a way to extract this info to a CSV via PowerShell?

3 Replies

Use the Azure AD blade or the Graph API. The "Script" button next to the "Download" one gives you a ready-to-use PowerShell script that queries the Graph API and fetches all the results, so you don't have to write your own.

 

If you want to use "standard" PowerShell, your best bet is the Unified Audit Log in the SCC, which unfortunately has been plagued with issues lately. Still, you can try getting the results via the Search-UnifiedAuditLog

cmdlet: https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-unifi...

 

Hi Steve

I just tried your approach (GUI - Sign Ins blade, filter on Client app for last 1 month) and when downloading the results to a CSV it obtains the first 250,000 records so maybe the limits have change between January and now.

@steve_elliott Why go to PowerShell, when you can generate in UI itself?! It's now easy as child play to find users who still use basic authentication.

Perks of this report:

1. This report gives a detailed analysis of users who are still using what kind of basic authentication protocol.

2. Secondly, these reports can be exported in multiple formats. Like, HTML, PDF, CSV, XLS, XLSX and RAW.

3. Not only download these basic authentication reports, but you can also set alerts and schedule these reports for getting notified instantly.

 

So, you don't have to look further anyways!