Home

Identifying all users who authenticate using Basic Auth via PowerShell?

%3CLINGO-SUB%20id%3D%22lingo-sub-321573%22%20slang%3D%22en-US%22%3EIdentifying%20all%20users%20who%20authenticate%20using%20Basic%20Auth%20via%20PowerShell%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-321573%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20possible%20to%20run%20a%20PS%20script%20of%20some%20sort%20which%20would%20identify%20all%20users%20who%20are%20connecting%20to%20O365%20services%20(Exchange)%20using%20basic%20auth.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20we%20run%20the%20report%20via%20the%20GUI%20in%20Azure%20AD%20Sign-In's%20blade%20and%20filter%20by%20'Client%20App'%20-%20this%20gives%20u%20the%20info%20we%20need%20but%20the%20export%20is%20limited%20to%205000%20events.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20way%20to%20extract%20this%20info%20to%20a%20CSV%20via%20PowerShell%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-321573%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-321663%22%20slang%3D%22en-US%22%3ERe%3A%20Identifying%20all%20users%20who%20authenticate%20using%20Basic%20Auth%20via%20PowerShell%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-321663%22%20slang%3D%22en-US%22%3E%3CP%3EUse%20the%20Azure%20AD%20blade%20or%20the%20Graph%20API.%20The%20%22Script%22%20button%20next%20to%20the%20%22Download%22%20one%20gives%20you%20a%20ready-to-use%20PowerShell%20script%20that%20queries%20the%20Graph%20API%20and%20fetches%20all%20the%20results%2C%20so%20you%20don't%20have%20to%20write%20your%20own.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20want%20to%20use%20%22standard%22%20PowerShell%2C%20your%20best%20bet%20is%20the%20Unified%20Audit%20Log%20in%20the%20SCC%2C%20which%20unfortunately%20has%20been%20plagued%20with%20issues%20lately.%20Still%2C%20you%20can%20try%20getting%20the%20results%20via%20the%20Search-UnifiedAuditLog%3C%2FP%3E%0A%3CP%3Ecmdlet%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fpolicy-and-compliance-audit%2Fsearch-unifiedauditlog%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fexchange%2Fpolicy-and-compliance-audit%2Fsearch-unifiedauditlog%3Fview%3Dexchange-ps%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-547588%22%20slang%3D%22en-US%22%3ERe%3A%20Identifying%20all%20users%20who%20authenticate%20using%20Basic%20Auth%20via%20PowerShell%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-547588%22%20slang%3D%22en-US%22%3EHi%20Steve%3CBR%20%2F%3E%3CBR%20%2F%3EI%20just%20tried%20your%20approach%20(GUI%20-%20Sign%20Ins%20blade%2C%20filter%20on%20Client%20app%20for%20last%201%20month)%20and%20when%20downloading%20the%20results%20to%20a%20CSV%20it%20obtains%20the%20first%20250%2C000%20records%20so%20maybe%20the%20limits%20have%20change%20between%20January%20and%20now.%3C%2FLINGO-BODY%3E
steve_elliott
Occasional Contributor

Is it possible to run a PS script of some sort which would identify all users who are connecting to O365 services (Exchange) using basic auth.

 

When we run the report via the GUI in Azure AD Sign-In's blade and filter by 'Client App' - this gives u the info we need but the export is limited to 5000 events.

 

Is there a way to extract this info to a CSV via PowerShell?

2 Replies

Use the Azure AD blade or the Graph API. The "Script" button next to the "Download" one gives you a ready-to-use PowerShell script that queries the Graph API and fetches all the results, so you don't have to write your own.

 

If you want to use "standard" PowerShell, your best bet is the Unified Audit Log in the SCC, which unfortunately has been plagued with issues lately. Still, you can try getting the results via the Search-UnifiedAuditLog

cmdlet: https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-unifi...

 

Hi Steve

I just tried your approach (GUI - Sign Ins blade, filter on Client app for last 1 month) and when downloading the results to a CSV it obtains the first 250,000 records so maybe the limits have change between January and now.
Related Conversations
yammer "download data" function
omochidayo in Yammer on
5 Replies
Total users on Skype for business
Chrizzly in Skype for Business IT Pro on
6 Replies
RDS Collections Not Showing
Tim Hunter in Windows Server for IT Pro on
4 Replies
SharePoint Groups: Help Me Understand
smithme in SharePoint Developer on
2 Replies
Power Query Merge Causing Dropped Rows
IlyaVee in Excel on
1 Replies