Jan 23 2024 10:59 PM - edited Jan 24 2024 02:19 AM
Assuming I have an authorization token for a valid Entra/AAD user, and my back-end service has the necessary permissions to query all of Entra/AAD (including AuditLogs), how can I find the AuditLogs.SignIns entry or even just the DeviceDetail that matches the token? Pulling apart the JWT and looking at the all the data available in the SignIns/devices data that comes back from Microsoft Graph I can't see anything obvious that matches, though there are things like `
Jan 24 2024 12:09 AM
Jan 24 2024 02:18 AM - edited Jan 24 2024 02:43 AM
Hmm, interesting, none of that's in the token I have (it's actually a token acquired by a Sharepoint online webpart, but it's just a request to login.microsoftonline.com/.../oauth2/v2.0/authorize which sends back a page that redirects to https://<tenant>.sharepoint.com/_forms/spfxsinglesignon.aspx#access_token=<token>). This is all it has:
"iss": "https://sts.windows.net/c1fd1e38-<tenant-id>/",
"iat": 1706077938,
"nbf": 1706077938,
"exp": 1706083137,
"acr": "1",
"aio": "ATQAy/...",
"amr": [
"pwd"
],
"appid": "d382a6b7-<not-sure?>",
"appidacr": "0",
"family_name": "User",
"given_name": "Test",
"ipaddr": "48.xxx.yy.zzz",
"name": "Test User",
"oid": "e7af4b9b-...",
"rh": "0.AUIAOB79wc_...",
"scp": "custom-scope",
"sub": "acbBL4VK....",
"tid": "c1fd1e38-<tenant-id>",
"unique_name": "email address removed for privacy reasons",
"upn": "email address removed for privacy reasons",
"uti": "FLnAb1y...",
"ver": "1.0"
}
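As an added illustration (my own code, not from the poster or from Microsoft), here is how a back-end could correlate a v1.0 token like the one above with Microsoft Graph `/auditLogs/signIns` records. It assumes the sign-in entry's `uniqueTokenIdentifier` property carries the same value as the token's `uti` claim, and otherwise falls back to matching `oid`/`appid`/`ipaddr` against `userId`/`appId`/`ipAddress` inside a short window around `iat`. All identifiers, the token and the sign-in records are constructed samples; the token is decoded without signature verification purely to read claims for correlation, so validate it elsewhere before trusting anything in it.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# --- constructed sample data (placeholders, not real tenant/app/user ids) ---
CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "iat": 1706077938, "nbf": 1706077938, "exp": 1706083137,
    "amr": ["pwd"],
    "appid": "11111111-1111-1111-1111-111111111111",
    "ipaddr": "198.51.100.23",
    "oid": "22222222-2222-2222-2222-222222222222",
    "tid": "00000000-0000-0000-0000-000000000001",
    "uti": "FLnAb1yConstructedUti",
    "ver": "1.0",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# A compact JWS with a bogus signature, built only so the decoder has input.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps(CLAIMS).encode()),
    _b64url(b"not-a-real-signature"),
])

# Shape mirrors the fields a Graph signIn entry carries (constructed values).
SAMPLE_SIGNINS = [
    {"id": "sign-in-a", "createdDateTime": "2024-01-24T06:32:17Z",
     "userId": CLAIMS["oid"], "appId": CLAIMS["appid"],
     "ipAddress": CLAIMS["ipaddr"], "uniqueTokenIdentifier": CLAIMS["uti"],
     "deviceDetail": {"operatingSystem": "Windows10", "browser": "Edge 120.0.0"}},
    {"id": "sign-in-b", "createdDateTime": "2024-01-24T06:31:50Z",
     "userId": CLAIMS["oid"], "appId": CLAIMS["appid"],
     "ipAddress": CLAIMS["ipaddr"], "uniqueTokenIdentifier": "SomeOtherUti",
     "deviceDetail": {"operatingSystem": "Windows10", "browser": "Edge 120.0.0"}},
    {"id": "sign-in-c", "createdDateTime": "2024-01-23T18:00:00Z",
     "userId": CLAIMS["oid"], "appId": "33333333-3333-3333-3333-333333333333",
     "ipAddress": "203.0.113.9", "uniqueTokenIdentifier": "UnrelatedUti",
     "deviceDetail": {"operatingSystem": "iOS", "browser": "Safari"}},
]


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a compact JWS. No signature check: correlation only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _graph_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signin_filter(claims: dict, window: timedelta = timedelta(minutes=5)) -> str:
    """OData $filter narrowing /auditLogs/signIns to this user around token issue time."""
    issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lo, hi = (issued - window).strftime(fmt), (issued + window).strftime(fmt)
    return (f"userId eq '{claims['oid']}' and createdDateTime ge {lo} "
            f"and createdDateTime le {hi}")


def match_signins(claims: dict, signins: list, window: timedelta = timedelta(minutes=5)):
    """Return ("uti", [exact]) when uniqueTokenIdentifier == uti (assumed mapping),
    else ("heuristic", candidates) matched on user, app, IP and time proximity,
    nearest to iat first. An empty list means no sign-in entry was found."""
    uti = claims.get("uti")
    exact = [s for s in signins if uti and s.get("uniqueTokenIdentifier") == uti]
    if exact:
        return "uti", exact
    issued = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    candidates = [
        s for s in signins
        if s.get("userId") == claims.get("oid")
        and s.get("appId") == claims.get("appid")
        and s.get("ipAddress") == claims.get("ipaddr")
        and abs(_graph_time(s["createdDateTime"]) - issued) <= window
    ]
    candidates.sort(key=lambda s: abs(_graph_time(s["createdDateTime"]) - issued))
    return "heuristic", candidates


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print("Graph filter:", signin_filter(claims))
    how, hits = match_signins(claims, SAMPLE_SIGNINS)
    for hit in hits:
        print(how, hit["id"], hit["deviceDetail"])
```

The heuristic path is deliberately second choice: several sign-ins from the same user, app and IP can land inside the window (sign-in-b above), so anything beyond the `uti` match should be reported as a candidate set rather than a definitive answer. Note also that silently refreshed or cached tokens need not produce a fresh interactive sign-in entry at all, so an empty result is a legitimate outcome to handle.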