Get-MgBetaAuditLogSignIn with filter signInEventTypes does not return all results

David_Trevor · ‎Aug 02 2023

In Azure Active Directory, one can check sign-in logs. I want to query the interactive user sign-ins via Powershell / via Graph.

I retrieve all events I can get and filter on a specific IP. I get 92308 results and verify that they are all of type interactiveUser.

The next query, I additionally include a filter on interactiveUser. I should receive the same amount of events, however I receive only 3023 results, which is not even close to what I expected.

$IpFilter = '1.1.1.1'

$WithoutSignInType = Get-MgBetaAuditLogSignIn -All -Filter "(CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithoutSignInType | Group-Object SignInEventTypes
	Count Name
	----- ----
	92308 {interactiveUser}

$WithSignInType = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t:t eq 'interactiveUser') and (CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithSignInType | Group-Object SignInEventTypes
	Count Name
	----- ----
	3023 {interactiveUser}

David_Trevor · ‎Nov 05 2023

Resolved the issue by connecting to Graph with the following scopes:

Connect-Graph -Scopes AuditLog.Read.All,Directory.Read.All

Products (52)

Special Topics (28)

Video Hub (447)

Most Active Hubs

Most Active Hubs

Video Hub

Get-MgBetaAuditLogSignIn with filter signInEventTypes does not return all results

Get-MgBetaAuditLogSignIn with filter signInEventTypes does not return all results

Re: Get-MgBetaAuditLogSignIn with filter signInEventTypes does not return all results