Aug 02 2023
In Azure Active Directory, one can check sign-in logs. I want to query the interactive user sign-ins via Powershell / via Graph.
I retrieve all events I can get and filter on a specific IP. I get 92308 results and verify that they are all of type interactiveUser.
The next query, I additionally include a filter on interactiveUser. I should receive the same amount of events, however I receive only 3023 results, which is not even close to what I expected.
$IpFilter = '188.8.131.52'
$WithoutSignInType = Get-MgBetaAuditLogSignIn -All -Filter "(CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithoutSignInType | Group-Object SignInEventTypes
$WithSignInType = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t:t eq 'interactiveUser') and (CreatedDateTime ge 2020-01-01T00:00Z) and (IPAddress eq $IpFilter)"
$WithSignInType | Group-Object SignInEventTypes
View best response
Nov 05 2023
Resolved the issue by connecting to Graph with the following scopes:
Connect-Graph -Scopes AuditLog.Read.All,Directory.Read.All