Using Microsoft Graph for Audit Logs

I'm trying to use Microsoft Graph to retrieve Windows Sign In logs from the previous day with the idea of creating reports based on the data.

The issue I'm having:

Getting the exact same user information on each paging (@odata.nextLink) even though the skip token is different, except after the sixth skip the the URL within the odata.nextLink is repeating.

Any help in finding a resolution would be greatly appreciative

Snapshot of my PowerShell script:

$Uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime gt 2019-12-02T12:00Z and createdDateTime lt 2019-12-02T20:01Z and appDisplayName eq 'Windows Sign In' and deviceDetail/operatingSystem eq 'Windows'&orderby=createdDateTime desc"

#$Uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns`?$filter=appDisplayName eq 'Windows Sign In' AND deviceDetail/operatingSystem eq 'Windows'&orderby=createdDateTime desc"

# Fetch all Signin Logs
$AuditLogRequest = Invoke-RestMethod -Uri $Uri -Headers $Header -Method Get -ContentType "application/json"

$AuditlogNextLink = $AuditLogRequest."@odata.nextLink"

while($AuditlogNextLink -ne $null)
{
$Header = @{Authorization = "$($Request.token_type) $($Request.access_token)"}
$AuditLogRequest = (Invoke-RestMethod -Uri $AuditlogNextLink –Headers $Header –Method Get -ContentType "application/json")

$AuditlogNextLink = $AuditLogRequest.'@odata.nextLink'
$AuditlogNextLink >> "D:\AzureADSignInError\nextLink.txt"
$AuditLogs += $AuditLogRequest.value

$LoginArray = New-Object System.Collections.Generic.List[System.Object]
Foreach($AuditLog in $AuditLogs)
{
$DisplayName = $AuditLog.userDisplayName
$EmailAddress = $AuditLog.userPrincipalName
$UserObjectID = $AuditLog.userID
$AppDisplayName = $AuditLog.appDisplayName
$CreatedDate = $AuditLog.createdDateTime

$DetailInfo = $AuditLog.deviceDetail
$DeviceName = $DetailInfo.displayname
$DeviceID = $DetailInfo.deviceId
$DeviceOS = $DetailInfo.operatingSystem
$DeviceTrustType = $DetailInfo.trustType

$StatusInfo = $AuditLog.status
$FailureReason = $StatusInfo.failureReason
$ErrorCode = $StatusInfo.errorCode
$AdditonalDetail = $StatusInfo.additionalDetails

If($AppDisplayName -eq "Windows Sign In")
{
[int]$Counter++
$AddDateTime = Get-date -UFormat $c
If($ErrorCode -eq "0")
{
$ArrayData = $DisplayName + "|" + $EmailAddress + "|" + $AppDisplayName + "|" + $DeviceOS + "|" + $DeviceTrustType + "|" + $CreatedDate + "|" + $AddDateTime
$Data = "$UserObjectID-$DeviceID"
$AddToLog = $LoginArray.Contains("$Data")

Write-host $AddToLog ".......................... $Data ..............................................................................................." -ForegroundColor DarkGray
Write-host $DisplayName " ... " $AppDisplayName "|"$DeviceOS "|" $DeviceTrustType "|" $DeviceName "|" $ErrorCode "|" $FailureReason "|" $CreatedDate "|" $AddDateTime "|" $Counter -ForegroundColor Green

If($AddToLog -eq $False)
{
#$LoginArray += $Data
$LoginArray.Add($Data)
Write-host $Data -ForegroundColor Magenta

$ExportData = $DisplayName + "|" + $EmailAddress + "|" + $UserObjectID + "|" + $AppDisplayName + "|" + $DeviceOS + "|" + $DeviceTrustType + "|" + $DeviceName + "|" + $DeviceID + "|" + $CreatedDate + "|" + $AddDateTime
Out-File -FilePath $LogFile -InputObject $ExportData -Encoding UTF8 -append

$Data = $Null
$AddToLog = $Null
}
}
ElseIf($ErrorCode -eq "50155")#50155 - Device authentication failed for this user 50057 - device failed authentication
{
[int]$Counter++
$errorreport = "$DeviceID ... $ErrorCode .... $FailureReason"
Write-host $errorreport "................................................................................Count: " $Counter -ForegroundColor Cyan
$errorreport >> "D:\AzureADSignInError\AzureSignInErrors.txt"
}
ElseIf($ErrorCode -eq "50057")#User account is disabled. The account has been disabled by an administrator.
{
[int]$Counter++
$errorreport = "$EmailAddress ... $ErrorCode .... $FailureReason"
Write-host $errorreport "................................................................................Count: " $Counter -ForegroundColor Cyan
$errorreport >> "D:\AzureADSignInError\AzureSignInErrors.txt"
}
Else
{
[int]$Counterr++
$errorreport = "$EmailAddress ... $DeviceName ... $ErrorCode .... $FailureReason"
Write-host $errorreport "................................................................................Count: " $Counter -ForegroundColor Cyan
$errorreport >> "D\AzureADSignInError:\AzureSignInErrors.txt"
}

}# End Windows SignIn If statment
}#End of Foreach Loop

} # End of While Loop

The @data.nextlink Screenshots

https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime+gt+2019-12-02T12%3a00Z+and+createdDateTime+lt+2019-12-02T20%3a01Z+and+appDisplayName+eq+%27Windows+Sign+In%27+and+deviceDetail%2foperatingSystem+eq+%27Windows%27&orderby=createdDateTime+desc&$skiptoken=0000000000000000000000000009d3e_2000

Azure Active Directory (AAD)

Thijs Lecomte
Dec 03, 2019
Hi

I use this script to loop over signinlogs, so this should be the same.
could you test with this. If you can't adapt it to AuditLogs, feel free to reach out!

$graphApiVersion = "v1.0"
$User_resource = "auditLogs/signIns?top=1000"
$uri = "https://graph.microsoft.com/$graphApiVersion/$User_resource"

$signins = @()
do{
try {
Write-Log "[INFO] - Getting all sign-in logs with uri - $uri"

$data = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get)
$signins += $data.Value

Write-Log "[INFO] - Got all sign-in logs for $user"

$uri = $data.'@odata.nextLink'
}

catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Log "[ERROR] - Getting sign-in Logs for $user"
Write-Log "[ERROR] - Response content:`n$responseBody" -f Red
Write-Log "[ERROR] - Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
}
}
while($uri)

Forum Discussion

Using Microsoft Graph for Audit Logs

Share

Resources