Forum Discussion
EntilZha
Dec 03, 2019 | Iron Contributor
Using Microsoft Graph for Audit Logs
I'm trying to use Microsoft Graph to retrieve Windows Sign In logs from the previous day with the idea of creating reports based on the data. The issue I'm having: Getting the exact same user ...
Thijs Lecomte
Dec 03, 2019 | Bronze Contributor
Hi
I use this script to loop over signinlogs, so this should be the same.
Could you test with this? If you can't adapt it to AuditLogs, feel free to reach out!
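$graphApiVersion = "v1.0"
# OData query options take a "$" prefix; the backtick stops PowerShell expanding $top as a variable
$User_resource = "auditLogs/signIns?`$top=1000"
$uri = "https://graph.microsoft.com/$graphApiVersion/$User_resource"
$signins = @()
do {
    try {
        # Write-Log is a logging helper defined elsewhere in the script;
        # $authToken is the header hashtable carrying the Authorization header
        Write-Log "[INFO] - Getting all sign-in logs with uri - $uri"
        $data = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get)
        $signins += $data.Value
        Write-Log "[INFO] - Got all sign-in logs for $user"
        # Follow the next-page link; it is absent on the last page, which ends the loop
        $uri = $data.'@odata.nextLink'
    }
    catch {
        # Read the error body returned by Graph so it can be logged
        $ex = $_.Exception
        $errorResponse = $ex.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        $reader.BaseStream.Position = 0
        $reader.DiscardBufferedData()
        $responseBody = $reader.ReadToEnd();
        Write-Log "[ERROR] - Getting sign-in Logs for $user"
        Write-Log "[ERROR] - Response content:`n$responseBody" -f Red
        Write-Log "[ERROR] - Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        # Stop paging after a failure; otherwise the same URI would be requested again indefinitely
        $uri = $null
    }
}
while ($uri)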
- EntilZha | Dec 06, 2019 | Iron Contributor
Thijs Lecomte, thanks for responding.
I changed my loop from While to Do...While and that helped with the issue with paging ... thank you.
Due to the volume of audit logs and the time it takes to page through all the WindowsSignIn logs for 200+ users, I decided it would be quicker if I loop through each user and test to see if they log into their workstation. If they logged into their workstation I capture the most current information.
Thank You Again,
-Larry
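An alternative to paging the whole log or looping per user, as an added example that is not code from either poster: it filters server-side to one UTC day and one app, follows `@odata.nextLink`, and keeps each user's most recent record. The names `Get-LatestWindowsSignIn` and `-Fetch` and the sample records are constructed for illustration, and the `appDisplayName` value 'Windows Sign In' is assumed from the question's wording.

```powershell
# Added example, not code from the thread. Get-LatestWindowsSignIn and -Fetch are
# hypothetical names; $Headers is assumed to carry a valid Authorization header.
function Get-LatestWindowsSignIn {
    param(
        [hashtable]$Headers = @{},
        [datetime]$Day = (Get-Date).ToUniversalTime().Date.AddDays(-1),
        [string]$App = 'Windows Sign In',
        # Page fetcher is injectable so the loop can be exercised offline.
        [scriptblock]$Fetch = { param($u, $h) Invoke-RestMethod -Uri $u -Headers $h -Method Get }
    )
    # Filter server-side: one UTC day and one app, instead of paging the whole log.
    $from   = $Day.ToString('s') + 'Z'
    $to     = $Day.AddDays(1).ToString('s') + 'Z'
    $appLit = $App.Replace("'", "''")   # OData escapes a quote by doubling it
    $filter = "createdDateTime ge $from and createdDateTime le $to " +
              "and appDisplayName eq '$appLit'"
    # Single quotes keep PowerShell from expanding $top and $filter as variables.
    $uri = 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1000&$filter=' +
           [uri]::EscapeDataString($filter)
    $latest = @{}   # userPrincipalName -> most recent sign-in seen so far
    while ($uri) {
        try   { $page = & $Fetch $uri $Headers }
        catch { throw "Request to $uri failed: $($_.Exception.Message)" }  # never re-request blindly
        foreach ($s in $page.value) {
            $seen = $latest[$s.userPrincipalName]
            if (-not $seen -or [datetime]$s.createdDateTime -gt [datetime]$seen.createdDateTime) {
                $latest[$s.userPrincipalName] = $s
            }
        }
        $uri = $page.'@odata.nextLink'   # absent on the last page, so the loop stops
    }
    $latest.Values | Sort-Object userPrincipalName
}

# Constructed two-page response to exercise paging and the per-user reduction offline.
$pages = @{
    1 = [pscustomobject]@{ '@odata.nextLink' = 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$skiptoken=constructed'
        value = @(
            [pscustomobject]@{ userPrincipalName = 'a@contoso.example'; createdDateTime = '2019-12-02T08:01:00Z' }
            [pscustomobject]@{ userPrincipalName = 'b@contoso.example'; createdDateTime = '2019-12-02T09:30:00Z' }) }
    2 = [pscustomobject]@{ value = @(
            [pscustomobject]@{ userPrincipalName = 'a@contoso.example'; createdDateTime = '2019-12-02T17:45:00Z' }) }
}
$fake = { param($u, $h) if ($u -like '*skiptoken*') { $pages[2] } else { $pages[1] } }
Get-LatestWindowsSignIn -Fetch $fake | Format-Table userPrincipalName, createdDateTime
```

Against a real tenant, drop `-Fetch` and pass the header hashtable as `-Headers`; a user missing from the result had no matching sign-in that day.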