Export Azure AD Sign-In Audit Logs using PowerShell

Azure AD Sign-In audit logs provide information about the usage of managed applications, user sign-in activities (successful and failed log-ins), and how resources are used by users. Administrators can easily view the sign-in logs from the Azure AD portal; for more information, see View and Download Sign-in Logs from Azure Portal. In this post, we will explore how to retrieve and export Azure AD Sign-In Logs using PowerShell.

We can use the Get-AzureADAuditSignInLogs cmdlet to get all the Azure AD sign-in logs. This cmdlet currently comes only with the AzureADPreview module. Before you start, install the AzureADPreview module and run the following command to connect to Azure AD.

Connect-AzureAD

The following command retrieves sign-in logs created after a certain date and time (2021-11-11 17:30 UTC).

Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2021-11-11T17:30:00.0Z"

Find sign-in logs by user or application

#Filter logs by user display name.
Get-AzureADAuditSignInLogs -Filter "userDisplayName eq 'Alex Wilber'"

#Filter logs by UserPrincipalName (user@example.com is a placeholder; use the user's UPN).
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'user@example.com'"

#Filter logs by Client Application name.
Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'Office 365 SharePoint Online'"

Find sign-in logs by Status code

The command below returns only sign-in logs with the success code (errorCode eq 0).

Get-AzureADAuditSignInLogs -Filter "status/errorCode eq 0" -All $true

Run the command below to get only failure logs (errorCode ne 0).

Get-AzureADAuditSignInLogs -Filter "status/errorCode ne 0" -All $true

Export All Sign-In Audit Logs to CSV using PowerShell

The command below gets all the Azure AD sign-in logs and exports the result to a CSV file.

Get-AzureADAuditSignInLogs -All $true |
    Export-CSV "C:\AzureADAuditSignInLogs.CSV" -NoTypeInformation -Encoding UTF8
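
The following is an added example, not code from the original post. It combines the date and failure filters shown above and selects the nested Status and Location fields explicitly so that each becomes a plain CSV column, then counts failures per user and source IP. The helper names ConvertTo-FlatSignIn and New-SampleSignIn, the output file name, and the sample records are assumptions made for illustration; the property names are assumed to match the sign-in objects the cmdlet returns.

```powershell
# Added example: flatten sign-in records for CSV export and summarise failures.
function ConvertTo-FlatSignIn {
    param([Parameter(ValueFromPipeline = $true)] $SignIn)
    process {
        [pscustomobject]@{
            CreatedDateTime   = $SignIn.CreatedDateTime
            UserPrincipalName = $SignIn.UserPrincipalName
            AppDisplayName    = $SignIn.AppDisplayName
            IpAddress         = $SignIn.IpAddress
            ErrorCode         = $SignIn.Status.ErrorCode       # nested under Status
            FailureReason     = $SignIn.Status.FailureReason   # nested under Status
            Country           = $SignIn.Location.CountryOrRegion
        }
    }
}

# Constructed sample records (not real data), shaped like the cmdlet's output.
function New-SampleSignIn($Time, $Upn, $Ip, $Code, $Reason) {
    [pscustomobject]@{
        CreatedDateTime = $Time; UserPrincipalName = $Upn; IpAddress = $Ip
        AppDisplayName  = 'Office 365 SharePoint Online'
        Status          = [pscustomobject]@{ ErrorCode = $Code; FailureReason = $Reason }
        Location        = [pscustomobject]@{ CountryOrRegion = 'US' }
    }
}
$signIns = @(
    New-SampleSignIn '2021-11-12T08:01:00Z' 'user1@example.com' '203.0.113.10' 50126 'constructed reason'
    New-SampleSignIn '2021-11-12T08:01:30Z' 'user1@example.com' '203.0.113.10' 50126 'constructed reason'
    New-SampleSignIn '2021-11-12T08:05:00Z' 'user2@example.com' '198.51.100.7' 50126 'constructed reason'
    New-SampleSignIn '2021-11-12T09:00:00Z' 'user2@example.com' '198.51.100.7' 0     ''
)

# With a live connection (Connect-AzureAD), replace the sample with both filters combined:
# $signIns = Get-AzureADAuditSignInLogs -All $true `
#     -Filter "createdDateTime gt 2021-11-11T17:30:00.0Z and status/errorCode ne 0"

# Keep failures only, flatten them, and export.
$failed  = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 } | ConvertTo-FlatSignIn
$outFile = Join-Path ([IO.Path]::GetTempPath()) 'AzureADFailedSignIns.csv'
$failed | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Failures per user and source IP, most frequent first, as a starting point for triage.
$failed | Group-Object UserPrincipalName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```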