Use Get-ADSignInLogs to collect the contents of the Azure Active Directory sign-in log.
Note
Important note This module requires the Graph Beta module. Install it using the command: 'Install-Module Microsoft.Graph.Beta'.
Running the script without any parameters will gather the Azure Active Directory sign-in log for the last 30 days:
Get-ADSignInLogs
Get the Azure Active Directory Audit Log before 2023-04-12:
Get-ADSignInLogs -endDate 2023-04-12
Get the Azure Active Directory Audit Log after 2023-04-12:
Get-ADSignInLogs -startDate 2023-04-12
- -startDate (optional)
- startDate is the parameter specifying the start date of the date range.
- -endDate (optional)
- endDate is the parameter specifying the end date of the date range.
- -OutputDir (optional)
- OutputDir is the parameter specifying the output directory.
- Default: The output will be written to: OutputAzureAD{date_SignInLogs}SignInLogs.json
- -Encoding (optional)
- Encoding is the parameter specifying the encoding of the JSON output file.
- Default: UTF8
- -UserIds (optional)
- UserIds is the UserIds parameter filtering the log entries by the account of the user who performed the actions.
- -MergeOutput (optional)
- MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
- -UserIds (optional)
- UserIds is the UserIds parameter filtering the log entries by the account of the user who performed the actions.
- -Interval (optional)
- Interval is the parameter specifying the interval in which the logs are being gathered.
- Default: 1440 minutes
The output will be saved to the 'AzureAD' directory within the 'Output' directory, with the file name 'SignInLogs.json'. Each time an acquisition is performed, the output JSON file will be overwritten. Therefore, if you perform multiple acquisitions, the JSON file will only contain the results from the latest acquisition.