<##################################################################################################
#
.SYNOPSIS
1. This script exports sign-in details for users holding privileged roles, using the Azure AD Incident Response PowerShell module
2. You can set the Output Path using the variable $OutputPath, or just run the script and it will prompt
3. Specify the primary $DomainName associated with the tenant in order to run the script, or it will prompt
4. You must have the AzureADIncidentResponse PowerShell module installed in order to use this script, i.e.:
Install-Module AzureADIncidentResponse
.NOTES
FileName: Export-PrivilegedUserSignIn.ps1
Author: Alex Fields
Created: June 2021
Revised: June 2021
#>
###################################################################################################
<#
Import-Module AzureAD
Import-Module AzureADIncidentResponse
#>
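#############################################################
## Gather the parameters
## You may set the parameters in the script or enter them at the prompt.
## NOTE: the exported CSV files hold sign-in records for privileged accounts,
## so choose an output location whose access is limited to the investigation team.
$DomainName = ""
$OutputPath = ""

## Prompt until a non-empty output path is supplied; an empty value would make
## the existence check and the directory creation below fail.
while ([string]::IsNullOrWhiteSpace($OutputPath)) {
    Write-Host
    $OutputPath = Read-Host 'Enter the output path, e.g. C:\IROutput'
}

## If the output path does not exist as a directory, create it.
## -LiteralPath keeps characters such as [ ] from being treated as wildcards.
## -ErrorAction Stop ends the script here rather than letting every later export fail.
if (!(Test-Path -LiteralPath $OutputPath -PathType Container)) {
    Write-Host
    Write-Host "Output path does not exist, so the directory will be created." -ForegroundColor Yellow
    New-Item -ItemType Directory -Path $OutputPath -ErrorAction Stop | Out-Null
}

## The domain name is used as a directory name under the output path, so prompt
## until it is non-empty and free of path separators, other characters that are
## invalid in a file name, and dot-only names such as "..".
$InvalidNameChars = [System.IO.Path]::GetInvalidFileNameChars()
while ([string]::IsNullOrWhiteSpace($DomainName) -or
       $DomainName.IndexOfAny($InvalidNameChars) -ge 0 -or
       $DomainName -match '^\.+$') {
    Write-Host
    $DomainName = Read-Host 'Enter the primary domain name associated with the tenant'
}

## Create the per-domain sub-directory that receives the CSV files.
$DomainSubDir = Join-Path $OutputPath $DomainName
if (!(Test-Path -LiteralPath $DomainSubDir -PathType Container)) {
    Write-Host
    Write-Host "Domain sub-directory does not exist, so the sub-directory will be created." -ForegroundColor Yellow
    New-Item -ItemType Directory -Path $DomainSubDir -ErrorAction Stop | Out-Null
}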
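#############################################################
## Get the tenant ID and connect to Azure AD
$TenantID = Get-AzureADIRTenantId -DomainName $DomainName

## Stop if the lookup returned nothing; connecting and querying with an empty
## tenant ID would only produce a series of confusing errors further down.
if (!$TenantID) {
    throw "Could not resolve a tenant ID for domain '$DomainName'. Check the domain name."
}

## Show the resolved tenant so the operator can confirm it is the tenant under
## investigation before signing in (a mistyped domain can resolve to another tenant).
Write-Host "Resolved tenant ID: $TenantID" -ForegroundColor Yellow
Connect-AzureADIR -TenantId $TenantID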
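#############################################################
## Export the sign-in detail of every user that holds a privileged role assignment.
## One CSV per user is written to <OutputPath>\<DomainName>\<label>-SignInDetail.csv
$PrivUsers = Get-AzureADIRPrivilegedRoleAssignment -TenantId $TenantID | Where-Object RoleMemberObjectType -EQ User
$ExportDir = Join-Path $OutputPath $DomainName
$BadChars = [System.IO.Path]::GetInvalidFileNameChars()

## Object IDs already exported. A user holding several roles appears once per
## assignment; without this the same sign-ins are queried and written repeatedly.
$Exported = @{}

foreach ($User in $PrivUsers) {
    ## NOTE(review): the lookup is by display name, and display names are not
    ## guaranteed unique in Azure AD, so it can return no match or several.
    $DisplayToID = Get-AzureADIRDisplayNameToObjectId -DisplayName $User.RoleMemberName -ObjectType User
    $ObjectIds = @($DisplayToID.ObjectId | Where-Object { $_ })

    if ($ObjectIds.Count -eq 0) {
        Write-Warning "No object ID found for display name '$($User.RoleMemberName)'; skipping."
        continue
    }

    $Ambiguous = $ObjectIds.Count -gt 1
    if ($Ambiguous) {
        Write-Warning "Display name '$($User.RoleMemberName)' matches $($ObjectIds.Count) users; exporting each one separately. Confirm which object ID holds the privileged role."
    }

    foreach ($ObjectId in $ObjectIds) {
        if ($Exported.ContainsKey($ObjectId)) { continue }
        $Exported[$ObjectId] = $true

        ## Privileged accounts often have no mail attribute. Fall back to the
        ## display name, then the object ID, so that such accounts do not all
        ## write to the same "-SignInDetail.csv" file and overwrite each other.
        $Label = $User.RoleMemberMail
        if ([string]::IsNullOrWhiteSpace($Label)) { $Label = $User.RoleMemberName }
        if ([string]::IsNullOrWhiteSpace($Label)) { $Label = $ObjectId }
        if ($Ambiguous) { $Label = "$Label-$ObjectId" }

        ## Replace characters that are invalid in a file name (including path
        ## separators) so the label cannot redirect the export outside $ExportDir.
        $SafeLabel = $Label.Split($BadChars) -join '_'
        $CsvPath = Join-Path $ExportDir "${SafeLabel}-SignInDetail.csv"

        $SignInDetail = Get-AzureADIRSignInDetail -TenantId $TenantID -UserId $ObjectId
        if (!$SignInDetail) {
            ## An absence of sign-ins is itself a finding for a privileged account, so report it.
            Write-Host "No sign-in records returned for $Label (object ID $ObjectId)."
        } else {
            ## -NoTypeInformation omits the "#TYPE" header line that Windows PowerShell adds.
            $SignInDetail | Export-Csv -LiteralPath $CsvPath -NoTypeInformation
        }
    }
}
Write-Host
Write-Host "See the output in the domain subdirectory." -ForegroundColor Cyan
Write-Host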