ActionPlans/Start-AzureADAuditSignInLogSearch.ps1

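Function Search-AzureAdSignInAudit {
    <#
    .SYNOPSIS
    Queries Azure AD sign-in logs for the last N days, for one user or for all users.

    .DESCRIPTION
    Builds a filter on createdDateTime (and on userPrincipalName when a UPN is given)
    and calls Get-AzureADAuditSignInLogs twice: once for every sign-in in the window
    and once for sign-ins whose status/errorCode is not 0. Nothing is returned; the
    results are stored in $global:AzureAdSignInAll and $global:AzureAdSignInFail.

    .PARAMETER DaysToSearch
    Number of days before today at which the search window starts.

    .PARAMETER Upn
    User principal name to restrict the search to. Empty or whitespace-only means all users.
    #>
    param( 
        [int][Parameter(Mandatory=$true)] $DaysToSearch,
        [string][Parameter(Mandatory=$false)] $Upn)

    # Zero-padded, culture-independent yyyy-MM-dd; concatenating Year/Month/Day
    # produced values such as 2024-1-5.
    $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    $now = Get-Date
    $startDate = $now.AddDays(-$DaysToSearch).ToString('yyyy-MM-dd', $invariant)
    $endDate = $now.ToString('yyyy-MM-dd', $invariant)

    # NOTE(review): a date-only upper bound is presumably read as the start of that
    # day, which would leave out today's sign-ins - confirm against the service.
    $filterAll = "createdDateTime ge $startDate and createdDateTime le $endDate"

    # The user filter is applied only when a UPN was supplied. The original tested an
    # undefined variable ($userIds) with the branches swapped, so an "all users"
    # request was sent as userPrincipalName eq '' instead.
    if (-not [string]::IsNullOrWhiteSpace($Upn))
    {
        # The UPN is typed in by the operator: double any single quote so the value
        # stays inside the string literal and cannot alter the rest of the filter.
        $escapedUpn = $Upn.Trim().Replace("'", "''")
        $filterAll = "userPrincipalName eq '$escapedUpn' and $filterAll"
    }

    # Failed sign-ins: same window and user scope, non-zero error code only.
    $filterFail = "$filterAll and status/errorCode ne 0"

    $global:AzureAdSignInAll = Get-AzureADAuditSignInLogs -Filter $filterAll
    $global:AzureAdSignInFail = Get-AzureADAuditSignInLogs -Filter $filterFail
}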

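# Interactive action plan: connect to Azure AD, ask for a search window and an
# optional UPN, run the sign-in log search and export the results to CSV.
Clear-Host
$Workloads = "AzureADPreview"
Connect-O365PS $Workloads

# NOTE(review): "Success" is logged without inspecting the outcome of
# Connect-O365PS; confirm the helper stops the script on a failed connection.
$CurrentProperty = "Connecting to: $Workloads"
$CurrentDescription = "Success"
write-log -Function "Connecting to O365 workloads" -Step $CurrentProperty -Description $CurrentDescription 

Write-Host "Retrieving sign in logs is based on a preview feature!`n" -ForegroundColor Yellow
Start-Sleep -Seconds 3

# Timestamped export folder under the workspace path.
# NOTE(review): sign-in records identify users and usually carry client details
# such as IP addresses; confirm the folder under $global:WSPath is restricted to
# the operators who need it.
$ts= get-date -Format yyyyMMdd_HHmmss
$ExportPath = "$global:WSPath\AzureADSignInAudit_$ts"
mkdir $ExportPath -Force |out-null

# Re-prompt until the input is a whole number from 1 to 90. The original cast the
# raw input straight to [int], which errored on non-numeric text and accepted zero
# and negative values.
do
{
    Write-Host "Please input the number of days you want to search (maximum 90): " -ForegroundColor Cyan -NoNewline
    $daysInput = Read-Host
    $parsedDays = 0
    $daysAreValid = [int]::TryParse($daysInput, [ref]$parsedDays) -and ($parsedDays -ge 1) -and ($parsedDays -le 90)
    if (-not $daysAreValid)
    {
        Write-Host "Please enter a whole number between 1 and 90." -ForegroundColor Yellow
    }
} while (-not $daysAreValid)
[int]$DaysToSearch = $parsedDays


Write-Host "Please input the UPN for the user you want to search sign in logs (or just hit [Enter] to look for all users): " -ForegroundColor Cyan -NoNewline
# Trim stray whitespace so an accidental space is not sent as a user name.
$Upn = "$(Read-Host)".Trim()

Search-AzureAdSignInAudit -DaysToSearch $DaysToSearch -Upn $Upn

# The search stores its results in these two global variables.
# NOTE(review): values are written exactly as the service returned them; treat the
# CSV files as untrusted data when opening them in a spreadsheet, since a text
# field could begin with a formula character.
$global:AzureAdSignInAll | Export-Csv "$ExportPath\AllSignInAuditLogs_$ts.csv" -NoTypeInformation
$global:AzureAdSignInFail | Export-Csv "$ExportPath\FailSignInAuditLogs_$ts.csv" -NoTypeInformation
Write-Host "Azure AD sign in logs (all and fail) have been exported to: $ExportPath"
Read-Key

# Return to the main menu
Clear-Host
Start-O365TroubleshootersMenu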