ActionPlans/Start-AzureADAuditSignInLogSearch.ps1
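#ToDo move Main to Function to . source in other APs

Function Search-AzureAdSignInAudit {
    <#
    .SYNOPSIS
        Queries Azure AD sign-in logs for the last N days and stores the results in global variables.
    .DESCRIPTION
        Builds an OData filter on createdDateTime (optionally narrowed to one userPrincipalName)
        and calls Get-AzureADAuditSignInLogs twice: once for all sign-ins and once for sign-ins
        whose status/errorCode is not 0. The results are written to $global:AzureAdSignInAll and
        $global:AzureAdSignInFail.
    .PARAMETER DaysToSearch
        Number of days to look back from the current date.
    .PARAMETER Upn
        Optional user principal name. When empty or whitespace, sign-ins for all users are queried.
    #>
    param(
        [int][Parameter(Mandatory=$true)] $DaysToSearch,
        [string][Parameter(Mandatory=$false)] $Upn)

    # Format the dates as zero-padded yyyy-MM-dd. Concatenating Year/Month/Day produced
    # literals such as 2024-1-5, which are not valid ISO 8601 dates for the filter.
    # InvariantCulture keeps the Gregorian calendar regardless of the session's culture.
    $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    $now = Get-Date
    $startDate = $now.AddDays(-$DaysToSearch).ToString('yyyy-MM-dd', $invariant)
    $endDate = $now.ToString('yyyy-MM-dd', $invariant)

    # NOTE(review): the upper bound is a date without a time. If the service reads it as
    # midnight, sign-ins from the current day are left out of the result - confirm.
    $dateClause = "createdDateTime ge $startDate and createdDateTime le $endDate"

    if ([string]::IsNullOrWhiteSpace($Upn)) {
        $filterAll = $dateClause
    }
    else {
        # The UPN is typed by the operator and ends up inside a quoted OData string.
        # A single quote (valid in a UPN, e.g. o'neil@...) would otherwise terminate the
        # literal and change the meaning of the filter; OData escapes it by doubling.
        $safeUpn = $Upn.Trim().Replace("'", "''")
        $filterAll = "userPrincipalName eq '$safeUpn' and $dateClause"
    }

    # Failed sign-ins are the same query with a non-zero error code.
    $filterFail = "$filterAll and status/errorCode ne 0"

    $global:AzureAdSignInAll = Get-AzureADAuditSignInLogs -Filter $filterAll
    $global:AzureAdSignInFail = Get-AzureADAuditSignInLogs -Filter $filterFail
}

Function Start-AzureADAuditSignInLogSearch {
    <#
    .SYNOPSIS
        Interactive action plan: asks for a time range and an optional UPN, runs
        Search-AzureAdSignInAudit and exports both result sets to CSV files.
    .DESCRIPTION
        Connects to the AzureADPreview workload, creates a timestamped export folder under
        $global:WSPath, caps the requested range at 30 days, exports all and failed sign-ins,
        then returns to the main menu.
    #>
    Clear-Host

    $Workloads = "AzureADPreview"
    Connect-O365PS $Workloads
    $CurrentProperty = "Connecting to: $Workloads"
    $CurrentDescription = "Success"
    # NOTE(review): "Success" is logged without checking the outcome of Connect-O365PS.
    # Unless that helper stops the script on failure, the log entry can be wrong - confirm.
    write-log -Function "Connecting to O365 workloads" -Step $CurrentProperty -Description $CurrentDescription

    Write-Host "Retrieving sign in logs is based on a preview feature!`n" -ForegroundColor Yellow
    Start-Sleep -Seconds 3

    # One timestamp is shared by the folder and both file names of this run.
    $ts = Get-Date -Format yyyyMMdd_HHmmss
    $ExportPath = "$global:WSPath\AzureADSignInAudit_$ts"
    mkdir $ExportPath -Force | Out-Null

    Write-Warning "Please be aware AzureAD Sign In logs availability is limited`r`nFor Azure AD Free you can retrieve 7 days`r`nFor Azure AD Premium P1/P2 you can retrieve 30days"

    [int]$DaysToSearch = Read-IntFromConsole -IntType "Number of days to investigate Azure AD Sign In Logs"
    if ($DaysToSearch -gt 30) {
        Write-Warning "We will only be able to provide a maximum of 30 days for this log"
        [int]$DaysToSearch = 30
    }
    elseif ($DaysToSearch -lt 1) {
        # Zero or a negative value would put the start of the range at or after its end.
        Write-Warning "The number of days must be at least 1; searching the last 1 day"
        [int]$DaysToSearch = 1
    }

    Write-Host "Please input the UPN for the user you want to search sign in logs (or just hit [Enter] to look for all users): " -ForegroundColor Cyan -NoNewline
    $Upn = Read-Host

    Search-AzureAdSignInAudit -DaysToSearch $DaysToSearch -Upn $Upn

    # The exported records identify users (the query filters on userPrincipalName), so the
    # export folder should be readable only by the people handling the investigation.
    # NOTE(review): values are written exactly as the service returned them. If any column
    # can hold text chosen by a third party, a spreadsheet may evaluate it as a formula
    # when the CSV is opened - confirm, and sanitise or open as text if so.
    $global:AzureAdSignInAll | Export-Csv "$ExportPath\AllSignInAuditLogs_$ts.csv" -NoTypeInformation
    $global:AzureAdSignInFail | Export-Csv "$ExportPath\FailSignInAuditLogs_$ts.csv" -NoTypeInformation

    Write-Host "Azure AD sign in logs (all and fail) have been exported to: $ExportPath" -ForegroundColor Green
    Read-Key

    # Return to the main menu
    Clear-Host
    Start-O365TroubleshootersMenu
}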