Get Azure AD Last Login Date And Sign-In Activity

Every so often when I run an audit on my environment, I’m always finding myself needing to check recent activity logs to specifically get Azure AD last login date and sign-in activity. If you recall, I wrote a previous post to Get Last Logon Date For All Users in Your Domain, but that script is specifically for Onprem Active Directory domain activity.

In this instance, we’re going to focus our efforts on compiling an Azure last login report using PowerShell. Our report would include something similar to the following:

• CreatedDateTime: Date and Time of when the sign-in occurred
• UserPrincipalName: UPN of the user
• IsInteractive: Whether or not the user signed in manually, or if it was through automation
• AppDisplayName: Which app the user was logging into
• IpAddress: In some instances it will display the public IP, or internal IP
• TokenIssuerType: If the authentication happened in ADFS or Azure AD
• DeviceOS: The operating system of the device

You can also add properties to determine the City/State location, device detail such as System OS and what client was being used. The information that is provided is very rich and it’s up to you to choose what suits your needs.

The great thing is that you don’t need to re-invent the wheel because the Azure AD module already has a cmdlet that encompasses all of the information that I mentioned above. That command is Get-AzureADAuditSignInLogs

Get Azure AD Last Login Date And Sign-In Activity in Azure Portal

There are methods of getting the information that we need, and those 2 methods are the GUI method as well as the Powershell method. We’ll focus on the GUI method first.

• Navigate to https://portal.azure.com -> Azure AD -> User you want to check -> Sign-Ins

The GUI is probably preferred when you need to check a handful of users, but as you can see this option is not very scalable. For batch processing, we’ll turn over to trusty Powershell.

Get Azure AD Last Login Report Using PowerShell

As I mentioned already, if we want to scale this operation, the GUI is simply not going to cut it. Just think how long it will take to check 100 users, 10,000? yeah not happening. The good thing is that it’s relatively easy to do it using PS.

In my example, I’m going to check Buzz Lightyear as we did in the GUI just to confirm that the data we’re pulling is the same. I should mention that you’ll need to download the Azure AD (or Azure AD Preview) module. I, myself, like to use the Azure AD Preview module.

#Import the Azure AD Module
Import-Module AzureADPreview

#Connect to Azure AD
Connect-AzureAD -AccountId [email protected]

Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '[email protected]'" -Top 1 | `
select CreatedDateTime, UserPrincipalName, IsInteractive, AppDisplayName, IpAddress, TokenIssuerType, @{Name = 'DeviceOS'; Expression = {$_.DeviceDetail.OperatingSystem}}

The above works great for checking a single user or multiple users. If we wanted to check more users, we would either need the UPN or ObjectId of that user and do a foreach loop. Here’s what that would look like.

$UPNList = '[email protected]', '[email protected]', '[email protected]'

foreach ($User in $UPNList) {
    Get-AzureADAuditSignInLogs -Filter "UserPrincipalName eq '$User'" -Top 1 | `
    select CreatedDateTime, UserPrincipalName, IsInteractive, AppDisplayName, IpAddress, TokenIssuerType, @{Name = 'DeviceOS'; Expression = {$_.DeviceDetail.OperatingSystem}}
}

Conclusion

So there you have it, hopefully you found this article to get Azure AD last login date and sign-in activity useful and something you might be able to use in your org. Thankfully, the folks at Microsoft and Azure have this readily and easily available. If you like articles like this, be sure to check out our Azure category for more information on MS cloud. If you’re more into video learning, check out our Youtube Page for awesome sysadmin content.