Get last sign in for the last 30 days, Get-MgAuditLogSignIn - PowerShell

Question

I am trying to make a powershell script that get's the user last sign in for the last 30 days but I am unable to due it only gets last sign in for the last 24 hours

I would like to grab the last sign in logs with the filter up to 30 days of last sign in of a user. Thanks in advance for those will assist on my concern!

Import-Module Microsoft.Graph.Reports

Connect-AzureAD

# Connect to Microsoft Graph with the required permissions
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Retrieve all users and their properties from a text file
$users = Get-Content "$Env:USERPROFILE\Desktop\list.txt"

# Define date range for sign-in logs
$dateRange = (Get-Date).AddMonths(-1)

# Loop through each user and output their properties
$results = foreach ($user in $users) {
    # Retrieve user properties
    $userOutput = Get-AzureADUser -ObjectId $user | Select-Object DisplayName, UserPrincipalName, AccountEnabled

    # Output user properties
    if ($userOutput) {
        # Retrieve sign-in logs for user in the last month
        $signInLogs = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$user' and createdDateTime ge $($dateRange.ToString('yyyy-MM-ddTHH:mm:ssZ'))" | Sort-Object -Property createdDateTime -Descending

        if ($signInLogs) {
            $signIn = $signInLogs[0].CreatedDateTime
            $lastSignIn = $signIn.AddHours(-4).ToString("MMM dd, yyyy, h:mm tt")
        } else {
            $lastSignIn = "Never"
        }

        Write-Host "User found: $($userOutput.DisplayName) $($userOutput.UserPrincipalName) $($lastSignIn)"

        [PSCustomObject]@{
            DisplayName = $userOutput.DisplayName
            UserPrincipalName = $userOutput.UserPrincipalName
            EmployeeID = $userOutput.EmployeeId
            Enabled = $userOutput.AccountEnabled
            LastSignIn = $lastSignIn
        }
    }
}

# Export the results to a CSV file
$results | Export-Csv -Path "$Env:USERPROFILE\Desktop\user_properties.csv" -NoTypeInformation

Answer 1

You can extract the last sign in even if it's up to 30 days filter with the code below. So yeah, I answered mine xd.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

#Make sure to use Connect-MGGraph on the top of your script


        $userOutput = Get-MgUser -Filter "userPrincipalName eq '$user'" -Property DisplayName, UserPrincipalName, AccountEnabled, SignInActivity

#You can remove negative 4 hours below if you want. I just added mine to show exact date/time on my local time.

        if ($userOutput.SignInActivity) {
            $signIn = $userOutput.SignInActivity.LastSignInDateTime.AddHours(-4)
            $lastSignIn = $signIn.ToString("MMM dd, yyyy, h:mm tt")
        } else {
            $lastSignIn = "Never"
        }

Answer 2

You can do it directly using the -filter parameter using the correct format (I tore my hair out for days with this myself!!)

The correct format is:

$lastDay = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

$auditLogs = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '[email protected]' and CreatedDateTime ge $lastDay"
$auditLogs