Direct Inward Dialing: +1 408 916 9892
Azure Active Directory audit logs (operations) and sign-in logs (authentication data) helps you trace all changes and any sign-in activity done within Azure AD. You can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting. Alternatively, you can use a comprehensive AD auditing solution like ADAudit Plus that will make things simple for you.
This article compares the method of getting Azure AD audit and sign-in logs using Windows PowerShell and ADAudit Plus.
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2020-04-15"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/user/displayName eq 'John Doe'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/displayName eq 'Office 365'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/displayName eq 'Active Directory Example')"
PS C:\>Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2020-04-215"
PS C:\>Get-AzureADAuditSignInLogs -Filter "userDisplayName eq 'John Doe'"
PS C:\>Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'Office 365'"
PS C:\>Get-AzureADAuditSignInLogs -Filter "location/city eq 'Pleasanton' and location/state eq 'California' and location/countryOrRegion eq 'US'"
PS C:\>Get-AzureADAuditSignInLogs -Filter "status/errorCode eq 0 -All $true"
Screenshot:
The following are the limitations of using Windows PowerShell to generate Azure AD audit and sign-in logs:
ADAudit Plus on the other hand will swiftly generate reports by scanning all the DCs and these reports can be exported in multiple formats.