Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

How to get Azure AD reports using Powershell?

Azure Active Directory audit logs (operations) and sign-in logs (authentication data) helps you trace all changes and any sign-in activity done within Azure AD. You can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting. Alternatively, you can use a comprehensive AD auditing solution like ADAudit Plus that will make things simple for you.

This article compares the method of getting Azure AD audit and sign-in logs using Windows PowerShell and ADAudit Plus.

Windows PowerShell

Steps to monitor Azure AD audit and sign-in logs using PowerShell:

  • To retrieve audit logs within Azure AD we can use the Get-AzureADAuditDirectoryLogs cmdlet.
  • Audit logs can be retrieved based on parameters such as dates, users, applications or logs containing a particular resource.
    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2020-04-15"
    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/user/displayName eq 'John Doe'"
    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/displayName eq 'Office 365'"
    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/displayName eq 'Active Directory Example')"
  • To get reports on sign-in logs in Azure AD, the Get-AzureADAuditSignInLogs cmdlet is used.
  • Similar parameters such as date, user, location and log with a given status can be retrieved.
    PS C:\>Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2020-04-215"
    PS C:\>Get-AzureADAuditSignInLogs -Filter "userDisplayName eq 'John Doe'"
    PS C:\>Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'Office 365'"
    PS C:\>Get-AzureADAuditSignInLogs -Filter "location/city eq 'Pleasanton' and location/state eq 'California' and location/countryOrRegion eq 'US'"
    PS C:\>Get-AzureADAuditSignInLogs -Filter "status/errorCode eq 0 -All $true"

ADAudit Plus

To obtain the report,

  • Log in to the ADAudit Plus web console.
  • Go to the Reports tab > Azure AD Tab > User Logon Reports.
  • Under User Logon Reports, you will find the below mentioned reports:
    • Logon Activity
    • Logon Failures
    • Logon Failures due to bad password
    • Logon Activity by IP Address
    • Hybrid Logon Activity
    • Logon Activity by Applications Each of these reports can be further filtered as per your needs.
  • Select the domain.
  • Select Export as to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

Screenshot:

azure-ad-reports-powershell-1

The following are the limitations of using Windows PowerShell to generate Azure AD audit and sign-in logs:

  • We can run the above script only from the computers which have Active Directory Domain Services role.
  • To change date formats and to apply different time zones on the date results, the script has to be modified or created each time.
  • It's difficult to export the report in other formats.
  • Applying more filters, like 'During business hours', 'Period', and 'Export as' will increase the LDAP query complexity.

ADAudit Plus on the other hand will swiftly generate reports by scanning all the DCs and these reports can be exported in multiple formats.

  • Avoid complex PowerShell-scripting, and simplify AD change auditing with ADAudit Plus.
  •  
  • By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.
  •  
  • Thanks!
  • Your download is in progress and it will be completed in just a few seconds! If you face any issues, download manually here.

Related Resources

ADAudit Plus Trusted By