Azure AD PowerShell cmdlets for reporting

Note

These PowerShell cmdlets currently only work with the Azure AD Preview Module. Please note that the preview module is not suggested for production use.

To install the public preview release, use the following.

Install-module AzureADPreview

For more infromation on how to connect to Azure AD using PowerShell, please see the article Azure AD PowerShell for Graph.

With Azure Active Directory (Azure AD) reports, you can get details on activities around all the write operations in your direction (audit logs) and authentication data (sign-in logs). Although the information is available by using the MS Graph API, now you can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting.

This article gives you an overview of the PowerShell cmdlets to use for audit logs and sign-in logs.

Audit logs

Audit logs provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles, and policies.

You get access to the audit logs using the `Get-AzureADAuditDirectoryLogs cmdlet.

Scenario PowerShell command
Application Display Name Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/displayName eq 'Azure AD Cloud Sync'"
Category Get-AzureADAuditDirectoryLogs -Filter "category eq 'ApplicationManagement'"
Activity Date Time Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2019-04-18"
All of the above Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/displayName eq 'Azure AD Cloud Sync' and category eq 'ApplicationManagement' and activityDateTime gt 2019-04-18"

The following image shows an example for this command.

Screenshot shows the result of the Get-Azure A D Audit Directory Logs command.

Sign-in logs

The sign-ins logs provide information about the usage of managed applications and user sign-in activities.

You get access to the sign-in logs using the `Get-AzureADAuditSignInLogs cmdlet.

Scenario PowerShell command
User Display Name Get-AzureADAuditSignInLogs -Filter "userDisplayName eq 'Timothy Perkins'"
Create Date Time Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2019-04-18T17:30:00.0Z" (Everything since 5:30 pm on 4/18)
Status Get-AzureADAuditSignInLogs -Filter "status/errorCode eq 50105"
Application Display Name Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'StoreFrontStudio [wsfed enabled]'"
All of the above Get-AzureADAuditSignInLogs -Filter "userDisplayName eq 'Timothy Perkins' and status/errorCode ne 0 and appDisplayName eq 'StoreFrontStudio [wsfed enabled]'"

The following image shows an example for this command.

Screenshot shows the result of the Get-Azure A D Audit Sign In Logs command.

Next steps