Get tenant signins
directorcia edited this page Apr 17, 2025 · 4 revisions
Designed to retrieve and report on user sign-in activities from a Microsoft 365 tenant using the Microsoft Graph API.
The script accepts five optional parameters:
- `$debug`: Enables debug logging to a text file
- `$csv`: Exports the results to a CSV file
- `$prompt`: Enables interactive prompts for user confirmation
- `$maxPages`: Controls the maximum number of pages to retrieve (default: 10)
- `$allPages`: When set, retrieves all available pages without limitation
The script includes comprehensive documentation:
- Disclaimer about using at your own risk
- Description: "Report on signins for tenant"
- Source: GitHub Repository
- Documentation: Wiki Link
- Prerequisites: MS Graph PowerShell module installation required
- Support: Author-provided contact info
Several variables are initialized:
- Color-coding variables for message types: `$systemmessagecolor`, `$processmessagecolor`, etc.
- Output file path for CSV export: `$outputFile = "..\graph-signins.csv"`
If the $debug parameter is set:
- Creates a log file (`graph-signins-get.txt`) in the parent directory
- Starts a transcript to capture all commands and outputs during execution
The script:
- Clears the console and displays a start message
- Connects to Microsoft Graph using `Connect-MgGraph` with scopes:
  - `AuditLog.Read.All` – Access to sign-in logs
  - `Directory.Read.All` – Access to directory information
- Retrieves context of the connected session
- Displays connected account info
- If `$prompt` is set, asks for confirmation to proceed
Includes a custom `Invoke-WithRetry` function:
- Accepts a script block to execute
- Retries up to a specified number of times (default: 3)
- Uses exponential backoff between attempts (2s initial, doubles each retry)
- Aligns with Azure best practices for transient failure handling
The script:
- Uses a stopwatch to measure total execution time
- Tracks individual API call performance per page
- Sets Graph API endpoint for sign-in logs
- Uses `$select` to retrieve specific fields: `clientAppUsed`, `ipAddress`, `isInteractive`, `userPrincipalName`, `createdDateTime`, `status`
- Limits result set to 100 records/page
- Initializes counters for pages and records
- Loops until either:
  - No more pages
  - Max page limit is reached (unless `$allPages` is set)
- For each page:
  - Measures retrieval time
  - Uses retry function for transient failures
  - Processes and formats results
  - Converts UTC to local time
  - Builds custom PowerShell objects
  - Gets next page URL
- Converts UTC timestamps to local time using:
  - `DateTime.ParseExact` with ISO 8601
  - `InvariantCulture` for region-independent parsing
  - Fallback and error handling for unparseable dates
- Interprets each sign-in:
  - `errorCode = 0` → Success
  - Otherwise → Failure with reason
- For >1000 records:
  - Uses batch processing (max batch size: 5000)
  - Prevents memory issues
- Formats results in a table
- Shows summary:
  - Total records retrieved
  - Number of pages processed
  - Total execution time
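
The retry, paging, timestamp and status handling described above, shown together as an added example that is not the project's own code. `Get-SignInPages`, `ConvertTo-LocalTime`, `$fetch`, `$fake` and the parameter names of `Invoke-WithRetry` are hypothetical, and the two pages of sign-in data are constructed so the example runs without a tenant connection.

```powershell
# Added example; function and variable names here are hypothetical.
function Invoke-WithRetry {
    param([scriptblock]$Action, [int]$MaxAttempts = 3, [int]$DelaySeconds = 2)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return & $Action }
        catch {
            if ($attempt -eq $MaxAttempts) { throw }   # out of attempts: surface the error
            Start-Sleep -Seconds $DelaySeconds
            $DelaySeconds *= 2                          # 2s, then 4s, ...
        }
    }
}
function ConvertTo-LocalTime {
    param([string]$Utc)
    $styles = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    try {
        [datetime]::ParseExact($Utc, "yyyy-MM-dd'T'HH:mm:ss'Z'",
            [Globalization.CultureInfo]::InvariantCulture, $styles).ToLocalTime()
    } catch { $Utc }                                    # fallback: keep the raw value
}
function Get-SignInPages {
    param([scriptblock]$GetPage, [string]$Uri, [int]$MaxPages = 10, [switch]$AllPages)
    $pages = 0
    while ($Uri -and ($AllPages -or $pages -lt $MaxPages)) {
        $page = Invoke-WithRetry -Action { & $GetPage $Uri }
        $pages++
        foreach ($s in $page.value) {
            $result = 'Success'
            if ($s.status.errorCode -ne 0) { $result = "Failure: $($s.status.failureReason)" }
            [pscustomobject]@{ User = $s.userPrincipalName
                               LocalTime = ConvertTo-LocalTime $s.createdDateTime
                               Result = $result }
        }
        $Uri = $page.'@odata.nextLink'                  # empty on the last page, ending the loop
    }
}
# Constructed sample pages standing in for Graph responses (not real tenant data).
$fake = @{
    page1 = @{ '@odata.nextLink' = 'page2'; value = @(@{ userPrincipalName = 'alice@contoso.example'
               createdDateTime = '2025-04-17T01:02:03Z'; status = @{ errorCode = 0 } }) }
    page2 = @{ value = @(@{ userPrincipalName = 'bob@contoso.example'; createdDateTime = 'not-a-date'
               status = @{ errorCode = 50126; failureReason = 'Invalid username or password' } }) }
}
$script:calls = 0   # the first call fails once to exercise the retry path
$fetch = { param($u) $script:calls++; if ($script:calls -eq 1) { throw 'transient' }; $fake[$u] }
# Against a tenant, $fetch would be: { param($u) Invoke-MgGraphRequest -Method GET -Uri $u }
Get-SignInPages -GetPage $fetch -Uri 'page1' | Format-Table -AutoSize
```

The first simulated call throws, so the run pauses for the 2-second initial backoff before the retry succeeds. The second record keeps its raw `createdDateTime` string because it does not parse.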
If $csv is set:
- Exports dataset to specified file
- Uses `Export-Csv -NoTypeInformation` for clean output
- Displays completion message
- If debug mode was enabled, stops transcript logging
This script follows Azure best practices:
- Authentication: Uses minimum required Graph scopes
- Retry logic: Exponential backoff for stability
- Error handling: Robust against failures
- Performance: Efficient field selection and pagination
- Large datasets: Optimized via batching
- Security audits & compliance reports
- Detecting suspicious sign-ins
- User access monitoring
- Troubleshooting login issues
Note: Script does not store credentials. It uses secure, interactive authentication via Microsoft Graph PowerShell SDK.