Analyzing Azure Active Directory Sign-In Data with PowerShell

by AZURE SECURITY NEWS EDITOR
December 18, 2020

AzureADPreview Module Gives Insight into Sign-in Data

The Azure Active Directory PowerShell module (now renamed the Azure Active Directory PowerShell for Graph module) comes in two versions. The general availability version is intended for production, while the preview version (AzureADPreview) contains the cmdlets from the general availability version plus some new cmdlets still under development. The current version of the AzureADPreview module is 2.0.2.105, released in July.

The Get-AzureADAuditSignInLogs cmdlet exposes the Azure audit sign-in data that is also available through the Azure Active Directory portal (Figure 1), where up to a month of sign-in data can be browsed. You can download events from the portal in CSV or JSON format, and the same events are available to PowerShell.

Figure 1: Azure AD sign-ins (image credit: Tony Redmond)

Data downloaded to a CSV file can be opened and analyzed with Excel.

Checking the Last Sign-in for an Account

The availability of the data to PowerShell makes it possible to look at the information in a different way. For example, we can retrieve the last successful sign-in for an account by running a command like this:
```powershell
Get-AzureADAuditSignInLogs -Top 1 -Filter ("UserPrincipalName eq 'Kim.Akers@Office365itpros.com' and status/errorCode eq 0") | Format-Table CreatedDateTime, UserDisplayName

CreatedDateTime              UserDisplayName
---------------              ---------------
2020-07-28T13:50:39.0039859Z Kim Akers
```


It’s interesting to discover last sign-in data for tenant accounts (users now have an option to review their sign-in activity). Because guest accounts have a habit of lingering in tenants when not being used, the same technique can reveal the last sign-in for guest accounts. This code asks for the name of a guest and uses it to find matching accounts. For each account, we check the sign-ins and report how long ago the last sign-in was.
```powershell
$Guest = Read-Host "Enter name of guest account"
$Guests = Get-AzureADUser -SearchString $Guest
ForEach ($G in $Guests) {
   # Only guest accounts are of interest here
   If ($G.UserType -eq "Guest") {
      $UserLastLogonDate = $Null
      Try {
         $UserObjectId = $G.ObjectId
         # Most recent successful sign-in (errorCode 0) for this account
         $UserLastLogonDate = (Get-AzureADAuditSignInLogs -Top 1 -Filter "userid eq '$UserObjectId' and status/errorCode eq 0").CreatedDateTime }
      Catch {
         Write-Host "Can't read Azure Active Directory Sign in Logs" }
      If ($UserLastLogonDate -ne $Null) {
         $LastSignInDate = Get-Date($UserLastLogonDate); $Days = New-TimeSpan($LastSignInDate)
         Write-Host "Guest" $G.DisplayName "last signed in on" $LastSignInDate "or" $Days.Days "days ago" }
      Else { Write-Host "No Azure Active Directory sign-in data available for" $G.DisplayName "(" $G.Mail ")" }
   }
}

Enter name of guest account: Brian
Guest Brian Desmond last signed in on 03/08/2020 15:28 or 0 days ago
No Azure Active Directory sign-in data available for Brian Ricks (brianr@brian2.com)
```


It’s also possible to retrieve sign in information for individual users with Graph API calls.

Processing Sign-in Data

Raw data about someone’s sign-ins are interesting. The data is more useful if we do a little processing before attempting any analysis. This code finds the last month’s sign-in data and populates a PowerShell list object with information extracted from the sign-in records.
```powershell
# Fetches the last month's Azure Active Directory sign-in data
CLS; $StartDate = (Get-Date).AddDays(-30); $StartDate = Get-Date($StartDate) -format yyyy-MM-dd
Write-Host "Fetching data from Azure Active Directory..."
$Records = Get-AzureADAuditSignInLogs -Filter "createdDateTime gt $StartDate" -all:$True
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Rec in $Records) {
    # Error code 0 means success; otherwise keep the failure reason
    Switch ($Rec.Status.ErrorCode) {
      "0" {$Status = "Success"}
      default {$Status = $Rec.Status.FailureReason}
    }
    $ReportLine = [PSCustomObject] @{
           TimeStamp   = Get-Date($Rec.CreatedDateTime) -format g
           User        = $Rec.UserPrincipalName
           Name        = $Rec.UserDisplayName
           IPAddress   = $Rec.IpAddress
           ClientApp   = $Rec.ClientAppUsed
           Device      = $Rec.DeviceDetail.OperatingSystem
           Location    = $Rec.Location.City + ", " + $Rec.Location.State + ", " + $Rec.Location.CountryOrRegion
           Appname     = $Rec.AppDisplayName
           Resource    = $Rec.ResourceDisplayName
           Status      = $Status
           Correlation = $Rec.CorrelationId
           Interactive = $Rec.IsInteractive }
    $Report.Add($ReportLine) }
Write-Host $Report.Count "sign-in audit records processed."
```

The Applications People Use

The populated list allows me to gain some insight into the applications users are signing into. For example:
```powershell
$Report | Group AppName | Sort Count -Descending | Format-Table Count, Name

Count Name
----- ----
  577 Microsoft Teams Web Client
  113 Microsoft Exchange REST API Based Powershell
   99 Azure Active Directory PowerShell
   79 Office365 Shell WCSS-Client
   64 SharePoint Online Web Client Extensibility
   20 Office 365 SharePoint Online
   19 Microsoft Exchange Online Remote PowerShell
   15 Microsoft Teams Admin Portal Service
   12 Microsoft 365 Security and Compliance Center
   11 Exchange Filtering Service
    7 Microsoft Office 365 Portal
    4 Azure Portal
    3 Microsoft Stream Portal
    3 Microsoft Office Web Apps Service
    2 Ideas in Word Online SSO Client
    2 Microsoft Teams
    2 Office Online Client AAD- Loki
    2 Office Online Client AAD- Augmentation Loop
    1 Skype For Business Powershell Client Application
    1 O365 Suite UX
    1 Office 365 Reports
    1 ACOM Azure Website
    1 Graph explorer
    1 Office 365 Exchange Online
```


This data is interesting because it reveals how some Office 365 applications work. Many of the applications are instantly understandable, others are more obscure. Microsoft gives some odd names to clients, which is OK when an administrator looks at data, but is a real challenge for users when they review their sign-in data.

The data shows that Teams appears to be more heavily used than any other application, but that’s due to the way that Teams signs into many different resources when it starts up, including Exchange Online, SharePoint Online, and the Skype presence service. The new Exchange REST-based cmdlets are also heavily used, but the high number is accounted for by the way that the module reconnects to Exchange Online every so often during a session. There’s no trace of clients that might have signed on using modern authentication some time ago and are now using refresh tokens to keep connected to applications. The data is an insight into applications rather than a complete summary of workload usage across the tenant. For that, we’d need to dive into the Graph and access activity data.

Finding Where Users Sign-in From

Azure Active Directory captures a user’s location when they sign in. Here’s what I found in my tenant, which reveals a nice collection of sign-ins from different countries.
```powershell
$Report | Group Location | Sort Count -Descending | Format-Table Count, Name

Count Name
----- ----
  480 Dublin, Dublin, IE
  233 Ashburn, Virginia, US
  134 Nijmegen, Gelderland, NL
  118 Chicago, Illinois, US
   46 Sofiya, Sofiya-Grad, BG
   14 Togrenda, Akershus, NO
    6 Washington, Virginia, US
    2 Kleinpestitz/Mockritz, Sachsen, DE
    2 Oxford, Oxfordshire, GB
    2 Amsterdam, Noord-Holland, NL
    1 North York, Ontario, CA
    1 Seattle Hill-Silver Firs, Washington, US
    1 Brussels, Brussels, BE
```


You might be surprised at the number of locations where sign-ins to a tenant originate. A command like this will tell you who’s signing in from a location:
```powershell
$Report | ?{$_.Location -Like "*Sofiya*"} | Group User | Sort Count -Descending | Ft Count, Name
```
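The grouping by location and by status can be combined into a per-user review list. The following is an added example, not code from the original article: it flags accounts with repeated failed sign-ins or sign-ins from more than one country. The function name `Get-SignInReviewList`, its thresholds, and the sample rows (shaped like the `$Report` objects built earlier) are all constructed assumptions, so the block runs without a tenant connection.

```powershell
# Added example. Constructed sample rows with the same property names as the
# $Report objects created in "Processing Sign-in Data" (not real tenant data).
$SampleReport = @(
    [PSCustomObject]@{ User='kim.akers@contoso.example'; IPAddress='203.0.113.10'; Location='Dublin, Dublin, IE';      Status='Success' }
    [PSCustomObject]@{ User='kim.akers@contoso.example'; IPAddress='203.0.113.10'; Location='Dublin, Dublin, IE';      Status='Success' }
    [PSCustomObject]@{ User='ben.owens@contoso.example'; IPAddress='203.0.113.22'; Location='Dublin, Dublin, IE';      Status='Success' }
    [PSCustomObject]@{ User='ben.owens@contoso.example'; IPAddress='198.51.100.5'; Location='Sofiya, Sofiya-Grad, BG'; Status='Success' }
    [PSCustomObject]@{ User='guest1@partner.example';    IPAddress='198.51.100.7'; Location=', , ';                    Status='Invalid username or password' }
    [PSCustomObject]@{ User='guest1@partner.example';    IPAddress='198.51.100.7'; Location=', , ';                    Status='Invalid username or password' }
    [PSCustomObject]@{ User='guest1@partner.example';    IPAddress='198.51.100.7'; Location=', , ';                    Status='Invalid username or password' }
    [PSCustomObject]@{ User='guest1@partner.example';    IPAddress='198.51.100.8'; Location=', , ';                    Status='Invalid username or password' }
)

function Get-SignInReviewList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Report,
        [int] $MaxFailures  = 3,   # hypothetical threshold: flag above this many failures
        [int] $MaxCountries = 1    # hypothetical threshold: flag above this many countries
    )
    foreach ($Group in ($Report | Group-Object -Property User)) {
        # The report stores "Success" or the failure reason in Status
        $Failures = @($Group.Group | Where-Object { $_.Status -ne 'Success' })

        # Location is "City, State, Country"; the last element is the country.
        # Records with no location data come through as ", , " and are skipped.
        $Countries = @($Group.Group |
            ForEach-Object { ($_.Location -split ',')[-1].Trim() } |
            Where-Object { $_ } | Sort-Object -Unique)

        $FailureIPs = @($Failures | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)

        $Reasons = @()
        if ($Failures.Count  -gt $MaxFailures)  { $Reasons += "$($Failures.Count) failed sign-ins" }
        if ($Countries.Count -gt $MaxCountries) { $Reasons += "sign-ins from $($Countries.Count) countries" }

        # Emit a row only for accounts that tripped at least one threshold
        if ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                User       = $Group.Name
                SignIns    = $Group.Count
                Failures   = $Failures.Count
                Countries  = $Countries -join ', '
                FailureIPs = $FailureIPs -join ', '
                Reason     = $Reasons -join '; '
            }
        }
    }
}

Get-SignInReviewList -Report $SampleReport |
    Sort-Object Failures -Descending | Format-Table -AutoSize
```

Against live data, pass the `$Report` list built earlier instead of `$SampleReport` and tune the thresholds to the tenant's normal sign-in pattern.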

No New Data – Just Better Access

The data is the data. PowerShell won’t uncover insights that you can’t get by browsing sign-in data through the Azure Active Directory portal or in Excel after downloading the sign-in data from the portal. However, because PowerShell can access sign-in data, you can now include the data in scripts should you ever need to report or analyze user sign-in activity. And that’s nice.

Reference: https://petri.com/azuread-signin-powershell
