Recently, I was assigned the job of finding the most recent login information for EntraID/Microsoft 365 users. The purpose of this report is to identify individuals who haven’t logged into their devices for a long time. My main goal is to figure out if a user is still actively using the system, and my ultimate task is to disable accounts that haven’t been used in over six months.
In this blog post, we’ll explore various methods for listing and exporting the last login date and time information of Entra ID users. To achieve this, we’ll leverage a PowerShell cmdlet called Get-AzureADAuditSignInLogs, which is included in the AzureADPreview PowerShell module. This cmdlet enables us to fetch the sign-in logs of Entra ID users.
With the PowerShell cmdlet Get-AzureADAuditSignInLogs, you have the option to export all the sign-in data for a user. Below, I’ve outlined some of the relevant sign-in properties that you can retrieve using this cmdlet.
- User’s Object Id – Entra ID User’s Object ID information
- Last Sign in date and Time – This is the most recent sign-in log date and time information. The property name is called CreatedDateTime.
- User’s Display Name – Display Name information of the user. For example: Jatin Makhija
- UserPrincipalName – User Principal Name information of the user. For example jatin.makhija@cloudinfra.net
- Application Display Name – The application used for authentication. For example, when logging on to a Windows device, it shows as Windows Sign In.
- Device Id – The ID of the device the user signed in from to authenticate to Entra ID, as recorded in the sign-in log.
- Device Operating system – Device Operating System used for Sign-in. For example: Windows, macOS, etc.
- Device Compliance status – Compliance Status of the device. For example IsCompliant: True or False.
- Device Display Name – Device display name as it shows in Entra ID. For example Cloudinfra-net1
- Authentication failure reason – The reason an authentication attempt failed, if there was a failure.
- IP Address – The IP address of the device, which is also recorded in the sign-in logs.
- Client App Used – Whether a thick client or thin client was used to log on to Entra ID, such as a browser app or the Outlook app. For example: Mobile Apps and Desktop clients.
1. Get the Last Login Date/Time Information from Entra admin center
To obtain the Last Login Date and Time information of users from the Entra Admin Center, please follow these steps:
- Sign in to the Microsoft Entra admin center
- Under Identity, go to Users > All users
- Click on a user to check the Last Login information
- Click on Sign-in logs on the left-hand side
To identify the most recent log entry, simply look at the top of the list and examine the “Date” column, which displays the timestamp of the user’s last sign-in.
2. Get the Last Login Date/Time Information Using PowerShell [For One User]
As you’ve observed, it’s straightforward to check the Last Login Information for a single user through the Microsoft Entra Admin Center. However, when dealing with thousands of users, relying on the graphical user interface (GUI) for this task becomes unmanageable.
We will start by exploring how to retrieve the Last Login Information of a user using PowerShell. Then, we’ll proceed to learn how to export the Last Login information of users listed in a text file. Finally, we’ll cover how to export the Last Login information of all Entra ID users.
Before running the Get-AzureADAuditSignInLogs PowerShell cmdlet, you’ll need to install the Azure AD Preview module and establish a connection to Entra ID. Let’s go over the necessary steps:
Install the AzureADPreview PowerShell module
Install-Module -Name AzureADPreview
Connect to Entra ID/AzureAD
Connect-AzureAD
Fetch the Last Login date time of an Entra ID user
The following command will retrieve the last login date and time for a specific user. The “CreatedDateTime” attribute represents the timestamp of the last sign-in log, indicating when the user last connected to EntraID/M365.
Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName,'adelev@cloudinfra.net')" -top 1 | Select UserDisplayName, CreatedDateTime
3. Export the Last Login Date/Time Information Using PowerShell [For a List of Users]
Checking the last login details for a single user with a quick PowerShell command is easy, as we’ve seen before. However, if you have a list of users and want to find out when they last logged in and save that information in a CSV file, follow these steps:
- Before running the script, ensure that you have installed the AzureADPreview module and connected to Entra ID using the Connect-AzureAD cmdlet.
- Gather the UPNs of the users in a text file, one per line. You can utilize Get-MsolUser to get the UPN information of users.
- Don’t forget to update the $UPNlist variable with the path to your text file containing the User Principal Names (UPNs). For instance, you can set it like this:
$UPNlist = Get-Content <path_of_user_upn_text_file>
- The exported data will be saved in a file named “LastLogininfo.csv” in the “C:\temp” directory by default. If you prefer to store the report in a different location, you can modify the script accordingly.
- If a user has never logged in, the “LastLoginDate” column in the report will display “Never Logged In” to indicate that no previous login activity has been recorded for that user.
- Copy the PowerShell code below and save it in a file with a .ps1 extension. For example ExportLastlogin.ps1. Execute the script to export the data.

```powershell
<#
.DESCRIPTION
    This script exports users' last sign-in date and time from AzureAD.
    Copy the UPNs and provide the path of the text file in the $UPNlist variable.
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#>

# Skip blank lines: an empty UPN would make the startsWith filter match every user
$UPNlist = Get-Content C:\output\upn.txt | Where-Object { $_.Trim() }

$object = foreach ($upn in $UPNlist) {
    try {
        # Double any single quote so the UPN cannot break out of the filter string
        $safeUpn = $upn.Trim().Replace("'", "''")
        $signindata = Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName, '$safeUpn')" -Top 1

        if ($null -eq $signindata) {
            # No sign-in log entry was returned for this user
            [PSCustomObject]@{
                UserdisplayName = $upn
                LastLoginDate   = "Never Logged in"
            }
        }
        else {
            [PSCustomObject]@{
                UserdisplayName = $signindata.UserDisplayName
                LastLoginDate   = $signindata.CreatedDateTime
            }
        }
    }
    catch {
        Write-Error $_
    }
}

$object | Export-Csv C:\temp\LastLogininfo.csv -NoTypeInformation
```
- Here is an example of a report retrieved using the above script.
4. Export the Last Login Date/Time Information Using PowerShell [Of All Entra ID Users]
Earlier, we learned how to export the last login information for a list of Entra ID users read from a text file. Now, we will explore how to export the last login information for all Entra ID users using the PowerShell script below. Before running this script, please take note of the following key points:
- Before running the script, ensure that you have installed the AzureADPreview module and connected to Entra ID using the Connect-AzureAD cmdlet.
- Install the MSOnline PowerShell module using Install-Module -Name MSOnline.
- Connect to MSOnline using the Connect-MsolService cmdlet.
- Exported data will be stored in C:\temp\LastLogininfo.csv file. You can change the location in the script if you want to save the report in a different location.
- If the user has never logged on, the LastLoginDate column will show “Never Logged In”.
- Copy the PowerShell code below and save it in a file with a .ps1 extension. For example ExportLastlogin.ps1. Execute the script to export the data.

```powershell
<#
.DESCRIPTION
    This script exports the last sign-in date and time of all users from AzureAD.
    The user list is read with Get-MsolUser, so no UPN text file is needed.
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#>

$allUsers = Get-MsolUser -All

$object = foreach ($upn in $allUsers.UserPrincipalName) {
    try {
        # Double any single quote so the UPN cannot break out of the filter string
        $safeUpn = $upn.Replace("'", "''")
        $signindata = Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName, '$safeUpn')" -Top 1

        if ($null -eq $signindata) {
            # No sign-in log entry was returned for this user
            [PSCustomObject]@{
                UserdisplayName = $upn
                LastLoginDate   = "Never Logged in"
            }
        }
        else {
            [PSCustomObject]@{
                UserdisplayName = $signindata.UserDisplayName
                LastLoginDate   = $signindata.CreatedDateTime
            }
        }
    }
    catch {
        Write-Error $_
    }
}

$object | Export-Csv C:\temp\LastLogininfo.csv -NoTypeInformation
```
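Entra ID keeps sign-in logs for 30 days (7 days without a Premium license), so a “Never Logged in” row from the scripts above means no sign-in inside that window, not six months of inactivity. The following added example, which is not part of the original scripts, applies the six-month rule to the signInActivity property that Microsoft Graph stores on each user object. Assumptions: Get-InactiveAccount and New-SampleUser are hypothetical helper names, the sample records are constructed, six months is taken as 180 days, and the commented Get-MgUser call is the assumed live source.

```powershell
# Added example. Get-InactiveAccount is a hypothetical helper, not a module cmdlet.
# Assumed live source (Microsoft.Graph module, Entra ID P1/P2 license):
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
#   $users = Get-MgUser -All -Property UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity
function Get-InactiveAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 180,                      # assumption: six months = 180 days
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    begin { $cutoff = $Now.AddDays(-$InactiveDays) }
    process {
        if (-not $User.AccountEnabled) { return }       # already disabled, nothing to do
        $last = $User.SignInActivity.LastSignInDateTime
        if ($null -eq $last) {
            # Never signed in: flag only if the account itself predates the cutoff,
            # so a newly provisioned user is not disabled before first use.
            if ($User.CreatedDateTime -ge $cutoff) { return }
            $reason = 'Never signed in'
        }
        elseif ($last -ge $cutoff) { return }           # signed in inside the window
        else { $reason = 'Last sign-in before cutoff' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            LastSignIn        = $last
            Reason            = $reason
        }
    }
}

# Constructed sample records shaped like the Graph user objects requested above.
function New-SampleUser($Upn, $Enabled, $Created, $LastSignIn) {
    [pscustomobject]@{
        UserPrincipalName = $Upn; AccountEnabled = $Enabled; CreatedDateTime = [datetime]$Created
        SignInActivity    = [pscustomobject]@{ LastSignInDateTime = $LastSignIn }
    }
}
$users = @(
    New-SampleUser 'active@contoso.example'   $true  '2022-01-10' ([datetime]'2024-06-12')
    New-SampleUser 'stale@contoso.example'    $true  '2021-05-03' ([datetime]'2023-11-02')
    New-SampleUser 'never@contoso.example'    $true  '2023-03-01' $null
    New-SampleUser 'newhire@contoso.example'  $true  '2024-06-01' $null
    New-SampleUser 'disabled@contoso.example' $false '2020-02-14' ([datetime]'2022-08-19')
)

# Review list only; nothing is disabled here.
$users | Get-InactiveAccount -Now ([datetime]'2024-06-30') | Format-Table -AutoSize
```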
More Information
1. Get-AzureADAuditSignInLogs is not recognized
You might encounter an error message when attempting to retrieve a user’s last login information using the Get-AzureADAuditSignInLogs cmdlet or when executing a script that utilizes this cmdlet. The error message you may encounter is as follows:
```
Get-AzureADAuditSignInLogs : The term 'Get-AzureADAuditSignInLogs' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-AzureADAuditSignInLogs
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-AzureADAuditSignInLogs:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```
The error can be resolved by following these key points and ensuring that each one is addressed:
- To resolve the error, make sure you have the AzureADPreview PowerShell module installed on your device. If it’s not already installed, you can do so by using the “Install-Module -Name AzureADPreview” command.
- In case you encounter any issues, try running the command as an administrator with the “AllowClobber” and “Force” flags like this: “Install-Module -Name AzureADPreview -AllowClobber -Force” on a PowerShell console.
- To verify whether the AzureADPreview PowerShell module has been successfully installed, run Get-Command *azureadaudit* and check that the Get-AzureADAuditSignInLogs cmdlet is listed.
- It’s important to note that even if the AzureADPreview module has been installed successfully, you can still encounter the same error message if you don’t have the necessary permissions to read Entra ID sign-in logs. The error message, “Get-AzureADAuditSignInLogs is not recognized…,” may persist due to insufficient permissions to access this specific feature.
- To test and potentially resolve the issue, you can try elevating your permissions. If possible, grant yourself global administrator rights and then test if you still encounter the same error message when using the Get-AzureADAuditSignInLogs cmdlet. Often, this issue can be resolved by having the appropriate administrative privileges to access Entra ID sign-in logs.
Conclusion
In this blog post, we’ve covered the process of exporting the last login information for Entra ID users into a CSV file. Additionally, you have the option to list the last login information directly on the PowerShell console for a quick view by omitting the Export-CSV cmdlet from the script.
If you encounter any issues, please ensure that you’ve connected to AzureAD and the MSOnline service before running the script.