PowerShell: Export Last Login Date of Entra ID Users

Photo of author
Jatin Makhija
0

Recently, I got a task to find the most recent sign-in information of all Entra ID/Microsoft 365 users in my organization and export it in a CSV file. Using this report, we wanted to get a list of users who have not connected to Entra ID or used any Microsoft 365 services for a long time and deactivate their account. The scenario could be different in your case, however this report is really useful to list inactive users.

In this blog post, we will explore different methods for listing and exporting Entra ID users last login date and time information. We will use GUI method and also powershell cmdlets like Get-AzureADAuditSignInLogs, included in AzureADPreview PS module. This cmdlet enables us to fetch the sign-in logs of Entra ID users.

Powershell cmdlet Get-AzureADAuditSignInLogs can export all Sign-in data for an Entra ID user. I have listed some of the relevant sign in data we can retrieve for a user:

  • User’s Object Id – Entra ID User’s Object ID information.
  • Last Sign-in Date and Time – This is the most recent sign-in log date and time information. The property name is CreatedDateTime.
  • User’s Display Name – Users display name.
  • UserPrincipalName – User Principal Name information of the user. For example jatin.makhija@cloudinfra.net
  • Application Display Name: Which application is being used for Authentication? For example: When logging on to a Windows device, It will show as Windows Sign In.
  • Device ID – The user will sign in from a device to authenticate to Entra ID; that device ID will be recorded in the sign-in log.
  • Device Operating system – Device Operating System is used for sign-in. For example: Windows, macOS, etc.
  • Device Compliance status – Compliance Status of the device. For example, IsCompliant: True or False.
  • Device Display Name – Device display name as it shows in Entra ID. For example Cloudinfra-net1
  • Any Authentication Failure Reason: If you want to find out the reason for an authentication failure, you can check this information.
  • IP Address – The device IP Address is also recorded in sign-in logs and retrievable.
  • Client App Used – Check if a thick or thin client is used to log on to Entra ID. This could be a Browser app, Outlook app, Mobile app, or Desktop client.

1. Get Last Login Date/Time from Entra admin center

To obtain the last login date and time information from Entra admin center, please follow these steps:

  • Sign in to the Entra admin center > Users > All users.
  • Click on the the user for which you want to find Sign-in information.
  • Click on Sign-in logs on the left-hand side.
  • To identify the most recent log entry, look at the top of the list and check the Date column, which displays the user’s last sign-in date-timestamp.
Get the Last Login Date/Time Information from Entra admin center
Get the Last Login Date/Time Information from Entra admin center

2. Get Last Login Date/Time Using Powershell [For One Entra ID User]

Checking the Last Login Information for one single Entra ID user through the Entra admin center is straightforward. However, GUI is not the fastest way to get the data. Therefore, we will now retrieve last login date and time information for a user using Powershell.

Before running Get-AzureADAuditSignInLogs PowerShell cmdlet, you must install the Azure AD Preview PS module and connect to Entra ID. Let’s check the steps:

Install AzureADpreview powershell module

Install-module -name AzureADpreview -Scope CurrentUser

Connect to Entra ID/AzureAD

Connect-AzureAD

Get the Last Login date time of an Entra ID user

To get the last login date and time of an Entra ID user, use below powershell command. Replace the userprincipalname (UPN) value to your organization user’s UPN value and execute the command. You will get UserDisplayName and CreatedDateTime values. CreatedDateTime value represents User’s Sign in date/timestamp.

Get the Last Login date time of an Entra ID user

Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName,'adelev@cloudinfra.net')" -top 1 | Select UserDisplayName, CreatedDateTime
Get the Last Login Date/Time Information Using Powershell
Get the Last Login Date/Time Information Using Powershell

3. Export Last Login Date/Time of Entra ID Users to CSV Using Powershell [For a List of Users]

Checking the last login details for a single user with a quick PowerShell command is easy. You can also fetch the last login date and time information for a list of users in a text file. I have created a powershell script which will loop through each user given in a text file and fetch the sign-in data. In the end, it will export the data in a CSV file.

  • Before running the script, ensure you have installed the AzureADPreview module and connected to Entra ID using the Connect-AzureAD cmdlet.
  • Gather users UPN in a text file. You can utilize Get-MsolUser to get user UPN information.
  • Update $UPNlist variable in the script to point to the path of the text file containing users UPN information. For example:

$UPNlist

$UPNlist = Get-Content <path_of_user_upn_text_file>
  • By default, the exported data is saved in a file named LastLogininfo.csv in the C:\temp directory. However, you can modify the script to store the report in a different location.
  • If a user has never logged in, the lastlogindate column in the report will display Never Logged In to indicate that no previous login activity has been recorded for that user.
  • Copy below powershell code and save it in a file with a .ps1 extension, for example, ExportLastlogin.ps1. Then, execute the script to Export the data.

ExportLastlogin.ps1

<#
.DESCRIPTION
    This script Export users Last Sign in date time from AzureAD.
    Copy the UPNs and provide the path of the text file in $UPNlist 
    variable.
    Author:  Jatin Makhija
    Site:    cloudinfra.net
    Version: 1.0.0
#>
$UPNlist = Get-Content C:\output\upn.txt
$object  = Foreach ($upn in $upnlist) {
  try {
      $signindata = Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName, '$upn')" -top 1
      if ($signindata -eq $Null)
          {
          [PSCustomobject]@{
             UserdisplayName = $upn
             LastLoginDate = "Never Logged in"
          }  
      }
      Else{
           [PSCustomobject]@{
             UserdisplayName = $signindata.UserDisplayName
             LastLoginDate = $signindata.CreatedDateTime
            }
      }
}
      Catch {
        Write-Error $_
      }
}
$object | Export-csv c:\temp\LastLogininfo.csv -NoTypeInformation
  • Here is an example of a report retrieved using the above script.
Export the Last Login Date/Time Information Using Powershell
Export the Last Login Date/Time Information Using Powershell

4. Export Last Login Date/Time to CSV Using Powershell [for All Entra ID Users]

In the previous section, we have learnt the steps to export last login date and time stamp information for a list of Entra ID users given in a text file. Now, we will export this information for All Entra ID users using a powershell script. There are no changes required in the script, but there are some important steps you need to take before executing the script.

  • Before running the script, ensure you have installed the AzureADPreview module and connected to Entra ID using the Connect-AzureAD cmdlet.
  • Install MSOnline Powershell module using Install-module -Name MSOnline.
  • Connect to MSOnline using Connect-MsolService cmdlet.
  • Exported data will be stored in C:\temp\LastLogininfo.csv file. You can change the location in the script if you want to save the report in a different location.
  • If the User has never logged on, the LastLoginDate column will show Never Logged In.
  • Copy below powershell code and save it in a file with a .ps1 extension, for example, ExportLastlogin.ps1. Then, execute the script to Export the date.

ExportLastlogin.ps1

<#
.DESCRIPTION
    This script Export users Last Sign in date time from AzureAD.
    Copy the UPNs and provide the path of the text file in $UPNlist 
    variable.
    Author:  Jatin Makhija
    Site:    cloudinfra.net
    Version: 1.0.0
#>
$allUsers = Get-MsolUser -all
$object  = Foreach ($upn in $allUsers.userprincipalname) {
  try {
      $signindata = Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName, '$upn')" -top 1
      if ($signindata -eq $Null)
          {
          [PSCustomobject]@{
             UserdisplayName = $upn
             LastLoginDate = "Never Logged in"
          }  
      }
      Else{
           [PSCustomobject]@{
             UserdisplayName = $signindata.UserDisplayName
             LastLoginDate = $signindata.CreatedDateTime
            }
      }
}
      Catch {
        Write-Error $_
      }
}
$object | Export-csv c:\temp\LastLogininfo.csv -NoTypeInformation

More Information

1. Get-AzureADAuditSignInLogs is not recognized

You might encounter an error message when retrieving user’s last login information using the Get-AzureADAuditSignInLogs cmdlet or when executing a script that utilizes this cmdlet. The error message you may encounter is as follows:

Get-AzureADAuditSignInLogs : The term 'Get-AzureADAuditSignInLogs' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
+ Get-AzureADAuditSignInLogs
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-AzureADAuditSignInLogs:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Please find below guidance on resolving this error:

  • To resolve the error, install the AzureADPreview PowerShell module on your device. If it’s not already installed, use the Install-module -name AzureADpreview -Scope CurrentUser command.
  • If you encounter any issues, try running the command as an administrator with the -AllowClobber and Force flags like this: Install-Module -Name AzureADPreview -AllowClobber -Force on a PowerShell console.
Get-AzureADAuditSignInLogs is not recognized
Get-AzureADAuditSignInLogs is not recognized
  • To verify whether the AzureADPreview PowerShell module has been successfully installed, run the following command: get-command *azureadaudit* to find out if Get-AzureADAuditSignInLogs cmdlet is available.
  • It’s important to note that even if the AzureADPreview module has been installed successfully, you can still encounter the same error message if you don’t have the necessary permissions to read Entra ID sign-in logs. The error message, Get-AzureADAuditSignInLogs is not recognized may persist due to insufficient permissions to access this specific feature.
  • You can try elevating your permissions to resolve this issue. If possible, grant yourself global administrator rights and test if you still encounter the same error message when using the Get-AzureADAuditSignInLogs cmdlet. Often, this issue can be resolved by having the appropriate administrative privileges to access Entra ID sign-in logs.
Get-AzureADAuditSignInLogs is not recognized
Get-AzureADAuditSignInLogs is not recognized

Conclusion

In this blog post, we’ve covered the steps for exporting the last login information for Entra ID users into a CSV file. You can also list the last login information directly on the PowerShell console for a quick view by removing/commenting Export-CSV cmdlet in the script.

If you encounter any issues, please ensure you’ve connected to AzureAD and the MSOnline service before running the script.

Leave a Comment

Comprehensive Step-by-Step Guides: SetUp/Troubleshooting/Configuring Solutions for Intune, Microsoft 365, Windows 365, PowerShell, Windows, Azure, and other Cloud Technologies.

About the author
Contact Us
Privacy Policies
Comment Policies
Cookie Policies

Enter your email address to subscribe to this blog and receive notifications of new posts by email.