Export Last login date of AzureAD/M365 users via Powershell

Recently I got a request to check the last login date and time of a few Azure AD / Microsoft 365 users. This was part of a request where the users' sign-in was allowed but the users had not signed in for a long period of time. This helps me identify whether a user is active or not; the end goal for me is to disable those users who have not signed in for more than 6 months.

In this blog post, we will check different ways to list and export the last login date and time information of Azure AD users. I will be using the PowerShell cmdlet Get-AzureADAuditSignInLogs, which is part of the AzureADPreview PowerShell module. This cmdlet retrieves the sign-in logs of Azure AD users.

Using the PowerShell cmdlet Get-AzureADAuditSignInLogs, you can export all sign-in data for a user. I have listed some of the relevant sign-in properties which we can retrieve using this cmdlet.

  • User’s Object Id – Azure AD User’s Object ID information
  • Last Sign in date and Time – This is the most recent sign-in log date and time information. The property name is CreatedDateTime.
  • User’s Display Name – Display Name information of the user. For example: Jatin Makhija
  • UserPrincipalName – User Principal Name information of the user. For example: jatin.makhija@cloudinfra.net
  • Application Display Name – Which application is being used for authentication. For example: for logging on to a Windows device, it will show as Windows Sign In.
  • Device Id – User will sign-in from a device to authenticate to Azure AD, that device Id will be recorded in the sign-in log.
  • Device Operating system – Device Operating System used for Sign-in. For example: Windows, macOS etc.
  • Device Compliance status – Compliance Status of the device. For example: IsCompliant: True or False.
  • Device Display Name – Device display name as it shows in Azure AD. For example: Cloudinfra-net1
  • Any Authentication Failure reason – If you want to find out the reason for an authentication failure, you can check this information.
  • IP Address – Device IP Address is also recorded in Sign-in logs which is also retrievable.
  • Client App Used – To check if a thick client or thin client is used for logging on to Azure AD. This could be a Browser app or Outlook App etc. For example: Mobile Apps and Desktop clients

Find Last Login Info of an Azure AD / Microsoft 365 User using Microsoft Entra admin center

I will be using the Microsoft Entra admin center for this step. However, you can also use the Microsoft Azure Portal and then go to Azure Active Directory to check the sign-in logs of a user and retrieve the last login date and time info. Both provide the same interface and data.

  • Log in to the Microsoft Entra admin center
  • Under Identity, go to Users > All users
  • Click on a user to check Last Login information
  • Click on Sign-in logs on the left-hand side

You can check the most recent log, which is at the top, and check the Date column, which shows when the last sign-in for this user was.

Check Last Login Information of Azure AD user using Microsoft Entra admin center

Check Last Login Info of an Azure AD / Microsoft 365 User using Powershell

As you have seen, it's easy to check the last login information for a user from the Microsoft Entra admin center. However, if you want to check the last login information for 1000s of users, using the GUI to check this information becomes an impossible task.

We will first check how to retrieve the last login information of a user using PowerShell, then we will move on to how to export the last login information of users listed in a text file, and finally how to export the last login information of all Azure AD users.

There are a few prerequisites before running the Get-AzureADAuditSignInLogs PowerShell cmdlet. You will need to install the AzureADPreview module first, which contains this cmdlet. Then connect to Azure AD using administrator credentials that have the rights to retrieve Azure AD users' sign-in data. Let's check the steps:

Open a PowerShell console as administrator and run the commands below. If you already have the AzureADPreview module installed on your device, you can move to the next step.

Install AzureADpreview powershell module

Install-module -name AzureADpreview

Connect to Azure Active Directory

Connect-AzureAD

Find Last Login date time of an Azure AD user using powershell

Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName,'adelev@cloudinfra.net')" -top 1 | Select UserDisplayName, CreatedDateTime

Export Last Login Info of list of Azure AD / Microsoft 365 Users using Powershell

Checking the last login info for a single user using PowerShell is quick and easy with the one-liner command we have seen in the previous section. However, if you have a list of users for which you want to check the last login date and time information and export it to a CSV file, you can follow the steps below:

  • Make sure to install the AzureADPreview module and then connect to Azure AD using the Connect-AzureAD cmdlet before running the script.
  • Get the users' UserPrincipalNames and copy them into a text file – You can use the Get-MsolUser command to retrieve the User Principal Names of the users.
  • Update the $UPNlist variable and provide the path of the text file. For example: $UPNlist = Get-Content <path of User’s UPN text file>
  • Exported data will be stored in the C:\temp\LastLogininfo.csv file. You can change the location in the script if you want to save the report in a different location.
  • If a user has never logged on, the LastLoginDate column will show “Never Logged in”.
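
<#
.DESCRIPTION
    This script exports users' last sign-in date and time from Azure AD.
    Copy the UPNs into a text file and provide its path in the $UPNlist
    variable.
    Author:  Jatin Makhija
    Site:    cloudinfra.net
    Version: 1.0.0
#>
# Requires the AzureADPreview module and an active Connect-AzureAD session.
# Read one UPN per line, skipping blank lines.
$UPNlist = Get-Content C:\output\upn.txt | Where-Object { $_.Trim() }
$object = foreach ($upn in $UPNlist) {
    try {
        # Double any single quote so a UPN containing ' does not break the filter string.
        $filterUpn = $upn.Trim().Replace("'", "''")
        # Ask for one sign-in record for this user.
        $signindata = Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName, '$filterUpn')" -Top 1
        if ($null -eq $signindata) {
            # No sign-in record was returned for this UPN.
            [PSCustomObject]@{
                UserdisplayName = $upn
                LastLoginDate   = "Never Logged in"
            }
        }
        else {
            [PSCustomObject]@{
                UserdisplayName = $signindata.UserDisplayName
                LastLoginDate   = $signindata.CreatedDateTime
            }
        }
    }
    catch {
        # Report the failure and continue with the next UPN.
        Write-Error $_
    }
}
# Write the report; the C:\temp folder must already exist.
$object | Export-Csv C:\temp\LastLogininfo.csv -NoTypeInformation
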
Export Last Login Info of list of Azure AD Users into a CSV File using Powershell

Export Last Login Info of All Azure AD / Microsoft 365 Users using Powershell

Previously we saw how to export the last login information for a list of Azure AD users in a text file. Now, we will see how to export the last login information of all Azure AD users using the PowerShell script below. A few points to note before executing this script:

  • Make sure to install the AzureADPreview module (Install-module -name AzureADpreview) and then connect to Azure AD using the Connect-AzureAD cmdlet before running the script.
  • Make sure to install the MSOnline PowerShell module using Install-module -Name MSOnline and then connect to MSOnline using the Connect-MsolService cmdlet.
  • Exported data will be stored in the C:\temp\LastLogininfo.csv file. You can change the location in the script if you want to save the report in a different location.
  • If a user has never logged on, the LastLoginDate column will show “Never Logged in”.
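
<#
.DESCRIPTION
    This script exports the last sign-in date and time of all users
    from Azure AD. The user list comes from Get-MsolUser, so no
    UPN text file is needed.
    Author:  Jatin Makhija
    Site:    cloudinfra.net
    Version: 1.0.0
#>
# Requires AzureADPreview (Connect-AzureAD) and MSOnline (Connect-MsolService) sessions.
$allUsers = Get-MsolUser -All
$object = foreach ($upn in $allUsers.UserPrincipalName) {
    try {
        # Double any single quote so a UPN containing ' does not break the filter string.
        $filterUpn = $upn.Replace("'", "''")
        # Ask for one sign-in record for this user.
        $signindata = Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName, '$filterUpn')" -Top 1
        if ($null -eq $signindata) {
            # No sign-in record was returned for this UPN.
            [PSCustomObject]@{
                UserdisplayName = $upn
                LastLoginDate   = "Never Logged in"
            }
        }
        else {
            [PSCustomObject]@{
                UserdisplayName = $signindata.UserDisplayName
                LastLoginDate   = $signindata.CreatedDateTime
            }
        }
    }
    catch {
        # Report the failure and continue with the next user.
        Write-Error $_
    }
}
# Write the report; the C:\temp folder must already exist.
$object | Export-Csv C:\temp\LastLogininfo.csv -NoTypeInformation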
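
The review step that the goal of this post calls for (finding users with no sign-in for more than 6 months), as an added example that is not part of the original scripts: it reads rows in the two-column layout the exports write and lists accounts to review before disabling. The function name Get-StaleAccount, the sample rows and the ISO 8601 timestamp format are assumptions; a “Never Logged in” row only means the query returned no record, and the sign-in log reaches back only as far as the tenant's log retention period, so such rows are reported under their own reason.

```powershell
# Added example: flag accounts for review from the exported report.
# Constructed sample rows in the two-column layout the export scripts write.
# Assumption: LastLoginDate holds an ISO 8601 UTC timestamp.
$sampleCsv = @'
"UserdisplayName","LastLoginDate"
"Adele Vance","2024-05-02T08:15:44Z"
"Alex Wilber","2023-09-17T13:02:10Z"
"svc.scanner@cloudinfra.net","Never Logged in"
"Test User","17/09/2023 ??"
'@

function Get-StaleAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [datetime] $AsOf = [datetime]::UtcNow,
        [int] $Months = 6
    )
    $cutoff = $AsOf.AddMonths(-$Months)
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal -bor
              [Globalization.DateTimeStyles]::AdjustToUniversal
    foreach ($row in $Rows) {
        [datetime] $last = [datetime]::MinValue
        $reason = $null
        if ($row.LastLoginDate -eq 'Never Logged in') {
            # No record came back from the sign-in log query for this user.
            $reason = 'NoSignInRecord'
        }
        elseif (-not [datetime]::TryParse($row.LastLoginDate,
                [cultureinfo]::InvariantCulture, $styles, [ref] $last)) {
            # Do not guess at a malformed date; send it to manual review.
            $reason = 'UnparsedDate'
        }
        elseif ($last -lt $cutoff) {
            $reason = 'Inactive'
        }
        if ($reason) {
            [pscustomobject]@{
                UserdisplayName = $row.UserdisplayName
                LastLoginDate   = $row.LastLoginDate
                Reason          = $reason
            }
        }
    }
}

# Fixed reference date so the sample is reproducible; omit -AsOf to use the current time.
$rows = $sampleCsv | ConvertFrom-Csv
Get-StaleAccount -Rows $rows -AsOf ([datetime]'2024-06-01') | Format-Table -AutoSize
```

To run it against a real report, replace the sample with Import-Csv C:\temp\LastLogininfo.csv and check that the date format in your export parses as expected.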

Get-AzureADAuditSignInLogs is not recognized

You may get an error message when trying to retrieve the last login info of a user using the Get-AzureADAuditSignInLogs cmdlet, or when you run a script which includes this cmdlet. Below is the error message which you may get:

Get-AzureADAuditSignInLogs : The term 'Get-AzureADAuditSignInLogs' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:1 char:1
+ Get-AzureADAuditSignInLogs
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-AzureADAuditSignInLogs:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

The error can be easily fixed. Please go through the points below and make sure to address each one to fix the issue.

  • Make sure you have installed the AzureADPreview PowerShell module on your device. If you have already installed this module using the Install-module -name AzureADpreview command, you can also try Install-module -name AzureADpreview -Allowclobber -force in a PowerShell console launched as administrator.
Install-module -name AzureADpreview -Allowclobber -force
  • To check and confirm that the AzureADPreview PowerShell module has been installed successfully, you can run get-command *azureadaudit* to find out if the Get-AzureADAuditSignInLogs cmdlet is available.
  • You can still get this error message even after the AzureADPreview module has been installed successfully. The error message is caused by a permission issue: if you do not have the rights to read Azure AD sign-in logs, the error message will still be the same, “Get-AzureADAuditSignInLogs is not recognized…..”
  • Elevate your permissions to test it and, if possible, raise your admin rights to global administrator and then test whether you still see the same error message.
Get-AzureADAuditSignInLogs is not recognized

Conclusion

In this blog post, we have seen how to export the last login information for Azure AD users to a CSV file. You can also list the last login information on the PowerShell console for a quick view by removing the Export-csv cmdlet from the script. I have created and tested this script and it is working fine. If you face any issues, please check and make sure that you have connected to the AzureAD and MSOnline services first.
