public/Get-msgSignIns.ps1

<#
    .DESCRIPTION
    Get an audit log of authentication attempts
 
    .PARAMETER all
    Specifiy to return all logs
 
    .PARAMETER top
    Specify a number of logs to return.
 
    .EXAMPLE
    Get-msgSignIns -top 100
 
    Get only the top 100 or other specified number of available sign in logs.
 
    .EXAMPLE
    Get-msgSignIns -all
 
    Get all available sign in logs. Depending on retention this can take a very long time or never end.
 
    .NOTES
    Requires Azure AD licensing
 
    .Link
    https://github.com/TheTaylorLee/AdminToolbox
#>


function Get-msgSignIns {

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true, ParameterSetName = "all")][switch]$all,
        [Parameter(Mandatory = $true, ParameterSetName = "top")][int]$top
    )

    #Confirm pre-requisites are met.
    Test-MSGraphRequirements -scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

    #Output sign in logs
    if ($all) {
        Get-MgAuditLogSignIn -All -Property * |
        Select-Object UserDisplayName, UserId, UserPrincipalName, UserType, AppDisplayName, AppId, AppliedConditionalAccessPolicies, AuthenticationContextClassReferences, AuthenticationDetails,
        @{ Name = "AuthenticationMethodsUsed"; Expression = { $_.AuthenticationMethodsUsed -join “; ” } },
        @{ Name = "AuthenticationProcessingDetails"; Expression = { $_.AuthenticationProcessingDetails -join “; ” } },
        AuthenticationProtocol, AuthenticationRequirement,
        @{ Name = "AuthenticationRequirementPolicies"; Expression = { $_.AuthenticationRequirementPolicies -join “; ” } },
        AutonomousSystemNumber, AzureResourceId, ClientAppUsed, ClientCredentialType, ConditionalAccessStatus, CorrelationId, CreatedDateTime, CrossTenantAccessType, DeviceDetail, FederatedCredentialId, FlaggedForReview, HomeTenantId, HomeTenantName, IPAddress, IPAddressFromResourceProvider, Id, IncomingTokenType, IsInteractive, IsTenantRestricted, Location, MfaDetail,
        @{ Name = "NetworklocationDetails"; Expression = { $_.NetworklocationDetails -join “; ” } },
        OriginalRequestId, PrivateLinkDetails, ProcessingTimeInMilliseconds, ResourceDisplayName, ResourceId, ResourceServicePrincipalId, ResourceTenantId, RiskDetail,
        @{ Name = "RiskEventTypesV2"; Expression = { $_.RiskEventTypesV2 -join “; ” } },
        RiskLevelAggregated, RiskLevelDuringSignIn, RiskState, ServicePrincipalCredentialKeyId, ServicePrincipalCredentialThumbprint, ServicePrincipalId, ServicePrincipalName,
        @{ Name = "sessionlifetimepolicies"; Expression = { $_.sessionlifetimepolicies -join “; ” } },
        @{ Name = "SignInEventTypes"; Expression = { $_.SignInEventTypes -join “; ” } },
        SignInIdentifier, SignInIdentifierType, Status, TokenIssuerName, TokenIssuerType, UniqueTokenIdentifier, UserAgent,
        AdditionalProperties
    }

    if ($top) {
        Get-MgAuditLogSignIn -top $top -Property * |
        Select-Object UserDisplayName, UserId, UserPrincipalName, UserType, AppDisplayName, AppId, AppliedConditionalAccessPolicies, AuthenticationContextClassReferences, AuthenticationDetails,
        @{ Name = "AuthenticationMethodsUsed"; Expression = { $_.AuthenticationMethodsUsed -join “; ” } },
        @{ Name = "AuthenticationProcessingDetails"; Expression = { $_.AuthenticationProcessingDetails -join “; ” } },
        AuthenticationProtocol, AuthenticationRequirement,
        @{ Name = "AuthenticationRequirementPolicies"; Expression = { $_.AuthenticationRequirementPolicies -join “; ” } },
        AutonomousSystemNumber, AzureResourceId, ClientAppUsed, ClientCredentialType, ConditionalAccessStatus, CorrelationId, CreatedDateTime, CrossTenantAccessType, DeviceDetail, FederatedCredentialId, FlaggedForReview, HomeTenantId, HomeTenantName, IPAddress, IPAddressFromResourceProvider, Id, IncomingTokenType, IsInteractive, IsTenantRestricted, Location, MfaDetail,
        @{ Name = "NetworklocationDetails"; Expression = { $_.NetworklocationDetails -join “; ” } },
        OriginalRequestId, PrivateLinkDetails, ProcessingTimeInMilliseconds, ResourceDisplayName, ResourceId, ResourceServicePrincipalId, ResourceTenantId, RiskDetail,
        @{ Name = "RiskEventTypesV2"; Expression = { $_.RiskEventTypesV2 -join “; ” } },
        RiskLevelAggregated, RiskLevelDuringSignIn, RiskState, ServicePrincipalCredentialKeyId, ServicePrincipalCredentialThumbprint, ServicePrincipalId, ServicePrincipalName,
        @{ Name = "sessionlifetimepolicies"; Expression = { $_.sessionlifetimepolicies -join “; ” } },
        @{ Name = "SignInEventTypes"; Expression = { $_.SignInEventTypes -join “; ” } },
        SignInIdentifier, SignInIdentifierType, Status, TokenIssuerName, TokenIssuerType, UniqueTokenIdentifier, UserAgent,
        AdditionalProperties
    }
}