ConditionalAccessAudit.psm1

<#
.SYNOPSIS
    Gets interactive and noninteractive user sign ins and lists them by conditional access policy.
.DESCRIPTION
    This command will return sign in logs from Graph API for user sign-in events. You can enter the CA Policy ID and/or the CA Policy result and how many days back you'd like to go (up to 30). The default amount of objects returned is 1000 but the "All" switch can be used to return all sign in events from the date range, regardless of how many. WARNING: Using 'All' can take a very long time.
.PARAMETER All
    Returns all sign in events matching the filter criteria instead of the default 1000. WARNING: This could take a very long time depending on sign-in activity frequency.
.EXAMPLE
    PS C:\>$signins = Get-ConditionalAccessAudit -Days 10
    Returns up to 1000 sign in events from the past 10 days.
#>

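function Get-ConditionalAccessAudit {
    # Pulls interactive and non-interactive user sign-ins from Microsoft Graph and
    # emits one row per (sign-in, applied Conditional Access policy) pair, with the
    # policy's id, display name, result and satisfied/unsatisfied conditions
    # flattened into CA_* note properties.
    #
    # Parameters:
    #   -Days  Optional look-back window in days (1-30). When omitted, no date
    #          filter is sent and the service decides the range.
    #   -All   Optional switch; pages through every matching sign-in instead of
    #          the default first page. Can take a long time on busy tenants.
    #
    # Output: copies of the sign-in objects with CA_Id, CA_DisplayName, CA_Result,
    #         CA_ConditionsNotSatisfied and CA_ConditionsSatisfied appended.
    #
    # NOTE(review): a sign-in whose AppliedConditionalAccessPolicies collection is
    # empty produces no row at all, so this output cannot by itself show sign-ins
    # that carried no policy information. Confirm that is acceptable for the audit.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [ValidateRange(1, 30)]
        [int]$Days,

        # The comment-based help documents -All, but it was never declared, so the
        # switch could not be passed. Adding it is backward compatible.
        [Parameter(Mandatory = $false)]
        [switch]$All
    )

    # Read-only audit scope; nothing in this function needs write access.
    Connect-MgGraph -Scopes 'AuditLog.Read.All' > $null

    try {
        # NOTE(review): Select-MgProfile exists only in Microsoft.Graph SDK v1; SDK v2
        # removed it in favour of the Microsoft.Graph.Beta module. It also switches
        # the profile for the whole session, not just for this call.
        Select-MgProfile -Name "beta"

        $filter = "(signInEventTypes/any(t:t eq 'nonInteractiveUser') or signInEventTypes/any(t:t eq 'InteractiveUser'))"

        if ($PSBoundParameters.ContainsKey('Days')) {
            # The literal 'Z' suffix declares UTC, so the timestamps must really be
            # UTC; formatting local time with a 'Z' shifts the audit window by the
            # machine's UTC offset. One clock reading keeps both bounds consistent.
            $windowEnd = (Get-Date).ToUniversalTime()
            $windowStart = $windowEnd.AddDays(-$Days)
            $invariant = [System.Globalization.CultureInfo]::InvariantCulture
            $startText = $windowStart.ToString('yyyy-MM-ddTHH:mmZ', $invariant)
            $endText = $windowEnd.ToString('yyyy-MM-ddTHH:mmZ', $invariant)
            $filter += " and (createdDateTime ge $startText and createdDateTime lt $endText)"
        }

        # Single query: previously an unconditional second call overwrote the
        # result of the -All branch, so -All could never take effect.
        $signIns = Get-MgAuditLogSignIn -Filter $filter -All:$All
    }
    finally {
        # Drop the Graph session even when the query fails, so a failed audit run
        # does not leave an authenticated context behind in the caller's session.
        # Output is discarded so it cannot leak into this function's results.
        Disconnect-MgGraph | Out-Null
    }

    # foreach over $null yields nothing, so an empty result set is returned as
    # "no rows" instead of raising Add-Member errors on a null input object.
    foreach ($signIn in $signIns) {
        foreach ($appliedCAPolicy in $signIn.AppliedConditionalAccessPolicies) {
            $caColumns = [ordered]@{
                CA_Id                     = $appliedCAPolicy.Id
                CA_DisplayName            = $appliedCAPolicy.DisplayName
                CA_Result                 = $appliedCAPolicy.Result
                CA_ConditionsNotSatisfied = $appliedCAPolicy.ConditionsNotSatisfied
                CA_ConditionsSatisfied    = $appliedCAPolicy.ConditionsSatisfied
            }

            # Select-Object * makes a fresh copy per policy, so rows for the same
            # sign-in do not share (and overwrite) each other's CA_* values.
            # Emitting straight to the pipeline avoids the O(n^2) array append.
            $signIn |
                Select-Object -Property * |
                Add-Member -NotePropertyMembers $caColumns -Force -PassThru
        }
    }
}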
# Expose only the audit function from this module; anything else stays private.
Export-ModuleMember -Function 'Get-ConditionalAccessAudit'