Microsoft.Entra.Reports-Help.xml
<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml" xmlns="http://msh"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-EntraAuditDirectoryLog</command:name> <command:verb>Get</command:verb> <command:noun>EntraAuditDirectoryLog</command:noun> <maml:description> <maml:para>Get directory audit logs.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>The `Get-EntraAuditDirectoryLog` cmdlet gets a Microsoft Entra ID audit log.</maml:para> <maml:para>Retrieve audit logs from Microsoft Entra ID, covering logs from various services such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-EntraAuditDirectoryLog</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Management.Automation.SwitchParameter</command:parameterValue> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para>
</maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para>`Get-EntraAuditDirectoryLogs` is an alias for `Get-EntraAuditDirectoryLog`.</maml:para> </maml:alert> </maml:alertSet> <command:examples>
<command:example> <maml:title>------------------- Example 1: Get all logs -------------------</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditDirectoryLog -All

Id                                             ActivityDateTime    ActivityDisplayName                     Category              CorrelationId
--                                             ----------------    -------------------                     --------              -------------
Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 17/07/2024 08:55:34 Add service principal                   ApplicationManagement aaaa0000-bb11-2222-33cc-444444dddddd
Directory_bbbbbbbb-1111-2222-3333-cccccccccccc 17/07/2024 07:31:54 Update user                             UserManagement        bbbb1111-cc22-3333-44dd-555555eeeeee
SSGM_cccccccc-2222-3333-4444-dddddddddddd      17/07/2024 07:13:08 GroupsODataV4_GetgroupLifecyclePolicies GroupManagement       cccc2222-dd33-4444-55ee-666666ffffff</dev:code>
<dev:remarks> <maml:para>This command gets all audit logs.</maml:para> </dev:remarks> </command:example>
<command:example> <maml:title>----------------- Example 2: Get first n logs -----------------</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditDirectoryLog -Top 1

Id                                                             ActivityDateTime    ActivityDisplayName   Category              CorrelationId                        LoggedByService
--                                                             ----------------    -------------------   --------              -------------                        -------
Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb_8IAPT_617717139 17/07/2024 08:55:34 Add service principal ApplicationManagement aaaa0000-bb11-2222-33cc-444444dddddd Core...</dev:code>
<dev:remarks> <maml:para>This example returns the first N logs.</maml:para> </dev:remarks> </command:example>
<command:example> <maml:title>Example 3: Get audit logs containing a given ActivityDisplayName</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditDirectoryLog -Filter "ActivityDisplayName eq 'Update rollout policy of feature'" -Top 1

Id                                                     ActivityDateTime    ActivityDisplayName              Category       CorrelationId
--                                                     ----------------    -------------------              --------       -------------
Application Proxy_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 16/07/2024 05:13:49 Update rollout policy of feature Authentication aaaa0000-bb11-2222-33cc-444444dddddd</dev:code>
<dev:remarks> <maml:para>This command shows how to get audit logs by ActivityDisplayName.</maml:para> </dev:remarks> </command:example>
<command:example> <maml:title>------ Example 4: Get all audit logs with a given result ------</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditDirectoryLog -Filter "result eq 'failure'" -All</dev:code>
<dev:remarks> <maml:para>This command shows how to get audit logs by the result.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks /> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-EntraAuditSignInLog</command:name> <command:verb>Get</command:verb> <command:noun>EntraAuditSignInLog</command:noun> <maml:description> <maml:para>Get audit logs of sign-ins.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>The `Get-EntraAuditSignInLog` cmdlet gets the Microsoft Entra ID sign-in log.</maml:para> <maml:para>In addition to delegated permissions, the signed-in user must belong to at least one of the following Microsoft Entra roles to read sign-in reports:</maml:para> <maml:para>- Global Reader</maml:para> <maml:para>- Reports Reader</maml:para> <maml:para>- Security Administrator</maml:para> <maml:para>- Security Operator</maml:para> <maml:para>- Security Reader</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-EntraAuditSignInLog</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Id"> <maml:name>SignInId</maml:name> <maml:description> <maml:para>Specifies the unique ID of the Audit Log.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False"
position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. 
Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Id"> <maml:name>SignInId</maml:name> <maml:description> <maml:para>Specifies the unique ID of the Audit Log.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Management.Automation.SwitchParameter</command:parameterValue> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True
(ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para>`Get-EntraAuditSignInLogs` is an alias for `Get-EntraAuditSignInLog`.</maml:para> </maml:alert> </maml:alertSet> <command:examples>
<command:example> <maml:title>------------------- Example 1: Get all logs -------------------</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditSignInLog -All

Id                                   AppDisplayName                    AppId                                AppTokenProtectionStatus AuthenticationMethodsUsed AuthenticationProtocol
--                                   --------------                    -----                                ------------------------ ------------------------- ----------------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Azure Active Directory PowerShell 00001111-aaaa-2222-bbbb-3333cccc4444                          {}                        none
bbbbbbbb-1111-2222-3333-cccccccccccc Azure Portal                      11112222-bbbb-3333-cccc-4444dddd5555                          {}                        none
cccccccc-2222-3333-4444-dddddddddddd Azure Active Directory PowerShell 22223333-cccc-4444-dddd-5555eeee6666                          {}                        none
dddddddd-3333-4444-5555-eeeeeeeeeeee Azure Active Directory PowerShell 33334444-dddd-5555-eeee-6666ffff7777                          {}                        none</dev:code>
<dev:remarks> <maml:para>This example returns all audit logs of sign-ins.</maml:para> </dev:remarks> </command:example>
<command:example> <maml:title>-------------- Example 2: Get the first two logs --------------</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditSignInLog -Top 2

Id                                   AppDisplayName                    AppId                                AppTokenProtectionStatus AuthenticationMethodsUsed AuthenticationProtocol
--                                   --------------                    -----                                ------------------------ ------------------------- ----------------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Azure Active Directory PowerShell 00001111-aaaa-2222-bbbb-3333cccc4444                          {}                        none
bbbbbbbb-1111-2222-3333-cccccccccccc Azure Portal                      11112222-bbbb-3333-cccc-4444dddd5555                          {}                        none</dev:code>
<dev:remarks> <maml:para>This example returns the first two audit logs of sign-ins.</maml:para> </dev:remarks> </command:example>
<command:example> <maml:title>- Example 3: Get audit logs containing a given AppDisplayName -</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditSignInLog -Filter "AppDisplayName eq 'Graph Explorer'" -Top 1

Id                                   AppDisplayName            AppId                                AppTokenProtectionStatus AuthenticationMethodsUsed AuthenticationProtocol
--                                   --------------            -----                                ------------------------ ------------------------- ----------------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Graph Explorer PowerShell 00001111-aaaa-2222-bbbb-3333cccc4444</dev:code>
<dev:remarks> <maml:para>This example demonstrates how to retrieve sign-in logs by AppDisplayName.</maml:para> </dev:remarks> </command:example>
<command:example> <maml:title>-------- Example 4: Get all sign-in logs between dates --------</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
Get-EntraAuditSignInLog -Filter "createdDateTime ge 2024-07-01T00:00:00Z and createdDateTime le 2024-07-14T23:59:59Z"</dev:code>
<dev:remarks> <maml:para>This example shows how to retrieve sign-in logs between dates.</maml:para> </dev:remarks> </command:example>
<command:example> <maml:title>---------- Example 5: List failed sign-ins for a user ----------</maml:title>
<dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
$failedSignIns = Get-EntraAuditSignInLog -Filter "userPrincipalName eq 'SawyerM@contoso.com' and status/errorCode ne 0"
$failedSignIns | Select-Object UserPrincipalName, CreatedDateTime, Status, IpAddress, ClientAppUsed | Format-Table -AutoSize</dev:code>
<dev:remarks> <maml:para>This example demonstrates how to retrieve failed sign-ins for a user.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks /> </command:command> </helpItems>