How to get Azure AD reports using Powershell?

Azure Active Directory (renamed as Entra ID) audit logs (operations) and sign-in logs (authentication data) helps you trace all changes and any sign-in activity done within Azure AD. You can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting. Alternatively, you can use a comprehensive AD auditing solution like ADAudit Plus that will make things simple for you.

This article compares the method of getting Azure AD audit and sign-in logs using Windows PowerShell and ADAudit Plus.

Windows PowerShell

Steps to monitor Azure AD audit and sign-in logs using PowerShell:

To retrieve audit logs within Azure AD we can use the Get-AzureADAuditDirectoryLogs cmdlet.

Audit logs can be retrieved based on parameters such as dates, users, applications or logs containing a particular resource.

    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2020-04-15"

    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/user/displayName eq 'John Doe'"

    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/displayName eq 'Office 365'"

    PS C:\>Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/displayName eq 'Active Directory Example')"

To get reports on sign-in logs in Azure AD, the Get-AzureADAuditSignInLogs cmdlet is used.

Similar parameters such as date, user, location and log with a given status can be retrieved.

    PS C:\>Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2020-04-215"

    PS C:\>Get-AzureADAuditSignInLogs -Filter "userDisplayName eq 'John Doe'"

    PS C:\>Get-AzureADAuditSignInLogs -Filter "appDisplayName eq 'Office 365'"

    PS C:\>Get-AzureADAuditSignInLogs -Filter "location/city eq 'Pleasanton' and location/state eq 'California' and location/countryOrRegion eq 'US'"

    PS C:\>Get-AzureADAuditSignInLogs -Filter "status/errorCode eq 0 -All $true"

ADAudit Plus

To obtain the report,

Log in to the ADAudit Plus web console.
Go to the Reports tab > Azure AD Tab > User Logon Reports.
Under User Logon Reports, you will find the below mentioned reports:
- Logon Activity
- Logon Failures
- Logon Failures due to bad password
- Logon Activity by IP Address
- Hybrid Logon Activity
- Logon Activity by Applications Each of these reports can be further filtered as per your needs.
Select the domain.
Select Export as to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

Screenshot:

The following are the limitations of using Windows PowerShell to generate Azure AD audit and sign-in logs:

We can run the above script only from the computers which have Active Directory Domain Services role.
To change date formats and to apply different time zones on the date results, the script has to be modified or created each time.
It's difficult to export the report in other formats.
Applying more filters, like 'During business hours', 'Period', and 'Export as' will increase the LDAP query complexity.

ADAudit Plus on the other hand will swiftly generate reports by scanning all the DCs and these reports can be exported in multiple formats.

Avoid complex PowerShell-scripting, and simplify AD change auditing with ADAudit Plus.
By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.
Thanks!
Your download is in progress and it will be completed in just a few seconds! If you face any issues, download manually here.

Active Directory auditing

Windows file auditing

NAS device file auditing

Windows server auditing

Workstation auditing

Entra ID auditing

All features →

Help documents

Video zone

Webinars

Product brochures

Case studies

E-books

Awards zone

Study

How tos

Best practices

How to get Azure AD reports using Powershell?

Windows PowerShell

Steps to monitor Azure AD audit and sign-in logs using PowerShell:

ADAudit Plus

To obtain the report,

Related Resources

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

A single pane of glass for complete Active Directory Auditing and Reporting