Get-MgBetaAuditLogSignIn not returning non-interactive signins #2753

Closed
sarta-vestas opened this issue May 22, 2024 · 6 comments
Labels
Blocked type:bug A broken experience

Comments

@sarta-vestas

### Describe the bug

The cmdlet `Get-MgBetaAuditLogSignIn` has stopped returning any results for non-interactive signins:

```powershell
Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t: t ne 'interactiveUser'))" -Sort "createdDateTime DESC" -Top 10
```

### Expected behavior

It is expected to have results, the same way it has been working up until now...
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.reports/get-mgbetaauditlogsignin?view=graph-powershell-beta#example-3-retrieve-the-first-10-sign-ins-where-the-signineventtype-is-not-interactiveuser-starting-with-the-latest-sign-in

### How to reproduce

```powershell
Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t: t ne 'interactiveUser'))" -Sort "createdDateTime DESC" -Top 10
```

### SDK Version

2.19.0

### Latest version known to work for scenario above?

_No response_

### Known Workarounds

The same works using `Invoke-MgGraphRequest`.

### Debug output

### Configuration

- Windows
- PowerShell 5.1

### Other information

_No response_

@sarta-vestas added the status:waiting-for-triage and type:bug labels May 22, 2024

@SeniorConsulting

Hi Sarta-vestas

I remember trying this a few years ago, and it didn't work for non-interactive logs. I don't think this has been updated to include non-interactive logs (when I look at the API itself):
https://learn.microsoft.com/en-us/graph/api/signin-get?view=graph-rest-1.0&tabs=http

> Sign-ins that are interactive in nature (where a username/password is passed as part of auth token) and successful federated sign-ins are currently included in the sign-in logs.

@SeniorConsulting

The way I worked around this historically was to ingest the non-interactive logs into a log analytics workspace, and then use KQL to query that. There may be more clever ways to do this, but the reason for sharing is because I seem to recall having the same issue, and came to this solution.

After connecting to Az, I went ahead and did the following:

```powershell
# Select the subscription that holds the Log Analytics workspace.
Set-AzContext -Subscription "MySubscriptionName"
$WorkspaceName = "The Name of my log analytics workspace"
$WorkspaceRG = "The name of the resource group which my LAW is in"
# Invoke-AzOperationalInsightsQuery takes the workspace (customer) ID, not its name.
$WorkspaceID = (Get-AzOperationalInsightsWorkspace -Name $WorkspaceName -ResourceGroupName $WorkspaceRG).CustomerId

# KQL: count non-interactive sign-ins per user.
$NonInteractiveQuery = "AADNonInteractiveUserSignInLogs
| summarize Count=count() by UserPrincipalName"

$NonInteractiveResults = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $NonInteractiveQuery).Results
```

Obviously, that query is rather specific to me, where I was wanting to see how many times each person was signing in, so you'd need to use a KQL query which works for you. Or, there may yet be another solution available. I just figured I would give at least one alternative :)

@sarta-vestas

Thanks for the comments.

But I must say that this has worked for several months and it is only recently that it has stopped working. See others experiencing the same, for example here: https://www.reddit.com/r/Office365/comments/1cxcd6g/microsoft_graph_changes_in_beta_functions/

I know this is the Beta but it is even documented by Microsoft.

@petrhollayms added the Blocked label and removed the status:waiting-for-triage label May 27, 2024

@noodlemctwoodle

I have tested this using Invoke-RequestMethod and I am unable to return any records that are not interactiveUser

```json
"signInEventTypes": [
    "interactiveUser"
],
```

I have tested both with and without filtering.

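```powershell
# $baseUri and $accessToken are set earlier in the poster's session (not shown).
$filter = "?`$filter=(signInEventTypes/any(t: t ne 'interactiveUser'))"

# The filter is commented out here; append it to test the filtered request.
$EntraUri = $baseUri + "/beta/auditLogs/signins"# + $filter

$headers = @{
    Authorization = "Bearer $accessToken"
}

$response = Invoke-RestMethod -Uri $EntraUri -Headers $headers -Method Get

# Trailing pipes keep the pipeline valid in Windows PowerShell 5.1.
$response.value |
  Select-Object createdDateTime, userPrincipalName, authenticationRequirement, appDisplayName, clientAppUsed, resourceId, signInEventTypes |
  ConvertTo-Json |
  Out-File "C:\temp\LogsauditLogs.json"
```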

This doesn't appear to work in Microsoft Graph Explorer either. :(

@sarta-vestas

That works totally fine on my end.
And actually I can see `Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t: t ne 'interactiveUser'))"` has started to work again as well...

@noodlemctwoodle

noodlemctwoodle commented May 30, 2024

> That works totally fine on my end. And actually I can see `Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t: t ne 'interactiveUser'))"` has started to work again as well...

I believe a fix was rolled out by the Graph Team, I can also confirm it is working for me today.

```powershell
Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t: t eq 'nonInteractiveUser'))" -top 1 | fl
```
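
For a period the thread describes, the filtered query returned nothing or only `interactiveUser` records, which a scheduled export would silently accept. The following is an added example, not code from this thread or from the SDK: a check that flags such a result set before it is trusted for monitoring. `Test-SignInEventCoverage` is a hypothetical helper and the sample records are constructed.

```powershell
# Added example. Test-SignInEventCoverage is a hypothetical helper, not an SDK cmdlet.
function Test-SignInEventCoverage {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $SignIn,
        [string] $ExcludedType = 'interactiveUser'
    )
    # Tally records per signInEventTypes value (one record can carry several).
    $counts = @{}
    foreach ($record in $SignIn) {
        foreach ($type in @($record.signInEventTypes)) {
            if ($null -ne $type) { $counts[$type] = 1 + [int]$counts[$type] }
        }
    }
    # A record satisfies any(t: t ne '<excluded>') only if it has another type.
    $violations = @($SignIn | Where-Object {
        -not (@($_.signInEventTypes) | Where-Object { $_ -and $_ -ne $ExcludedType })
    })
    [pscustomobject]@{
        Total            = $SignIn.Count
        CountByType      = $counts
        FilterViolations = $violations.Count
        # Nothing returned, or only the excluded type: treat as a collection gap.
        SuspectedGap     = ($SignIn.Count -eq 0) -or ($violations.Count -eq $SignIn.Count)
    }
}

# Constructed samples shaped like the "value" array of /beta/auditLogs/signins.
$onlyInteractive = @'
[
  {"userPrincipalName": "a@contoso.example", "signInEventTypes": ["interactiveUser"]},
  {"userPrincipalName": "b@contoso.example", "signInEventTypes": ["interactiveUser"]}
]
'@ | ConvertFrom-Json
$filtered = @'
[
  {"userPrincipalName": "a@contoso.example", "signInEventTypes": ["nonInteractiveUser"]},
  {"userPrincipalName": "svc@contoso.example", "signInEventTypes": ["servicePrincipal"]}
]
'@ | ConvertFrom-Json

Test-SignInEventCoverage -SignIn $onlyInteractive   # the state reported in this issue
Test-SignInEventCoverage -SignIn $filtered          # what the filter should return
```

For live data, pass the `value` array of the response returned by the cmdlet or by the `Invoke-MgGraphRequest` workaround mentioned in the issue.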
