Thank you Tony!! 😉

The Status gives a value like this:

$lastsignin.status

AdditionalDetails ErrorCode FailureReason
—————– ——— ————-
MFA requirement satisfied by claim in the token 0 Other.

I think you’ll have to interpret the ErrorCode and output a value like Success, Failed, or Interrupted depending on its value.

Date: xxx
Request ID: xxx-xxx-xxx-xxx-xxx
Correlation ID: xxx-xxx-xxx-xxx-xxx
Authentication requirement :xxx
Status: Success
Continuous access evaluation: No

Even though the Get-MgAuditLogSignIn cmdlet returned the “Status”, I only see the errorCode, failureReason and additionalDetails fields and none of them returned the actual status (Success | Failed | Interrupted).

Is it possible to return the Status of each Sign In the same way I get it from the Azure Sign In Logs portal?

Thanks!

The location for the sign-in is returned in

$lastSignIn.Location

City CountryOrRegion State
—- ————— —–
Dublin IE Dublin

Add whatever property you want to the set included in the report and the job is done.

Thank you for the amazing work.

I’d like to know how can I add the Location to the script.

I’m not sure the API supports retrieval for non-interactive sign-ins. At least, I haven’t seen any documentation to that effect. It looks as if the Get-MgAuditLogSignin cmdlet requires a user id https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.reports/get-mgauditlogsignin?view=graph-powershell-beta

[array]$LastSignIn = Get-MgAuditLogSignIn -Filter “UserId eq ‘$($User.Id)'” -Top 1

Looking at $LastSignIn.AdditionalProperties[“uniqueTokenIdentifier”], I think you’ll see a token if modern authentication. It’s kind of hard for me to know because none of the clients in my tenant use basic authentication.