I am trying to get a list of user sign-ins for the last 30 days by security/user group. I looked at the Azure sign-in audit logs, but I can only filter by IP or by user name one at a time. I would like to know whether there is a way to filter by group, or whether there is a PowerShell script that can filter sign-ins over the past 30 days for all users in a specific user group.
I tried the Azure sign-in logs, but they can only be filtered by user, and I want to filter by user group. I have a PowerShell script that lists all users in a group, but I need to be able to see each user's successful sign-ins over the past 30 days.
I tried the following PowerShell script:
Before running the script, you need permission to query groups and group members, as well as permission to read users.
For this I created an application with all the required permissions, such as the User.Read.All, Group.Read.All and GroupMember.Read.All application permissions, for use with the AppId.
Now that the application has the required permissions, use the application ID with the following script to query the sign-in logs of the users of a specific group within 30 days.
PowerShell:
# Requires the AzureADPreview module (Get-AzureADAuditSignInLogs) and the permissions listed above.
# <groupObjectId> and 'xxx' are placeholders for the group object ID and the application ID.
$groupusers = Get-AzureADGroupMember -ObjectId "<groupObjectId>"
# Time window in ISO 8601 ('o') format; change -1 to -30 for the 30-day window from the question.
$startDate = (Get-Date).AddDays(-1).ToString('o')
$endDate = (Get-Date).ToString('o')
foreach ($userMember in $groupusers)
{
    $userDN = $userMember.DisplayName
    # OData filter passed through to the Graph signIns endpoint (note the space before 'and')
    $logs = Get-AzureADAuditSignInLogs -Filter "appId eq 'xxx' and createdDateTime ge $startDate and createdDateTime le $endDate and userDisplayName eq '$userDN'"
    $logs | Select-Object UserDisplayName, CreatedDateTime
}
Output:
UserDisplayName CreatedDateTime
--------------- ---------------
User 1 2023-03-28T10:16:25Z
User 2 2023-03-28T10:10:53Z
User 1 2023-03-28T10:09:38Z
User 1 2023-03-28T09:21:46Z
User 2 2023-03-28T09:13:46Z
User 2 2023-03-28T09:13:25Z
User 1 2023-03-28T09:13:17Z
User 1 2023-03-28T09:13:13Z
User 3 2023-03-28T10:16:25Z
Code:
foreach ($userMember in $groupusers)
{
    $userDN = $userMember.DisplayName
    # 'appId' is a placeholder for the application ID
    $logs = Get-AzureADAuditSignInLogs -Filter "appId eq 'appId' and createdDateTime ge $startDate and createdDateTime le $endDate and userDisplayName eq '$userDN'"
    # Emit the full sign-in object first, then only the two columns of interest
    $logs
    $logs | Select-Object UserDisplayName, CreatedDateTime
}
Output:
Id : xxx
CreatedDateTime : 2023-03-28T09:13:13Z
UserDisplayName : MT User 1
UserPrincipalName : xxxx
UserId : xxx06
AppId : xxx
AppDisplayName : appname
IpAddress : xxx.xxx.xxx.xxx
ClientAppUsed : Browser
CorrelationId : 4fx7dxx
ConditionalAccessStatus : notApplied
OriginalRequestId : c1exxx1
IsInteractive : True
TokenIssuerName :
TokenIssuerType : AzureAD
ProcessingTimeInMilliseconds : 157
RiskDetail : none
RiskLevelAggregated : none
RiskLevelDuringSignIn : none
RiskState : none
RiskEventTypes :
ResourceDisplayName : Microsoft Graph
ResourceId : 00000003-0000-0000-c000-000000000000
AuthenticationMethodsUsed : {}
Status : class SignInStatus {
ErrorCode: 50140
FailureReason: This occurred due to 'Keep me signed in' interrupt when the user was signing in.
AdditionalDetails: This is an expected part of the login flow, where a user is asked if they want to remain signed into this browser to make
further logins easier. For more details, see
https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/td-p/xxx
}
DeviceDetail : class SignInAuditLogObjectDeviceDetail {
DeviceId:
DisplayName:
OperatingSystem: xx
Browser: xx
IsCompliant: False
IsManaged: False
TrustType:
}
Location : class SignInAuditLogObjectLocation {
City: Lalapet
State: Telangana
CountryOrRegion: IN
}
MfaDetail :
AppliedConditionalAccessPolicies : {}
AuthenticationProcessingDetails : {class AdditionalDetail {
Key: Root Key Type
Value: Unknown
}
}
NetworkLocationDetails : {}
UserDisplayName : User 1
CreatedDateTime : 2023-03-28T10:16:25Z
UserDisplayName : User 1
CreatedDateTime : 2023-03-28T10:10:53Z
UserDisplayName : User 1
CreatedDateTime : 2023-03-28T10:09:38Z
If needed, you can do the following for all groups:
$AllGroups = Get-AzureADGroup
foreach ($group in $AllGroups)
{
    $groupObj = $group.ObjectId
    $groupusers = Get-AzureADGroupMember -ObjectId "$groupObj"
    # Time window; change -1 to -30 for the last 30 days
    $startDate = (Get-Date).AddDays(-1).ToString('o')
    $endDate = (Get-Date).ToString('o')
    foreach ($userMember in $groupusers)
    {
        $userDN = $userMember.DisplayName
        # 'xxx' is a placeholder for the application ID
        $logs = Get-AzureADAuditSignInLogs -Filter "appId eq 'xxx' and createdDateTime ge $startDate and createdDateTime le $endDate and userDisplayName eq '$userDN'"
        Write-Host "Users belonging to group : " $group.DisplayName
        Write-Host " "
        $logs | Select-Object UserDisplayName, CreatedDateTime
        Write-Host " "
        Write-Host "========= "
    }
}
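The following is an added example, not code from the answer above: it applies the same Get-AzureADGroupMember / Get-AzureADAuditSignInLogs approach to the question as actually asked (a 30-day window, successful sign-ins only), matching members by their unique object ID instead of the display name, and summarising per user. "<groupObjectId>" is a placeholder, and the status/errorCode filter is assumed to be passed through unchanged to the Graph signIns endpoint.

```powershell
# Added example (not from the original answer). Requires the AzureADPreview module
# (Connect-AzureAD already done) and the read permissions described in the answer.
$groupId   = "<groupObjectId>"   # placeholder: the group's ObjectId
$startDate = (Get-Date).AddDays(-30).ToUniversalTime().ToString('o')   # 30-day window, UTC
$endDate   = (Get-Date).ToUniversalTime().ToString('o')

# -All $true so large groups are not truncated; keep only user objects
# (nested groups and service principals have no sign-in entries of their own).
$members = Get-AzureADGroupMember -ObjectId $groupId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

$results = foreach ($member in $members) {
    # userId is unique in the tenant, whereas userDisplayName can collide between users.
    # status/errorCode eq 0 keeps successful sign-ins only (assumed OData pass-through to Graph).
    $filter = "userId eq '$($member.ObjectId)' and createdDateTime ge $startDate " +
              "and createdDateTime le $endDate and status/errorCode eq 0"
    $logs = @(Get-AzureADAuditSignInLogs -Filter $filter -All $true)

    $last = $logs | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
    [PSCustomObject]@{
        UserPrincipalName    = $member.UserPrincipalName
        SuccessfulSignIns    = $logs.Count
        LastSuccessfulSignIn = $last.CreatedDateTime
        LastIpAddress        = $last.IpAddress
        DistinctApps         = ($logs | Select-Object -ExpandProperty AppDisplayName -Unique) -join '; '
    }
}

# Users with zero successful sign-ins in the window show up with an empty LastSuccessfulSignIn,
# which is the quickest way to spot dormant accounts in the group.
$results | Sort-Object LastSuccessfulSignIn -Descending | Format-Table -AutoSize
$results | Export-Csv -Path ".\group-signins-30d.csv" -NoTypeInformation
```

The portal and the Graph signIns endpoint only return what is still retained (30 days with Azure AD Premium, 7 days on the free tier), so a longer history requires forwarding the sign-in logs to a Log Analytics workspace or storage account.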