How do I get Azure sign-ins by user group using PowerShell?

Question (votes: 0, answers: 1)

I am trying to get a list of user sign-ins for the past 30 days by security/user group. I looked at the Azure sign-in audit, but I can only filter by IP or by username one at a time. I want to know whether there is a way to filter by group, or whether there is a PowerShell script that can filter sign-ins over the last 30 days for all users in a specific user group.

I tried using Azure sign-ins, but I can only filter by user and want to filter by user group. I have a PowerShell script to list all users in a group, but I need to be able to see each user's successful sign-ins over the past 30 days.

powershell azure-active-directory
1 answer
0 votes

I tried the following PowerShell script:

Before running the script, you need permission to query groups and group members, as well as permission to read users.

For this, I created an application with all the required permissions, such as the User.Read.All, Group.Read.All and GroupMember.Read.All application permissions, for use with the AppId.

Now that the application has the required permissions, use the application ID with the following script to query the sign-in logs of the users in a specific group for the last 30 days.

PowerShell:

# Requires the AzureADPreview module and an existing session (Connect-AzureAD).
# -All $true: without it only the first page of members is returned.
$groupusers = Get-AzureADGroupMember -ObjectId "<groupObjectId>" -All $true
# Time window for the query: the last 30 days, as ISO 8601 timestamps for the OData filter.
$startDate = (Get-Date).AddDays(-30).ToString('o')
$endDate = (Get-Date).ToString('o')

foreach ($userMember in $groupusers)
{
    $userDN = $userMember.DisplayName
    # Note the space before 'and' after the appId value; the filter is invalid without it.
    # Matching on userDisplayName is fragile (names are not unique and break the filter if they contain a quote);
    # "userId eq '<user objectId>'" is the more robust filter.
    $logs = Get-AzureADAuditSignInLogs -Filter "appId eq 'xxx' and createdDateTime ge $startDate and createdDateTime le $endDate and userDisplayName eq '$userDN'"
    $logs | Select-Object UserDisplayName, CreatedDateTime
}

Output:

UserDisplayName CreatedDateTime     
--------------- ---------------     
 User 1       2023-03-28T10:16:25Z
 User 2       2023-03-28T10:10:53Z
 User 1       2023-03-28T10:09:38Z
 User 1       2023-03-28T09:21:46Z
 User 2       2023-03-28T09:13:46Z
 User 2       2023-03-28T09:13:25Z
 User 1       2023-03-28T09:13:17Z
 User 1       2023-03-28T09:13:13Z
 User 3       2023-03-28T10:16:25Z

  • $logs // use this to output all properties

Code:

foreach ($userMember in $groupusers)
{
    $userDN = $userMember.DisplayName
    # Same query as above; keep the space before 'and' after the appId value.
    $logs = Get-AzureADAuditSignInLogs -Filter "appId eq 'appId' and createdDateTime ge $startDate and createdDateTime le $endDate and userDisplayName eq '$userDN'"
    # Emit the full objects first (all properties), then the two-column summary.
    $logs
    $logs | Select-Object UserDisplayName, CreatedDateTime
}

Output:

Id                               : xxx
CreatedDateTime                  : 2023-03-28T09:13:13Z
UserDisplayName                  : MT User 1
UserPrincipalName                : xxxx
UserId                           : xxx06
AppId                            : xxx
AppDisplayName                   : appname
IpAddress                        : xxx.xxx.xxx.xxx
ClientAppUsed                    : Browser
CorrelationId                    : 4fx7dxx
ConditionalAccessStatus          : notApplied
OriginalRequestId                : c1exxx1
IsInteractive                    : True
TokenIssuerName                  : 
TokenIssuerType                  : AzureAD
ProcessingTimeInMilliseconds     : 157
RiskDetail                       : none
RiskLevelAggregated              : none
RiskLevelDuringSignIn            : none
RiskState                        : none
RiskEventTypes                   : 
ResourceDisplayName              : Microsoft Graph
ResourceId                       : 00000003-0000-0000-c000-000000000000
AuthenticationMethodsUsed        : {}
Status                           : class SignInStatus {
                                     ErrorCode: 50140
                                     FailureReason: This occurred due to 'Keep me signed in' interrupt when the user was signing in.
                                     AdditionalDetails: This is an expected part of the login flow, where a user is asked if they want to remain signed into this browser to make 
                                   further logins easier. For more details, see 
                                   https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/td-p/xxx
                                   }
                                   
DeviceDetail                     : class SignInAuditLogObjectDeviceDetail {
                                     DeviceId: 
                                     DisplayName: 
                                     OperatingSystem: xx
                                     Browser: xx
                                     IsCompliant: False
                                     IsManaged: False
                                     TrustType: 
                                   }
                                   
Location                         : class SignInAuditLogObjectLocation {
                                     City: Lalapet
                                     State: Telangana
                                     CountryOrRegion: IN
                                   }
                                   
MfaDetail                        : 
AppliedConditionalAccessPolicies : {}
AuthenticationProcessingDetails  : {class AdditionalDetail {
                                     Key: Root Key Type
                                     Value: Unknown
                                   }
                                   }
NetworkLocationDetails           : {}

UserDisplayName :  User 1
CreatedDateTime : 2023-03-28T10:16:25Z

UserDisplayName : User 1
CreatedDateTime : 2023-03-28T10:10:53Z

UserDisplayName : User 1
CreatedDateTime : 2023-03-28T10:09:38Z

If needed, you can do the following for all groups:

# -All $true on both cmdlets: the defaults return only the first page of groups / members.
$AllGroups = Get-AzureADGroup -All $true
# Time window for the query: the last 30 days.
$startDate = (Get-Date).AddDays(-30).ToString('o')
$endDate = (Get-Date).ToString('o')

foreach ($group in $AllGroups)
{
    $groupObj = $group.ObjectId
    $groupusers = Get-AzureADGroupMember -ObjectId "$groupObj" -All $true

    Write-Host "Users belonging to group : " $group.DisplayName
    Write-Host "  "

    foreach ($userMember in $groupusers)
    {
        $userDN = $userMember.DisplayName
        # Keep the space before 'and' after the appId value; the filter is invalid without it.
        $logs = Get-AzureADAuditSignInLogs -Filter "appId eq 'xxx' and createdDateTime ge $startDate and createdDateTime le $endDate and userDisplayName eq '$userDN'"
        $logs | Select-Object UserDisplayName, CreatedDateTime

        Write-Host " "
    }

    Write-Host "========= "
}

References:

  1. Get-AzureADAuditSignInLogs (AzureADPreview) | Microsoft Learn
  2. Azure AD PowerShell cmdlets for reporting - Microsoft Entra | Microsoft Learn
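The AzureAD/AzureADPreview modules are being retired in favour of the Microsoft Graph PowerShell SDK, so here is the same group-scoped query written against that SDK as an added example (not part of the answer above). It also covers what the question actually asks for: successful sign-ins only, over the last 30 days, matched by user object ID rather than display name. The group ID, the output file name and the delegated scopes used are assumptions.

```powershell
# Added example: successful sign-ins in the last 30 days for every user in one group,
# using the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed.
# Scopes assumed: AuditLog.Read.All for sign-in logs, Directory.Read.All for group membership.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$GroupId = "<groupObjectId>"   # placeholder: the group's object ID
# Graph expects UTC timestamps in the OData filter.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# -All pages through the whole membership; the default page size silently truncates large groups.
$members = Get-MgGroupMember -GroupId $GroupId -All

$results = foreach ($m in $members) {
    # Membership can include nested groups, devices and service principals; only users have sign-ins.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    # Filter by object ID, not display name: names are not unique and a quote in a name breaks the filter.
    # status/errorCode eq 0 keeps only successful sign-ins (the answer's output also listed 50140 interrupts).
    $filter = "userId eq '$($m.Id)' and createdDateTime ge $since and status/errorCode eq 0"

    Get-MgAuditLogSignIn -Filter $filter -All |
        Select-Object UserPrincipalName, CreatedDateTime, AppDisplayName, IpAddress,
            @{ Name = 'Location'; Expression = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
            ConditionalAccessStatus
}

# Per-user summary for a quick review: number of successful sign-ins and the most recent one.
$results | Group-Object UserPrincipalName |
    Select-Object @{ Name = 'User'; Expression = { $_.Name } },
                  @{ Name = 'SuccessfulSignIns'; Expression = { $_.Count } },
                  @{ Name = 'LastSignIn'; Expression = {
                        ($_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime } } |
    Format-Table -AutoSize

# Full per-sign-in detail, kept for the review record (file name is an assumption).
$results | Export-Csv -Path ".\group-signins-last30d.csv" -NoTypeInformation
```

Users with no successful sign-in in the window simply do not appear in the summary; compare the summary against the member list if you also need the users who never signed in.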