Category: Graph

Checking Sign-in logs in Azure AD using Microsoft Graph API

In a previous post we went through configuring and connecting to Microsoft Graph API.

In this post we will going through querying sign-in logs.

Connecting to Microsoft GraphAPI Using PowerShell – TheSleepyAdmins

We have been trying to audit guest account activity and sign-in logs are the only way I have been able to find if these account’s have been active for the last 30 days. Instead of manually filtering sign-in logs from Azure AD I want to automate this using Graph.

To query sign-in logs the below API permission are required. since we are using client secret we only require Application permission.

Below is the link to the Microsoft doc I used for getting info on listing sign-ins.

List signIns – Microsoft Graph v1.0 | Microsoft Docs

Permission typePermissions (from least to most privileged)
Delegated (work or school account)AuditLog.Read.All and Directory.Read.All
Delegated (personal Microsoft account)Not supported
ApplicationAuditLog.Read.All and Directory.Read.All

Next step was to run the command to get to the access token for connecting to Microsoft Graph this is covered in the previous post so we won’t be going over that here.

To connect to the sign-in Graph use the below Url

https://graph.microsoft.com/v1.0/auditLogs/signIns

Below is the command to connect and view all sign-in logs data

$LoginUrl = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $LoginUrl -Method Get).value

This will return all the default values for each sign-in log.

This image has an empty alt attribute; its file name is image-58.png

We only wanted to have Displayname,UPN,IP,App used and date the log was created. We also wanted to only have Logs that where created in the last 30 days. 

$LoginUrl = "https://graph.microsoft.com/v1.0/auditLogs/signIns"(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $LoginUrl -Method Get).value | Select-Object userDisplayName,userPrincipalName,ipAddress,clientAppUsed,createdDateTime | Where-Object {$_.userPrincipalName -notlike "*DomainName.com" -and $_.createdDateTime -gt "2020-09-29"}

Below is the results from the above query.

Now that we have the query, we can either run the query manually or in my case I will be setting up a script to run in a scheduled task to export this data.

Connecting to Microsoft GraphAPI Using PowerShell

Recently I have been looking to use Microsoft Graph to query specific information for Microsoft 365 services.

Microsoft Graph is an development tool that connects to multiple Microsoft 365 services to allow querying data and automate tasks.

There are a few steps required to start using Graph which involves creating a app registration on Azure to issue authentication tokens and API permission to view data.

Use the Microsoft Graph API – Microsoft Graph | Microsoft Docs

I also used a blog post by AlexAsplund on adamtheautomator as this was very good at explaining the process and goes more in depth.

Using the Microsoft Graph API with PowerShell (adamtheautomator.com)

In this post we will be going through configuring the app registration and query some data from Azure AD.

First step is to logon to the Azure portal > Azure AD > App registration and click on New registration.

Give the app a name and specify the support account type in this case we only want account from our tenant.

Once completed, we should now see the app has been created.

Next step we need to configure the API permissions, depending on the type of access required we will use either delegated or application permission as some data can only be access by either permission types.

below is a extract from the Microsft Docs on permission types

Microsoft identity platform developer glossary | Microsoft Docs

permissions

client application gains access to a resource server by declaring permission requests. Two types are available:

  • “Delegated” permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as “scp” claims in the client’s access token.
  • “Application” permissions, which specify role-based access using the client application’s credentials/identity, are presented to the resource at run-time as “roles” claims in the client’s access token.

To assign permission go to the app registration we created earlier and go to API permissions > Add a permission and select Microsoft Graph.

To check which permissions are required I used the below Microsoft Docs .

Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs

Select the permission type and the required permission in this case I want to be able to read groups, users and directory so.

Once the required permissions are added if they required admin permission those will need to be granted using the grant admin consent option below.

There are many different way’s to connect to Microsoft Graph but in this post we will be using client secret.

We will need the application ID

We will create a client secret

Give the client secret a name and set the expire in this case we will use 1 year.

There should now be client secret and the value is used to authenticate. (Take note of the value and save in secure location like a password vault or Azure Key vault as once you leave the app blade the value will be hidden and if you lose, it will have to be recreated.)

Once we have the above configured we can connect to GraphApi to generate a token. We will used Invoke-RestMethod.

The secret can be hardcoded but I decided to use read-host so that I could add the secret manually, as it’s not recommend to have any password/secret hardcoded in script.

Below is the command I used to get the token. 

$ApplicationID = ""
$TenatDomainName = ""
$AccessSecret = Read-Host "Enter Secret"


$Body = @{    
Grant_Type    = "client_credentials"
Scope         = "https://graph.microsoft.com/.default"
client_Id     = $ApplicationID
Client_Secret = $AccessSecret


$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenatDomainName/oauth2/v2.0/token" `
-Method POST -Body $Body

$token = $ConnectGraph.access_token

To verify we have a token run the variable $ConnectGraph to view.

Now that we have a token we can run a queries against GraphAPI.

Below we will be running a query for Azure AD groups and selecting display name. 

$GrapGroupUrl = 'https://graph.microsoft.com/v1.0/Groups/'
(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GrapGroupUrl -Method Get).value.displayName

To view some examples we can use Graph Explorer.

Graph Explorer – Microsoft Graph

In a future post we will be going through more query’s and automating tasks using GraphAPI.