The following Azure Active Directory PowerShell script will generate a table that shows which user logged in and from were to Azure and Microsoft 365.
Azure AD Audit Signin
The report is based on the Azure AD sign-ins report, which is available from the Azure AD portal. I decided to make this report available using PowerShell.
PowerShell Script
By default, the report will display all the users that logged in, in the past 24 hours and will display, User Display Name, UPN, City, State and Region. This report can help detect login events from suspicious locations in case some user details have been compromised.
Before you run the script, Make sure you have the Azure AD PowerShell module running on PowerShell 5.1. Login using connect-azuread and run the script.
$SetDate = (Get-Date).AddDays(-1); $SetDate = Get-Date($SetDate) -format yyyy-MM-dd
$array = Get-AzureADAuditSignInLogs -Filter "createdDateTime gt $SetDate"
$data =@()
foreach($item in $array)
{
$row = "" | Select-Object User,UPN,City,State,Region
$row.user = $item.UserDisplayName
$row.upn = $item.UserPrincipalName
$row.city = $item.Location.City
$row.state = $item.Location.State
$row.region = $item.Location.CountryOrRegion
$data += $row
}
$data | Format-Table -AutoSize