{"id":225,"date":"2025-08-14T03:55:15","date_gmt":"2025-08-14T02:55:15","guid":{"rendered":"https:\/\/www.stevenhodson.com\/?p=225"},"modified":"2025-08-14T04:02:55","modified_gmt":"2025-08-14T03:02:55","slug":"powershell-download-entra-id-sign-in-logs","status":"publish","type":"post","link":"https:\/\/www.stevenhodson.com\/?p=225","title":{"rendered":"PowerShell – Download Entra ID Sign-In Logs"},"content":{"rendered":"\n

This requires Entra ID P1 licensing to work. The first method is manual and requires you to authenticate each time you want to download the logs. You can tweak the output as needed.<\/p>\n\n\n\n

\n\n
1
2
3
4
5
<\/div><\/td>
Connect-MgGraph -TenantId &lt;TenantID>  -Scopes "AuditLog.Read.All"
\n
\n$logs = Get-MgAuditLogSignIn -All | Select-Object CreatedDateTime, AppDisplayName, ClientAppUsed, ConditionalAccessStatus,  @{Name="DeviceName";Expression={$_.DeviceDetail.DisplayName}}, UserDisplayName, UserPrincipalName, @{Name="City";Expression={$_.Location.City}}, @{Name="Country";Expression={$_.Location.CountryOrRegion}}, IPAddress, @{Name="ErrorCode";Expression={$_.Status.ErrorCode}}, @{Name="ErrorInfo";Expression={$_.Status.AdditionalDetails}}
\n
\n$logs | Export-Csv -Path "C:\\Export\\SignInLogs.csv" -NoTypeInformation<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n\n<\/pre>\n\n\n\n
If you want to run this as a scheduled task and therefore won’t be able to manually authenticate each time, then you can create a self-signed certificate and an app registration in Microsoft Entra and use that instead. The following steps create a 2 year self-signed certificate that you’ll be able to use for this purpose.<\/p>\n\n\n\n
\n\n
1
<\/div><\/td>
$Certificate = New-SelfSignedCertificate -Subject MSGraphSignInLogs -CertStoreLocation Cert:\\CurrentUser\\My -NotAfter (Get-Date).AddYears(2)<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n\n<\/pre>\n\n\n\n
You’ll then need to export the certificate somewhere:<\/p>\n\n\n\n
\n\n
1
<\/div><\/td>
Export-Certificate -Cert $Certificate -FilePath "C:\\Export\\MSGraphSignInLogs.cer"<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n\n<\/pre>\n\n\n\n
Open the certificate and copy the Certificate Thumbprint:
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now create an App Registration in Entra ID
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Give the app an appropriate name and click “Register”, leave the other settings as default.

<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Once the app is created, save the generated Application (client) ID and the Directory (tenant) ID somewhere:

<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
In the left menu pane, click in API Permissions, then click on Microsoft Graph (1) and then Application permissions:
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n
Add the following permission “AuditLog.Read.All” and then click Update permissions<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Once you have added in the permissions, click “Grant admin consent for…” to provide the necessary access.
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Now move to the Certificates and secrets section in the menu pane and then select Certificates and Upload certificate:
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Locate the certificate file you exported earlier and then click Add

<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This completes the steps in Microsoft Entra ID – now we can write the following PowerShell to complete the authentication using the certificate and app registration using the information you saved earlier and the rest of the script from above remains the same:<\/p>\n\n\n\n
\n\n
1
2
3
4
5
<\/div><\/td>
Connect-MgGraph -ClientID &lt;ClientID> -TenantId &lt;TenantID> -CertificateThumbprint &lt;Thumbprint>
\n
\n$logs = Get-MgAuditLogSignIn -All | Select-Object CreatedDateTime, AppDisplayName, ClientAppUsed, ConditionalAccessStatus,  @{Name="DeviceName";Expression={$_.DeviceDetail.DisplayName}}, UserDisplayName, UserPrincipalName, @{Name="City";Expression={$_.Location.City}}, @{Name="Country";Expression={$_.Location.CountryOrRegion}}, IPAddress, @{Name="ErrorCode";Expression={$_.Status.ErrorCode}}, @{Name="ErrorInfo";Expression={$_.Status.AdditionalDetails}}
\n
\n$logs | Export-Csv -Path "C:\\Export\\SignInLogs.csv" -NoTypeInformation<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n\n<\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
This requires Entra ID P1 licensing to work. The first method is manual and requires you to authenticate each time you want to download the logs. You can tweak the output as needed. If you want to run this as a scheduled task and therefore won’t be able to manually authenticate each time, then you […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-225","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=\/wp\/v2\/posts\/225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=225"}],"version-history":[{"count":3,"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=\/wp\/v2\/posts\/225\/revisions"}],"predecessor-version":[{"id":240,"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=\/wp\/v2\/posts\/225\/revisions\/240"}],"wp:attachment":[{"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.stevenhodson.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}