Well recently, I had to pull Sign-in activity reports for an Office 365 tenant and I hit a limitation of the Azure AD portal. Unfortunately, you can only download first 5000 entries. This is a small number if you have multiple applications and huge number of users ,using Azure AD as an identity store.

Source:https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-faq

So, the only way out is to get the output from an API call to the Microsoft Graph. This turns out to be a matter of challenge for people who don't have developers skills or are not proficient in Powershell.

Hence, I decided to create a GUI tool that just needs you to click a button to fetch the reports. However, you do need to setup a Service Principal (Applications) on Azure AD to get the reports and the steps can be found at the link below:-

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-prerequisites-azure-portal#register-an-application

The Applications shall need read access to the logs as permission, although you can assign other permissions as well. However, it would increase the attack surface should these credentials for the service principals fall in wrong hands.

You can get the following information from the logs:-

1. DateTime of the Event

2. IP Address

3. Endpoint for Authentication Request

4. Client Type

5. RiskLevel

6. User Display Name

7. UserPrincipalName

8. Operating System of device

9. Browser Information

10. Device Compliance information

11. Location Information

12. Conditional Access details

13. MFA Details

You shall need the following things to get the report:-

• Tenant ID (the domain name that ends with .onmircosoft.com , you can see this in the domains page in Office 365 Admin center)

• Client ID/Application ID (The link above has steps to get this, do not share this with anyone)

• Client Secret (The link above has steps to get this, However, you can only get this once, so make sure you note it down and keep it safe, do not share this with anyone)

Also note that Sign-in reports need you to have at least 1 Azure AD Premium license. It can either be a P1 or P2.

After, you are done setting up the principals, things are quite simple to execute. Here, happens to be a screenshot of the tool and its Output, you also get an option to save the logs in a CSV file.

Download Link:-

MSI Installation File (https://drive.google.com/file/d/1XEHafV2sBNLVQNSjE1qDLgyx0HZFkNiT/view?usp=sharing)

Portable EXE Files (https://drive.google.com/file/d/1FBiU-iOZa5_NBZ6hJWZuDUYKuJNraDWz/view?usp=sharing)

Note: The EXE file and the Setup are not signed with code signing certificate, hence You would get a security warning that the program is not signed and the Software Publisher is not recognized. You might have to elevate UAC to run these files

#AzureAD #Audit #Report #Signin