Risky Sign-Ins Report
Pulls sign-in audit logs from the last N hours and exports them to CSV for review.
Requirements
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module Microsoft.Graph.Reports -Scope CurrentUser
Requires PowerShell 7.0+.
Usage
# Last 24 hours (default)
.\risky-sign-ins-report.ps1
# Last 72 hours
.\risky-sign-ins-report.ps1 -SinceHours 72
# Custom output path
.\risky-sign-ins-report.ps1 -OutputPath "C:\Reports\risky-signins.csv"
Script
#requires -Version 7.0
[CmdletBinding()]
param(
    [int]$SinceHours = 24,
    [string]$OutputPath = (Join-Path $PSScriptRoot 'risky-sign-ins.csv')
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
function Ensure-Module {
    param([Parameter(Mandatory=$true)][string]$Name)
    if (-not (Get-Module -ListAvailable -Name $Name)) {
        Write-Error "Required module '$Name' not found. Install with: Install-Module $Name -Scope CurrentUser"
        exit 1
    }
    Import-Module $Name -ErrorAction Stop | Out-Null
}
Ensure-Module -Name Microsoft.Graph.Authentication
Ensure-Module -Name Microsoft.Graph.Reports
$scopes = @(
    'AuditLog.Read.All'
)
Connect-MgGraph -Scopes $scopes | Out-Null
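# Build the cutoff in UTC: a local-time 'o' string carries an offset such as +02:00 rather than Z
$from = (Get-Date).ToUniversalTime().AddHours(-[math]::Abs($SinceHours))
$fromIso = $from.ToString('yyyy-MM-ddTHH:mm:ssZ', [cultureinfo]::InvariantCulture)
# Note: the Graph SDK filter takes the UTC timestamp string without quotes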
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $fromIso" -Property 'id,userDisplayName,userPrincipalName,createdDateTime,ipAddress,clientAppUsed,riskLevelAggregated,riskState,status' 2>$null
# Wrap in @() so $rows is always an array; under strict mode .Count fails on a single object or $null
$rows = @($signIns | ForEach-Object {
    [pscustomobject]@{
        CreatedDateTime     = $_.CreatedDateTime
        UserDisplayName     = $_.UserDisplayName
        UserPrincipalName   = $_.UserPrincipalName
        IpAddress           = $_.IpAddress
        ClientAppUsed       = $_.ClientAppUsed
        RiskLevelAggregated = $_.RiskLevelAggregated
        RiskState           = $_.RiskState
        Status              = $_.Status.ErrorCode
        StatusDescription   = $_.Status.FailureReason
    }
})
$rows | Sort-Object CreatedDateTime -Descending | Export-Csv -NoTypeInformation -Path $OutputPath
Write-Host "Saved $($rows.Count) rows to $OutputPath" -ForegroundColor Green
Output
Exports a CSV with:
CreatedDateTime
UserDisplayName / UserPrincipalName
IpAddress
ClientAppUsed
RiskLevelAggregated / RiskState
Status / StatusDescription
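One way to review the exported CSV, as an added example that is not part of the original script: it flags rows with medium or high aggregated risk or an atRisk/confirmedCompromised state, and lists source IPs with repeated failed sign-ins. The sample rows, the function names Get-RiskySignIn and Get-FailureByIp, and the threshold of 3 failures are assumptions made for illustration.

```powershell
# Added example (not part of the original script): triage the exported CSV.
# Constructed sample rows in the column layout the script exports.
$sampleCsv = @'
"CreatedDateTime","UserDisplayName","UserPrincipalName","IpAddress","ClientAppUsed","RiskLevelAggregated","RiskState","Status","StatusDescription"
"2024-05-01T08:00:00Z","Alice Example","alice@example.com","198.51.100.7","Browser","high","atRisk","0",""
"2024-05-01T08:05:00Z","Bob Example","bob@example.com","203.0.113.9","Browser","none","none","50126","Invalid username or password (constructed)"
"2024-05-01T08:06:00Z","Carol Example","carol@example.com","203.0.113.9","Browser","none","none","50126","Invalid username or password (constructed)"
"2024-05-01T08:07:00Z","Bob Example","bob@example.com","203.0.113.9","Browser","low","none","50126","Invalid username or password (constructed)"
"2024-05-01T09:00:00Z","Dave Example","dave@example.com","192.0.2.10","Mobile Apps and Desktop clients","none","none","0",""
'@
# For a real report: $rows = @(Import-Csv -Path .\risky-sign-ins.csv)
$rows = @($sampleCsv | ConvertFrom-Csv)

# Rows that Entra ID itself scored as risky (hypothetical helper name).
function Get-RiskySignIn {
    param([object[]]$Rows)
    $levels = 'medium', 'high'
    $states = 'atRisk', 'confirmedCompromised'
    $Rows | Where-Object { $_.RiskLevelAggregated -in $levels -or $_.RiskState -in $states }
}

# Source IPs with at least $MinFailures failed sign-ins (hypothetical helper name).
# Status holds the error code as text after the CSV round trip; 0 means success.
function Get-FailureByIp {
    param([object[]]$Rows, [int]$MinFailures = 3)
    $Rows |
        Where-Object { $_.Status -and $_.Status -ne '0' } |
        Group-Object -Property IpAddress |
        Where-Object { $_.Count -ge $MinFailures } |
        ForEach-Object {
            $group = $_
            $users = @($group.Group | ForEach-Object { $_.UserPrincipalName } | Sort-Object -Unique)
            [pscustomobject]@{
                IpAddress = $group.Name
                Failures  = $group.Count
                Users     = $users -join ', '
            }
        }
}

Get-RiskySignIn -Rows $rows |
    Format-Table CreatedDateTime, UserPrincipalName, IpAddress, RiskLevelAggregated, RiskState
Get-FailureByIp -Rows $rows | Format-Table -AutoSize
```

A failure cluster that spans several accounts from one address is worth a look even when every row reports a risk level of none.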
Graph Permissions
AuditLog.Read.All