Jet Mariano

Pulling M365 Sign-in Locations via AzureADPreview

Written by

jetnmariano

in

Excerpt

Needed a quick “where did this user sign in from?” report without swapping modules. I used AzureADPreview to export a clean CSV (timestamp, IP, country/state/city, app, client, result). All identifiers below are redacted; mailbox shown as [email protected].

Intro

Security asked for a last-30-days sign-in report. I didn’t want to migrate the host that already had AzureADPreview, so I stayed on that and exported the fields they care about. Notes are redacted and portable.

Notes from {Speaker}

  • Context: Windows PowerShell 5.x (STA) + AzureADPreview.
  • Avoided Microsoft Graph SDK on this box.
  • Output: CSV with location + app/client details.

Perspective (direct quotes)

“Use Windows PowerShell (not PS7) so the AzureAD auth control behaves.”
“If you change the date range, re-run the query—don’t reuse the old $logs.”

Practice (today, not someday)

Use this redacted snippet; replace only the UPN line if needed.

# Connect (Windows PowerShell 5.x)
Import-Module AzureADPreview
Connect-AzureAD -AccountId "[me]"

$targetUpn = "[email protected]"   # user to report
$from = (Get-Date).AddDays(-30).ToString("o")   # adjust if you have longer retention
$to   = (Get-Date).ToString("o")

# Query sign-in logs (AzureADPreview)
$logs = Get-AzureADAuditSignInLogs -All $true `
  -Filter "userPrincipalName eq '$targetUpn' and createdDateTime ge $from and createdDateTime le $to"

# Shape the report
$report = $logs | Select-Object `
  createdDateTime, userPrincipalName, ipAddress,
  @{n='Country';e={$_.location.countryOrRegion}},
  @{n='State';e={$_.location.state}},
  @{n='City';e={$_.location.city}},
  appDisplayName, clientAppUsed,
  @{n='MFA';e={$_.mfaDetail.authMethod}},
  @{n='CAResult';e={$_.conditionalAccessStatus}},
  @{n='Result';e={ if ($_.status.errorCode -eq 0) { 'Success' } else { $_.status.additionalDetails } }}

# Export (redacted path example)
$dest = "C:\Reports"
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
$csv = Join-Path $dest "Janedoe_SignIns_Last30Days.csv"
$report | Export-Csv $csv -NoTypeInformation -Encoding UTF8

"$($report.Count) rows -> $csv"

Final Reflection

Sticking with AzureADPreview is fine when you only need sign-in logs—just remember: PowerShell 5.x, re-query after changing dates, and export only the fields the requester needs.

Pocket I’m Keeping

“Query fresh, then shape.” Most delays come from reusing an old $logs object after changing the date window.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts

error: Content is protected !!