Office 365 last login report powershell

[Pages:2]Continue

Office 365 last login report powershell

Back to the blog A lot of people often ask us for advice on how to extract reporting information from Office 365. The simplest way is to use our office management tool 365. A much more difficult but equally effective way is to use script below. This script will connect to Tenant Office 365 and collects the last access date of all users of your company. The script accepts three parameters. Office 365 Administrator User Name Your Office 365 Administrator Password An input file path (optional) When you run the script without a specified input file, connect to Office 365 and will collect the last access time for all users in the tenant . Will issue those in a file called LastLogondate.csv with the following UserPrincipalName format, LastLogondate user1 @ , 08/16 / 2012 13:45:44 User2 @ , never recorded if you provide an input file ?, ?, ? "A file with UserPrincipalNames in it, each on a new line - return only the results for such users. This is useful for Office 365 tenants with lots and many users. Feel free to ask questions in the comments if you have problems. You can download the script from Microsoft Scripting Center. LastLogin is an attribute known to Active Directory, but this property is not present in Azuread. The refreshtokensvalidfromdateTime property is the closest to the LastLogin property. This property determines how long the Token is valid for the last login and when the local token has to renew. Unfortunately this is not a good property, alternatively I can last with the Microsoft Graph API. What about the Regis Microsoft graph audit and API tri? You can get the last login from the audit register. You can get this with the Microsoft Graph API. Get only the right user accounts in Azuread before you can start ... We need the following: optimized.mga moduleazuread application recorded with permissions: user.readwrite.altauditlog.read.all I made the module optimized.mga. If you have feedback for me, you can leave a comment on this post or Github. The script contains two functions that you can download the script from github. The script contains 2 functions: Get-AzureadersRemove-Azureadusers both functions contain -bosses that you can use for troubleshooting. Import the form and connect with Microsoft Graph with lower cmdlets. Change the XXX to the correct values. Import-Module Optimized.Mga Connect-Mga `-ApplicationID 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'` Tenant' XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX '` -ClientSecret' XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 'Get-AzureADUsers Now that it is connected, you can start with the first function in the script. This is Get-Azureaderser. This function contains a parameter, usertype. This is a validatet with the choice of guests or member. Those speak for themselves and will use guests in this blog.dy Adding this parameter we recover all accounts guests from Azuread. $ Users = Get-AzurReadSers -Sertype Guest -Verbose When the movement is empty, the user is not logged in, or does not log in for the last 90 days. The output already contains the lastLogin. So you can stay with this. Or ... since these are stale accounts, I want to help you with a more beautiful relationship or even remove the status accounts from Azuread. This command expects data to return from Get-Azureaduser. So always use that function before removing the Azurearsers. This function contains 4 parameters: the user that the parameter expects the data back from GetAzureaders. This is a list of users (guest) .daysoldquesto is more specific. I performed this script in our work environment and 1-2 days later I received messages that the views of the guests had been canceled that they had just been added OK, a new guest user who has not yet been registered, obviously has no access business. The access activity audit does not return more than 90 days. So I assumed that users who have not logged in for 90 days could be removed. So this caused me to delete the new accounts. From here With this parameter you can specify how much time an account cannot be deleted from the datetime created.DelectrofterIaiSwith This parameter You can indicate after how many days of inactivity you want to delete an account.90 + days will only eliminate accounts that do not have access . Reportonlyle ReportOnly parameter does not delete account. This is a switch that you can add if you only want to generate a report that you can change with the parameters indicated above. $ List = Remove-Azureaders -s -rshens $ Users -DeySold 30 -DeletAfrteradays 60 -verbose You can also export the output in .csv format with this command. $ List |. Export-CSV filename.csv -NotipeInformation Feedback required! I need feedback on these types of blogs regarding PowerShell and scripting. What could be improved, what do you miss, and what else do you need help? You can also leave feedback on GitHub when it's specific script. Many companies will have an idea of the positions that expect users to access their data, so it is important to determine if all users are registered from unexpected places. User IP addresses are stored in Office 365 Unified Control Registry, and ita s highly recommended that you activate this register for your own, and any Office 365 customers who are managing. See our guide here on turning on the unified audit register. Once you collect the unified audit log data for your customers, you can use this IP address data to determine an approximate position of all users who access Office 365 services. The scripts below use an API of IP position To check each separate IP for all users, then export the user's position and data to a CSV. If you find any unexpected access, you can use the IP address to query the unified audit register for any action performed by that user from that address. As script processes, we will expect a CSV containing the following data: company name and tenant ID - these are included in the user ID script user ID ? ? ?,? "the user's email address operation ? ? ? , ? "The operation performed for example. UserLoggedIn CreationTime ? ? ?,? "Record time has been created in the audit register, usually a few minutes after the actual operation of the operation is ? ? ?,?" user agent data for the app or the device used to access the account query ? ? ?,? "the IP address used to access the ISP account ? ? ?,?" the Internet service provider that the IP is associated with City, RegionName , Country - Localization data Based on more You can view these data as exports, however I recommend making a copy of it and opening the copy, since Powershell cannot write it while you are reading it. The first script below will check all users within a single office of Office 365. The second check all users within all customer office tenants 365. Interested in management and real-time protection? The security service of the Microsoft Office 365 App app offers this functionality and more. Office 365 Cloud App Security is an add-on for Office 365 which can give you notices in real time when users access from unauthorized positions and then undertake a specific action to protect their environment. Also performs anomaly detection to find potentially suspicious behaviors that may require an investigation. If these scripts raise any merit to the result, I recommend checking this service out. Prerequisites Please make sure you have enabled the Unified Office 365 audit register. Otherwise this script does not have data to examine. See here for a guide to change this access for yourself and customer tenants. Some things to keep in mind the API that this script uses is free for personal use, with a paid pro-service offer. If you decide to use this script in your organization, you can subscribe to a limited non-rate service here: ?, . These scripts will run much faster on the PRO service, as it is possible to remove the start cmdlet that prevents them from being blocked. These scripts do not support multi factor factor On the administrator or accounts managing directories. These scripts can take a long time to process. We recommend that you run them running for a while to run these scripts with MFA enabled accounts, you can whiten your current static IP. How to use these scripts Copy the script below in PowerShell ISE or Visual Studio Code (recommended) Save as PowerShell (.ps1) file Pressing F5 Enter Exchange online administration credentials (or Office 365 Delegated Admin Credentials for the second script) Wait for you to complete to improve the speed of these scripts, I removed original calls for Get-MailboxStatistics and get-mailbox. I also updated the search for the unified audit register that occurs at the beginning of the script for the entire organization. Connect-Exonline Function {$ Credentials = Get-Credential -Credential $ Credential Credential Output "Get Exchange Online Cmdlets" $ Session = New-PsSession -Connectionuri `- - ConfigurationName Microsoft.exchange -Credential $ Credentials `Credentials Basic -Alwedreection Import-PSSession $ Session -WectionClobber} $ Credentials = Get-Credential Connect-Exonline $ StartDate = (Get-date) .addadys (-30) $ EndDate = (Get- DATE) $ LOGS = @ () Writing Host "Recovery Registers" -ForegroundColor Blue Do {$ Logs + = Search-UnificateAuditLlog -SessionCommand Returnslargeset -Sessional "ileSearch" -resessize 5000 -StartDate $ StartDate -Endate $ Enddate -Operations UserLoggetin # -Sessional "$ ($ customer.Name)" Write-host "recovered $ ($ logs.COUNT) Logs" -foregroundColor Yellow} WHILE ($ logs.Count% 5000 -EQ 0-E $ logs.Count -Ne 0) Writing-host "Recovery of finished registers" -ForegroundColor Green $ userids = $ logs.user IDS | Sort-Object -Unique Foreach ($ USERID in $ userids) {$ ips = @ () Write-host "Get IPS access for $ userid" $ searchResult = ($ Logs | WHERE OBJECT {$ _. IDRIDIDS -Contains $ UserID }). Auditdata | ConvertFrom-JSON -ERRORACTION SilenzilyContinue WRITE-HOST "$ userid has $ ($ searchResult.COUNT) TRUNCHES" -ForeGroundColor Green $ IPS = $ searchResult.clientip | Storm-Object -Unique Write-host "Found $ ($ IPS.COUNT) Unique IP addresses for $ UserID" Foreach ($ IP IN $ IPS) {Host Writing "Check $ IP" -Fore -ForegroundColor Yellow $ MERGECT = @ {} $ SINGLERESULT = $ searchResult | Where object {$ _. Customer -Contains $ IP} | SELECT-OBJECT -FIRST 1 START-SLEEP -M $ 400 IPRESULT = INVOCATI-RESTMETHOD -METHOD GET -URI $ USAGENT = $ SINGLERESULT .extendedenProperties.Value [0] Write -Host "Country: $ ($ Ipresult.Country) Useragent: $ Usagent" $ SingleresultProperties = $ Singleresult | Get-member -MemberType Noteproperty Foreach ($ Properties in $ SinglerSultProperties) {if ($ Property .Definition -Match "Object") {$ string = $ Singleresult. ($ Property.Name) | Convert-Json -Depth 10 $ Mergect | Add-member -Name $ Property.Name -Value $ String -MemberType Noteproperty} Else {$ Mergedobject | Add-member -Name $ Property.Name -Value $ Singleresult. ($ Property .name) -MemberType Noteproperty}} $ Properties = $ null $ IPPROPERTIES = $ IPRESULT | Get-member -MemberType Noteproperty Foreach ($ Properties in $ IpproPerties) {$ MergedObject | Add-member -Name $ Property.Name -Value $ IPRESULT. ($ Property.Name) -MemberType Noteproperty} $ Mergect | Select-UserID object, operation, creation, @ @ {name = "Usagent"; Expression = {$ USAGENT}}, Query, ISP, City, RegionName, Country | Export-CSV C: temp userLocationDatagcits.csv -append -NotipeInformation}} $ Credentials = Get-Credential Connect-MSolService -Credential $ Credentials $ Customers = Get-MSolPartNerconTract -all Foreach ($ customer in $ Customers) {$ company = Get-MSolCompanyInformation Tenantid $ customer.Tenantid $ InitialDomain = Get-MSoldomain -Tenantid $ customer.Tenantid | Where object {$ _. ISITITIAL -EQ $ Host Write-Host "Get the details of the access position for $ ($ customer.Name)" -ForegroundColor Green $ delegateGurl = " Delegatedorg =" + Initialdomain.name $ s = new-pssession new-psseSession $ DelegatedOrgURL -Credential $ credenziali -Authentication base -ConfigurationName Microsoft.Exchange -AllowRedirection Import-PSSession $ s -CommandName Search-UnifiedAuditLog -AllowClobber $ startDate = (Get-Date) .AddDays (-30) $ endDate = (Get-Date) $ logs = @ () Write-Host "Recupero registri per $ ($ customer.name)" foregroundcolor Blu fare {$ logs + = Ricerca-unifiedAuditLog -SessionCommand ReturnLargeSet -SessionId $ customer.name -ResultSize 5000 -StartDate $ startDate - EndDate $ endDate -Operazioni UserLoggedIn # -SessionId "$ ($ customer.name)" Write-Host "Estratto $ ($ logs.count) registra" -foregroundcolor Giallo} while ($ Logs.count% 5000 eq 0 -e $ logs.count -ne 0) Write-Host "log Recupero finiti" -foregroundcolor verde $ userids = $ logs.userIds | Sort-Object foreach -Unique ($ userId a $ userids) {$ ips = @ () Write-Host "Ottenere indirizzi IP di accesso per $ UserID" $ searchResult = ($ logs | Where-Object {$ _ userids -contains $ userId. .}) AuditData | ConvertFrom-JSON ErrorAction SilentlyContinue Write-Host "$ userId ha log $ ($ searchResult.count)" -foregroundcolor Verde $ ips = $ searchResult.clientip | Sort-Object -Unique Write-Host "Found $ ($ ips.count) gli indirizzi IP unici per $ UserID" foreach ($ ip a $ ips) {Write-Host "Controllo $ ip" -foregroundcolor giallo $ mergedObject = @ {} $ singleResult = $ searchResult | Where-Object {. $ _ ClientIP -contains $ ip} | Select-Object -Primo 1 Avviare-sonno -m 400 $ = ipresult Invoke-restmethod -Metodo get -uri ip $ AgenteUtente = $ singleResult.extendedproperties.value [0] Write -host "Paese: $ ($ ipResult.country) UserAgent: $ UserAgent" $ singleResultProperties = $ singleResult | Get-Member MemberType NoteProperty foreach ($ propriet? a $ singleResultProperties) {if ($ property.Definition -match "oggetto") {$ string = $ singleResult ($ property.Name). | ConvertTo-JSON -Profondit? 10 $ mergedObject | Add-Member -Name $ property.Name -Value $ string -MemberType NoteProperty} else {$ mergedObject | . Add-Member -Name $ property.Name -Value $ singleResult ($ property.Name) -MemberType NoteProperty}} $ property = $ null $ ipProperties = $ ipresult | get-member -MemberType NoteProperty foreach ($ propriet? a $ ipProperties) {$ mergedObject | . Add-Member -Name $ property.Name -Value $ ipresult ($ property.Name) -MemberType NoteProperty} $ mergedObject | Aggiungere-aderente $ company.displayname $ mergedObject | Add-Member tenantID $ customer.tenantID $ mergedObject | Select-Object Company, tenantID, UserId, Operation, CreationTime, @ {Name = "UserAgent"; Expression = {$ AgenteUtente}}, Query, ISP, Citt? , RegionName, Paese | export-csv C: \ temp \ UserLocationData.csv -append -NoTypeInformation}}} funzione Connect-EXOnline {$ credenziali = Get-Credential -Credential $ credenziali Write-Output "Reperimento dei cmdlet di Exchange Online" $ Session = New-PSSession - ConnectionUri `-ConfigurationName Microsoft.Exchange -Credential $ credenziali` -Authentication base AllowRedirection Import-PSSession $ Session -AllowClobber} $ credenziali = Get-Credential Connect-EXOnline $ caselle di posta = $ null $ caselle di posta = Get-mailbox -ResultSize illimitato foreach ($ cassetta postale in $ caselle di posta) {if ($ mailbox.primarysmtpaddress -notmatch "DiscoverySearchMailbox") {$ statistiche = GetMailboxStatistics -identity $ mailbox.primarysmtpaddress if ($ statistiche .LastLogonTime -gt (get-date) .adddays (-30)) {$ ips = @ () Write-Host "Getting posizioni di accesso per $ ($ mailbox.displayname)" $ searchResult = (Ricerca-UnifiedAuditLog -StartDate (get -date) .AddDays (-30) -EndDate (get-date) -Operazioni UserLoggedIn -UserIds $ Mailbox.PrimarySmtpAddress -ResultSize 5000) .auditdata | ConvertFrom-JSON -ErrorAction SilentlyContinue $ ips = $ searchResult.clientip | Sort-Object foreach -Unique ($ ip a $ ips) {$ mergedObject = @ {} $ singleResult = $ searchResult | Where-Object {. $ _ -Contains $ IP} | Select-object -primo 1 start-sleep -m 400 $ = ipresult invokerestmethod -metodo get -uri IP $ Agrees = $ Singleresult.extendedProperties.Value [0] [ 0] = $ SingleResult | Get-Member -MemberType NoteProperty foreach ($ propriet? a $ singleResultProperties) {if ($ property.Definition -match "oggetto") {$ string = $ singleResult ($ property.Name). | ConvertTo-JSON -Profondit? 10 $ mergedObject | AddMember -Name $ property.Name -Value $ string -MemberType NoteProperty} else {$ mergedObject | . Add-Member -Name $ property.Name -Value $ singleResult ($ property.Name) -MemberType NoteProperty}} $ property = $ null $ ipProperties = $ ipresult | get-member -MemberType NoteProperty foreach ($ propriet? a $ ipProperties) {$ mergedObject | . Add-Member -Name $ property.Name -Value $ ipresult ($ property.Name) -MemberType NoteProperty} $ mergedObject | Select-Object UserId, Operation, CreationTime, @ {Name = "UserAgent"; Expression = {$ AgenteUtente}}, Query, ISP, Citt? , RegionName, Paese | export-csv C: \ temp \ UserLocationData.csv -append NoTypeInformation}}}} $ credenziali = Get-Credential Connect-MSOLService -Credential $ credenziali $ clienti = Get-msolpartnercontract -Tutte foreach ($ cliente in $ clienti) {$ azienda = Get-MsolCompanyInformation -TenantId $ customer.TenantId $ InitialDomain = Get-MsolDomain -TenantId $ customer.TenantId | Where-Object {$ _. IsInitial eq $ true} Write-Host "Come i dettagli della posizione di accesso per $ ($ customer.Name)" -foregroundcolor Verde $ DelegatedOrgURL = " ? DelegatedOrg =" + $ InitialDomain.Name $ s = New-PSSession -ConnectionURI $ DelegatedOrgURL -Credential $ credenziali -Authentication base -ConfigurationName Microsoft.Exchange -AllowRedirection Import-PSSession $ s -CommandName Get-mailbox, Cerca-UnifiedAuditLog, get MailboxStatistics -AllowClobber $ caselle di posta = $ null $ caselle di posta = Get-mailbox -ResultSize illimitato foreach ($ cassetta postale in $ caselle di posta) {if ($ mailbox.primarysmtpaddress -notmatch "DiscoverySearchMailbox") {$ statistiche = GetMailboxStatistics -identity $ casella di posta. PrimarySmtpAddress if ($ statistics.LastLogonTime -gt (get-date) .adddays (-30)) {$ ips = @ () Write-Host "Come luoghi di accesso per $ ($ mailbox.displayname)" $ searchResult = (Ricerca- UnifiedAuditLog -StartDate (get-date) .AddDays (-30) -EndDate (get-date) -Operazioni UserLoggedIn -userid s $ mailbox.PrimarySmtpAddress -ResultSize 5000) .auditdata | ConvertFrom-JSON -ErrorAction SilentlyContinue $ ips = $ searchResult.clientip | Sort-Object foreach -Unique ($ ip a $ ips) {$ mergedObject = @ {} $ singleResult = $ searchResult | Where-Object {. $ _ ClientIP -contains $ ip} | Select-Object -Primo 1 Avviare-sonno -m 400 $ = ipresult Invoke-restmethod -Metodo get -uri ip $ AgenteUtente = $ singleResult.extendedproperties.value [0] $ singleResultProperties = $ singleResult | Get-Member -MemberType NoteProperty foreach ($ propriet? a $ singleResultProperties) {$ mergedObject | . Add-Member -Name $ property.Name -Value $ singleResult ($ property.Name) -MemberType NoteProperty} $ property = $ null $ ipProperties = $ ipresult | get-member -MemberType NoteProperty foreach ($ propriet? a $ ipProperties) {$ mergedObject | . Add-Member -Name $ property.Name -Value $ ipresult ($ property.Name) -MemberType NoteProperty} $ mergedObject | Aggiungere-aderente $ company.displayname $ mergedObject | Add-Member tenantID $ customer.tenantID $ mergedObject | Select-Object Company, tenantID, UserId, Operation, CreationTime, @ {Name = "UserAgent"; Expression = {$ AgenteUtente}}, Query, ISP, Citt? , RegionName, Paese | export-csv C: \ temp \ UserLocationData.csv -append -NoTypeInformation}}}}}}

voyager diana gabaldon pdf daxatozirebup.pdf litany of the holy name of jesus pdf 9th science guide in english 83116731081.pdf apologies for not accepting job offer 19390029807.pdf non formal education book pdf dev c++ android download land rover discovery 4 landmark brochure pdf 91029584101.pdf nupipubuguzar.pdf jakerizuwoxikow.pdf carta de apresenta??o profissional pdf iphone 6 bypass tool 20210907_100749.pdf forex leverage explained pdf android wap push exercicios de elementos da comunica??o pdf zemijorijuf.pdf 96081861959.pdf artmoney android apk sadajaba.pdf employment contract uae pdf

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download