Export Microsoft 365 Users’ Logon History Report Using PowerShell

Logon patterns play a major role in many attacks. Tracking Microsoft 365 users’ login activities is essential for detecting potential security breaches and suspicious behavior. So, how do you generate a logon history report in Microsoft 365? Lets’ dive into detail.

To view M365 users’ logon history, you have two main options: using the Microsoft 365 admin portals or PowerShell. However, it’s important to note the limitations of each method.

M365 admin portals: In the Microsoft 365 admin portals, you can access a history of successful login attempts, but it doesn’t track failed login attempts. Even if you apply filters to retrieve failed login attempts, exporting them is not possible. Additionally, Entra sign-in logs are limited to the past 30 days.

PowerShell: For tracking both successful and failed logon attempts over an extended period, Search-UnifiedAuditLog is the best choice. It allows you track all sign-in events within a specified range. However, improper data retrieval can cause data loss, leading to inaccurate results.

Don’t worry! We’ve got you covered. We’ve developed a user-friendly PowerShell script to export Microsoft 365 users’ login activities across various workloads, including Entra ID, Exchange Online, Microsoft Teams, and SharePoint Online.

Download Script: O365UserLoginHistory.ps1

Script Highlights:

• Allows you find successful and failed logon attempts separately.
• The exported report has IP addresses to track user’s login location.
• You can export the login history report for “All users” or “Specific user(s)”.
• Exports report result to CSV.
• Automatically installs the EXO module (if not installed already) upon your confirmation.
• This script is scheduler friendly. I.e., credentials can be passed as a parameter instead of saving inside the script.
• Supports Certificate-based Authentication(CBA).
• Tracks login events in various Microsoft 365 workloads, including Azure Active Directory, Exchange Online, SharePoint Online and Microsoft Teams .

The exported login history report looks similar below screenshot

Note: Only successful logins are captured for some workloads in Search-UnifiedAuditLog. Therefore, if the ‘Result status’ is shown as empty, consider them as successful login attempts.

Method 1: Execute the script with a MFA or non-MFA account

The exported report will contain M365 users’ login activities for the past 180 days.

Method 2: Execute the script by explicitly mentioning credentials (Scheduler friendly).

This method will work for only non-MFA accounts. If the account has MFA, you can disable MFA for a specific account using CA policy.

Method 3: Execute the script using Certificate Based Authentication.

This method is also scheduler friendly and more secure method when compared to the previous method.

To use CBA, you must register app in Entra and add credentials. You can use either a CA certificate or create a self-signed SSL certificate based on your purpose.

1. Export users’ login history for the past 180 days
2. Get M365 login activities for custom period
3. Export login history for a specific user
4. View login history for a list of users
5. Export failed login attempts report
6. Export Microsoft sign-in report (successful login attempts)
7. Get sign-in history for a specific M365 service (Entra, Exchange Online, SPO, Teams)
8. More granular login history report
9. Get Monthly login history report

The Search-UnifiedAuditLog can retrieve audit logs for up to 180 days. By default, the script can retrieve data from the past 180 days. However, you can customize the date using specialized parameters.

But tracking users’ last login time using this result is difficult. In such case, you can utilize inactive users report to find last interactive and non-interactive sign-ins. Also, you can track guest users last login time separately.

To get users’ login attempts within a specific period, you need to mention start and end times during script execution. It can be achieved by passing –StartDate and –EndDate params.

Date format should follow the MM/DD/YY format. The above script will export all users’ login attempts from Nov 20, 2024, to Nov 25, 2024.

To export a specific user’s logon history, execute the script with –UserName param.

The exported report contains login history of john@contoso.com.

If you want to get sign-in attempts for multiple users, you can pass usernames using –UserName param as comma separated values.

The exported report contains login history of admin and hr user.

Analyzing M365 users’ failed sign-in attempts are helpful in identifying suspicious activities and attack pattens. To export failed logon attempts, execute the script with –Failed switch param.

By default, it will return the past 180 days of audit records. If you want to narrow down the report, you can mention time interval using –StartDate and –EndDate params.

Using Microsoft 365 login IP address, you can track from where the user/attacker trying to login to access your organization resources.

To export users’ successful sign-in attempts, you need to run the script with –Success switch param.

The exported report helps you track users’ sign-in activity in your organization. You can also utilize M365 users’ last successful sign-in time to identify users’ last successful sign-in time and find inactive users.

You can track Microsoft 365 users’ sign-in history for a specific workload by passing the –Workload param. In such way, you can track users’ Entra sign-in history, mailbox login history, SPO sign-ins and Teams sign-in activities.

The above format, export users’ sign-in activities in Entra. You can also use Exchange, SharePoint, or MicrosoftTeams to retrieve sign-in details for those workloads.

By default, this PowerShell script supports multiple advanced filtering options. You can use one or more filters during execution time. I have listed some use-cases here.

• To export specific O365 user’s all successful and failed login attempts that performed last week, you can execute the script as follows.

• To export all Office 365 users’ failed login attempts performed in specific hours.

Additionally, you can easily filter out unsuccessful login attempts in Microsoft 365 using the “Time Range” filter of the sign-in failure analysis workbook.

Since Search-UnifiedAuditLog has data for limited period, you may require old audit logs for analysis. In that case, scheduling plays a significant role.

You can use the Task Scheduler to automate Microsoft 365 login history report. If you schedule the script to run once in 180 days, you can access the exported report at any time you want. So, you can store years of audit logs further analysis.

You can either schedule by explicitly passing the credential (not recommended) or using certificate based authentication as explained in the script execution methods.

You can either Schedule the PowerShell script using Task Scheduler or use Azure Automation.

If you need more customized and advanced reports such as first & last login time of the day, weekly login summary, monthly login summary, etc, you can take a look at Microsoft 365 sign-in reports by AdminDroid

the best part is, these reports are Free. AdminDroid’s Free Microsoft 365 reporting tool offers 150+ pre-built reports to efficiently manager users, groups & membership, licenses, user sign-ins, password changes, license changes, managers & direct reports, etc.

AdminDroid provides 50+ sign-in reports by covering various sign-in use aspects. Specifically,

• • User Logins
    • All user logins
    • Failed user logins
    • Successful user login
    • User’s last logon time
    • Users’ first logon time of a day
    • Users’ monthly login count summary
  • Security
    • Admins logins
    • Guest logins
    • Risky login attempts
    • Failed to pass MFA challenge
    • Legacy/Basic authentication login attempts
  • Office 365 service based logins
    • Outlook login history
    • Mailbox PowerShell logins
    • Teams logins
    • Teams external user login activities

Additionally, AdminDroid provides 1900+ pre-built reports and 30 smart dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.

Download AdminDroid Microsoft 365 management tool now and experience the power of simplified administration!

I hope this blog is useful in analyzing M365 logon history report. If you have any queries or requirements, share it with us through the comment section.