In Azure Active Directory, sign-in activity data is retained for 30 days when your tenant has an Azure Active Directory Premium license associated with it (without Premium, only the last 7 days are kept).
You can leverage the Azure Active Directory sign-in activity reports to retrieve information such as:
- Who attempted to sign in?
- Which application was the sign-in for?
- Did the sign-in attempt succeed or fail?
- Was Multi-Factor Authentication required?
Now, most customers that I work with have a shared PC environment. In these kinds of environments, two questions I am often asked are:
- Can we see which device a user has signed in to?
- Can we see which users have signed into a particular device?
In this blog post, I’ll share how I’ve tackled these questions!
Can we see which device a user has signed in to?
What’s great about the sign-in activity reports in Azure Active Directory is that Device info is available for Azure AD joined devices, including the Device ID of the device the user signed in on.
The Device ID corresponds to the deviceId property of an Azure AD device object (not the object ID of that object), and you can search for it in the Azure AD devices overview.
So when you paste the Device ID in the search field, it returns the device the user has signed in to!
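The same lookup can be automated against Microsoft Graph. The following PowerShell is an added example, not code from the original post or from the author's module: it pulls a user's sign-ins from the auditLogs/signIns endpoint, keeps only successful ones that carry a Device ID, and resolves each Device ID to its Azure AD device object by filtering on the deviceId property. It assumes $AccessToken holds a bearer token with AuditLog.Read.All and Directory.Read.All; the user principal name is a placeholder.

```powershell
# Added example (not from the original post): list the devices a user has signed in to,
# using the Azure AD sign-in logs via Microsoft Graph.
# Assumption: $AccessToken holds a bearer token with AuditLog.Read.All and Directory.Read.All.
$Headers = @{ Authorization = "Bearer $AccessToken" }

function Invoke-GraphGetAll {
    # Follows @odata.nextLink so paged results are returned in full.
    param([Parameter(Mandatory)][string]$Uri)
    $results = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $results += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $results
}

function Get-UserSignInDevices {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $filter  = "userPrincipalName eq '$UserPrincipalName'"
    $signIns = Invoke-GraphGetAll -Uri "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=$filter"

    # Only successful sign-ins (status.errorCode 0) with a device record count as "used that device";
    # a failed attempt should not place a user on a machine.
    $signIns |
        Where-Object { $_.status.errorCode -eq 0 -and $_.deviceDetail.deviceId } |
        Group-Object { $_.deviceDetail.deviceId } |
        ForEach-Object {
            $latest = $_.Group | Sort-Object createdDateTime -Descending | Select-Object -First 1
            # The Device ID in the sign-in log is the device object's deviceId property, not its
            # object id, so it is looked up with a $filter rather than /devices/{id}.
            $device = Invoke-GraphGetAll -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$($_.Name)'" |
                Select-Object -First 1
            [pscustomobject]@{
                DeviceId    = $_.Name
                DisplayName = $device.displayName
                ObjectId    = $device.id
                TrustType   = $device.trustType
                SignInCount = $_.Count
                LastSignIn  = $latest.createdDateTime
                LastApp     = $latest.appDisplayName
            }
        }
}

# Placeholder UPN; replace with the user you are investigating.
Get-UserSignInDevices -UserPrincipalName 'user@contoso.com' | Format-Table -AutoSize
```

A device that has been deleted from Azure AD will still show up in the sign-in log but return no device object, so DisplayName and ObjectId come back empty for it; the Device ID itself is still useful for matching against Intune or local records.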
Can we see which users have signed into a particular device?
I’ve been asked this question, for instance, when a device is missing from a certain location.
When someone you know has signed in to the missing device in the past 30 days, you can leverage the sign-in activity reports of that user to locate the Azure AD device object of the missing device.
Now, as far as I’m concerned, you have two options:
- In Intune, you can view the status of a device configuration profile or compliance policy for a particular device; the per-user status rows list the users that policy was evaluated for on that device.
- Query Microsoft Graph (the beta endpoint, where this property is exposed) for the windowsManagedDevice resource type to obtain the usersLoggedOn property, which lists the users last logged on to the device with their logon time.
For the second option, I’ve made the Get-GraphUsersLoggedOn PowerShell function available in the MSGraphFunctions PowerShell Module.
This function requires the Intune Device ID as its parameter value, but at this point we only have the Azure AD Device ID. You can obtain the Intune Device ID from the Microsoft Intune management portal (the managedDevice resource also carries an azureADDeviceId property, so the two IDs can be correlated programmatically).
When you have the Intune device overview open, you can either grab the Intune Device ID from the URL, which looks similar to “https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Devices/DeviceSettingsBlade/overview/mdmDeviceId/77314818-25f1-4c36-8961-bf7eae665089”, or navigate to the Hardware blade and grab it from there.
If you don’t have the MSGraphFunctions PowerShell module yet, you can install it with the Install-Module -Name MSGraphFunctions cmdlet.
Then connect to Microsoft Graph with the Connect-Graph cmdlet.
After connecting, run the Get-GraphUsersLoggedOn -Id <IntuneDeviceId> cmdlet to get a list of users that have signed on to the device in the past 30 days.
As you can see from the generated output, not only are the users that have logged on to the device returned, but their last logon date/time is included as well.
You’ll also notice that the same user can be reported more than once. A new entry is written each time a user signs in who differs from the previous user, and the earlier entry is then no longer updated. To get a single last-logon per user, keep only the most recent entry for each userId.
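The steps above, as an added PowerShell example that is not the post's own code nor the MSGraphFunctions module's: it resolves the Azure AD Device ID to the Intune managed device by filtering managedDevices on azureADDeviceId (so the Intune ID does not have to be copied from a URL), reads usersLoggedOn from the beta endpoint, collapses the duplicate entries described above to one row per user with the latest logon, and resolves each userId to a user principal name. It assumes $AccessToken holds a bearer token with DeviceManagementManagedDevices.Read.All and User.Read.All; the sample usersLoggedOn array at the bottom is constructed for illustration, and the device ID in the commented live call is a placeholder.

```powershell
# Added example (not from the original post or the MSGraphFunctions module).
# Assumptions: $AccessToken holds a bearer token with DeviceManagementManagedDevices.Read.All
# and User.Read.All; usersLoggedOn is exposed on the beta endpoint only.
$Headers = @{ Authorization = "Bearer $AccessToken" }

function Get-IntuneDeviceByAadDeviceId {
    param([Parameter(Mandatory)][string]$AzureAdDeviceId)
    # managedDevice carries azureADDeviceId, so the Intune id can be looked up instead of copied from the portal.
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=azureADDeviceId eq '$AzureAdDeviceId'&`$select=id,deviceName,usersLoggedOn"
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    if (@($result.value).Count -ne 1) {
        throw "Expected exactly one managed device for Azure AD device id $AzureAdDeviceId, found $(@($result.value).Count)"
    }
    return $result.value[0]
}

function Get-LatestLogonPerUser {
    # Takes the raw usersLoggedOn array and keeps the most recent entry per userId,
    # which removes the duplicates that appear whenever users alternate on a shared PC.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$UsersLoggedOn)
    $UsersLoggedOn |
        Group-Object userId |
        ForEach-Object {
            $_.Group | Sort-Object { [datetime]$_.lastLogOnDateTime } -Descending | Select-Object -First 1
        } |
        Sort-Object { [datetime]$_.lastLogOnDateTime } -Descending
}

function Get-DeviceLogonUsers {
    param([Parameter(Mandatory)][string]$AzureAdDeviceId)
    $device = Get-IntuneDeviceByAadDeviceId -AzureAdDeviceId $AzureAdDeviceId
    Get-LatestLogonPerUser -UsersLoggedOn @($device.usersLoggedOn) | ForEach-Object {
        $entry = $_
        # A user deleted since the logon will 404 on /users/{id}; keep the row rather than dropping it.
        $upn = try {
            (Invoke-RestMethod -Method Get -Headers $Headers -Uri "https://graph.microsoft.com/v1.0/users/$($entry.userId)?`$select=userPrincipalName").userPrincipalName
        } catch {
            "<unresolved user $($entry.userId)>"
        }
        [pscustomobject]@{
            DeviceName        = $device.deviceName
            IntuneDeviceId    = $device.id
            UserPrincipalName = $upn
            LastLogOnDateTime = $entry.lastLogOnDateTime
        }
    }
}

# Constructed sample usersLoggedOn data (not real output) showing the duplicate shape from the post:
# user aaaa-1 appears twice because bbbb-2 signed in between the two logons.
$sample = @(
    [pscustomobject]@{ userId = 'aaaa-1'; lastLogOnDateTime = '2019-05-01T08:00:00Z' },
    [pscustomobject]@{ userId = 'bbbb-2'; lastLogOnDateTime = '2019-05-01T12:00:00Z' },
    [pscustomobject]@{ userId = 'aaaa-1'; lastLogOnDateTime = '2019-05-02T09:30:00Z' }
)
Get-LatestLogonPerUser -UsersLoggedOn $sample | Format-Table -AutoSize

# Live run (requires the token and a real Azure AD Device ID; placeholder below):
# Get-DeviceLogonUsers -AzureAdDeviceId '<AzureAdDeviceId>' | Format-Table -AutoSize
```

Run offline, the sample collapses to two rows, one per userId, each carrying that user's latest logon. The strict "exactly one managed device" check in Get-IntuneDeviceByAadDeviceId is deliberate: a device that was re-enrolled can leave a stale Intune record behind, and silently picking the first match would attribute logons to the wrong enrollment.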
I’m also very eager to learn from you, so if you’d like, feel free to share how you would tackle these or similar situations.
If you have any questions or feedback, please don’t hesitate to reach out to me using the comments section below, or on Twitter @jseerden.