Deep dive into sign-in activities for Azure AD and Intune managed devices
In Azure Active Directory, sign-in activity data is stored and retained for 30 days, provided your tenant has an Azure Active Directory Premium license associated with it.
You can leverage the Azure Active Directory sign-in activity reports to retrieve information, such as:
- Who attempted to sign in?
- Which application was the sign-in targeted at?
- Did the sign-in attempt succeed or fail?
- Was Multi-Factor Authentication required?
Now, most customers that I work with have a shared PC environment. In these kinds of environments, two questions I am often asked are:
- Can we see which device a user has signed in to?
- Can we see which users have signed into a particular device?
In this blog post, I’ll share how I’ve tackled these questions!
Can we see which device a user has signed in to?
What’s great about the sign-in activity reports in Azure Active Directory is that Device info is available for Azure AD Joined devices, which includes the Device ID of the device that a user has signed on to.
The Device ID is associated with an Azure AD device object, which you can search for with that ID in the Azure AD devices overview.
So when you paste the Device ID into the search field, it returns the device the user has signed in to!
Can we see which users have signed into a particular device?
I’ve been asked this question for instance when a device is missing from a certain location.
When someone you know has signed in to the missing device in the past 30 days, you can leverage the sign-in activity reports of that user to locate the Azure AD device object of the missing device.
Now, as far as I’m concerned, you have two options:
- You can view the per-device status of applied device configuration profiles or compliance policies, which lists the affected users for that device.
- Query Microsoft Graph for the windowsManagedDevice resource type to obtain the usersLoggedOn property, which lists the users that last logged on to the device.
For the second option, I’ve made the Get-GraphUsersLoggedOn PowerShell function available in the MSGraphFunctions PowerShell Module.
This function requires the Intune Device ID as its parameter value, but so far we only have the Azure AD Device ID. You can obtain the Intune Device ID from the Microsoft Intune management portal.
When you have the Intune device overview open, you can either grab the Intune Device ID from the URL, which looks similar to “https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Devices/DeviceSettingsBlade/overview/mdmDeviceId/77314818-25f1-4c36-8961-bf7eae665089”, or navigate to the Hardware blade and grab it from there.
If you don’t have the MSGraphFunctions PowerShell module yet, you can install it with the Install-Module -Name MSGraphFunctions cmdlet.
Then connect to Microsoft Graph with the Connect-Graph cmdlet.
After connecting, run the Get-GraphUsersLoggedOn -Id <IntuneDeviceId> PowerShell cmdlet to get a list of users that have signed in to the device in the past 30 days.
As the output shows, not only are the users that have logged on to the device returned, but their last logon date/time is included as well.
You’ll also notice that the same user can be reported more than once. A new entry is generated every time a user different from the previous user signs in to the device, and the old entry is no longer updated.
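The following PowerShell is an added example that is not part of the post and not code from the MSGraphFunctions module; it calls Microsoft Graph directly with Invoke-RestMethod so the underlying resources are visible. It answers both questions above end to end: Get-UserSignInDeviceIds pulls the Device IDs from a user’s sign-in log (auditLogs/signIns), and Get-DeviceLoggedOnUsers takes such an Azure AD Device ID, maps it to the Intune managed device through the azureADDeviceId property (filtering on that property is assumed to be supported), reads the beta usersLoggedOn property, and collapses the duplicated entries described above to one row per user with the most recent logon. It assumes $AccessToken already holds a Graph bearer token with AuditLog.Read.All, Directory.Read.All and DeviceManagementManagedDevices.Read.All; the function names and the sample UPN are this example’s own.

```powershell
# Added example; not from the post or the MSGraphFunctions module.
# Assumes $AccessToken holds a valid Microsoft Graph bearer token with
# AuditLog.Read.All, Directory.Read.All and DeviceManagementManagedDevices.Read.All.

$GraphV1   = 'https://graph.microsoft.com/v1.0'
$GraphBeta = 'https://graph.microsoft.com/beta'   # usersLoggedOn is only exposed in beta

function Invoke-GraphGet {
    # Minimal GET helper that follows @odata.nextLink paging and returns all items.
    param([Parameter(Mandatory)][string]$Uri)
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

function Get-UserSignInDeviceIds {
    # Question 1: which Azure AD Device IDs has this user signed in from?
    # Sign-ins without a device ID (unregistered devices) are skipped.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $uri = "$GraphV1/auditLogs/signIns?`$filter=userPrincipalName eq '$UserPrincipalName'"
    Invoke-GraphGet -Uri $uri |
        Where-Object { $_.deviceDetail.deviceId } |
        Group-Object { $_.deviceDetail.deviceId } |
        ForEach-Object {
            $latest = $_.Group | Sort-Object createdDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                AzureAdDeviceId = $_.Name
                DisplayName     = $latest.deviceDetail.displayName
                LastSignIn      = [datetime]$latest.createdDateTime
                SignInCount     = $_.Count
            }
        }
}

function Get-DeviceLoggedOnUsers {
    # Question 2: which users have signed in to the device with this Azure AD Device ID?
    # Maps the Azure AD Device ID to the Intune managed device (assumed: $filter on
    # azureADDeviceId is supported), then keeps one row per userId with the newest
    # lastLogOnDateTime, since usersLoggedOn repeats a user each time users alternate.
    param([Parameter(Mandatory)][string]$AzureAdDeviceId)
    $uri = "$GraphBeta/deviceManagement/managedDevices?`$filter=azureADDeviceId eq '$AzureAdDeviceId'&`$select=id,deviceName,usersLoggedOn"
    $device = Invoke-GraphGet -Uri $uri | Select-Object -First 1
    if (-not $device) { throw "No Intune managed device found with azureADDeviceId $AzureAdDeviceId" }

    $headers = @{ Authorization = "Bearer $AccessToken" }
    $device.usersLoggedOn |
        Group-Object userId |
        ForEach-Object {
            $latest = $_.Group | Sort-Object lastLogOnDateTime -Descending | Select-Object -First 1
            # usersLoggedOn only carries the user object ID; resolve it to a UPN for the report.
            $user = Invoke-RestMethod -Method Get -Headers $headers `
                -Uri "$GraphV1/users/$($_.Name)?`$select=userPrincipalName"
            [pscustomobject]@{
                IntuneDeviceId    = $device.id
                DeviceName        = $device.deviceName
                UserId            = $_.Name
                UserPrincipalName = $user.userPrincipalName
                LastLogOn         = [datetime]$latest.lastLogOnDateTime
                LogOnEntries      = $_.Count   # how many times Graph repeated this user
            }
        } | Sort-Object LastLogOn -Descending
}

# Usage (sample UPN is constructed):
# $AccessToken = '<bearer token>'
# Get-UserSignInDeviceIds -UserPrincipalName 'jane.doe@contoso.example'
# Get-DeviceLoggedOnUsers -AzureAdDeviceId '<AzureAdDeviceId from the previous output>'
```

LogOnEntries keeps the raw duplicate count visible, so a device where two people alternate frequently is easy to spot even though each user appears only once in the report.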
I’m also very eager to learn from you, so if you’d like, feel free to share how you would tackle these or similar situations.
If you have any questions or feedback, please don’t hesitate to reach out to me using the comments section below, or on Twitter @jseerden.
6 thoughts on “Deep dive into sign-in activities for Azure AD and Intune managed devices”
I did quite a mistake when rolling out our new MW-computers.
I didn’t realize the primary user when setting up the computer would be so hard locked to the computer. So I “helped” a lot of people by logging in with my user and setting things up then returned the computer to them.
Now, when I look at my “All Devices” in Intune it is full of devices that are not “mine”.
I just want an easy way to from that list get a record of who last logged in to a computer and call them and say “Sorry for the mess, but we will have to wipe your computer and let you do the install with your account”.
But I can’t believe how hard it is to see who the heck logged in last on a computer in Azure!
I have no clue how to proceed here.
The only other option I can really see is trying to remove devices randomly from my list of devices and see who calls and complains. . . not the best solution.
So how do I see who ACTUALLY LOGS ON to all the devices connected to me in Intune? Any Clues?
You can use the Get-GraphUsersLoggedOn cmdlet described in this post to view who logged on to an Intune Managed device.
Hope you didn’t wipe them, there is an option to change the main user now.
Actually, I just waited and lived with it until that function was released. It was a godsend when MS released it. 😀
On a sadder note, with Corona, a whole bunch of the people have been let go, and had to return their computers, so that “solved the problem” in those cases. :-/
Is this also possible with first connecting to another tenant? I’m managing several customer tenants from the Microsoft Partner Center. I’ve just downloaded the MSGraph module but I can only connect to my own tenant. Please provide (if possible) information on how to.
Sure, you can submit the -Credential parameter to use an account in a different tenant. You do need an account in that tenant though.