
Export Entra Audit Logs via PowerShell


I am trying to export the Microsoft Entra ID audit logs, specifically looking for the logs of all MFA/phone app updates or changes, so this log (or a portion of it) can be emailed to our sec ops team.

The values I have identified are:

Log file example:


My thought was to export the audit logs, then attach the CSV to an email:

# Date-only lower bound for the audit log query (yesterday)
$date = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')
$filename = Get-Date -Format "yyyy-MM-dd"
# Export the filtered audit entries straight to CSV (nested properties are not expanded here)
Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt $date" |
    Export-Csv -Path c:\install.tmp\$filename.csv

In the exported file, where I would expect the details I need, I only get:

[log file example](https://i.sstatic.net/vhHZ1.png)


Solution

  • I agree with @Santiago Squarzon: you can switch to the Microsoft Graph PowerShell commands, as the Azure AD module is about to be deprecated soon.

    Initially, I too got a similar response when I tried to export the audit logs directly, without iterating over the target resources:

    #Install-Module Microsoft.Graph
    Connect-MgGraph
    
    # Graph expects an ISO 8601 UTC timestamp in the OData filter
    $date = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filename = Get-Date -Format "yyyy-MM-dd"
    
    # Retrieve directory audit logs, filtering on authentication-method changes of users only
    $auditLogs = Get-MgAuditLogDirectoryAudit -Filter "LoggedByService eq 'Authentication Methods' and Category eq 'UserManagement' and activityDateTime ge $date"
    
    # Exporting the raw objects collapses nested collections (TargetResources, AdditionalDetails) to System.Object[]
    $auditLogs | Export-Csv -Path "c:\test_csv\$filename.csv"
    


    To resolve this, you can make use of the modified script below, which exports the data with the target resource details successfully, like this:

    # Delegated permissions required to read directory audit logs
    Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
    
    # Graph expects an ISO 8601 UTC timestamp in the OData filter
    $date = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filename = Get-Date -Format "yyyy-MM-dd"
    
    # -All follows the paging links so results beyond the first page are returned too
    $auditLogs = Get-MgAuditLogDirectoryAudit -All -Filter "LoggedByService eq 'Authentication Methods' and Category eq 'UserManagement' and activityDateTime ge $date"
    
    $formattedLogs = @()
    
    foreach ($log in $auditLogs) {
        # Rebuild the nested TargetResources entries as plain objects
        $targetResources = $log.TargetResources | ForEach-Object {
            [PSCustomObject]@{
                Id = $_.Id
                Type = $_.Type
                DisplayName = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
            }
        }
    
        # Same for the key/value pairs in AdditionalDetails
        $additionalDetails = $log.AdditionalDetails | ForEach-Object {
            [PSCustomObject]@{
                Key = $_.Key
                Value = $_.Value
            }
        }
    
        # One row per audit entry carrying the rebuilt nested data
        $formattedLog = [PSCustomObject]@{
            ActivityDateTime = $log.ActivityDateTime
            ActivityDisplayName = $log.ActivityDisplayName
            Category = $log.Category
            Result = $log.Result
            ResultReason = $log.ResultReason
            TargetResources = $targetResources
            AdditionalDetails = $additionalDetails
        }
        $formattedLogs += $formattedLog
    }
    
    $formattedLogs | Export-Csv -Path "c:\test_csv\$filename.csv" -NoTypeInformation
    

    Response:



    Reference: List directoryAudits - Microsoft Graph
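As an added example (not code from the question or the answer above), the following flattens each audit entry into one CSV row per target resource and joins ModifiedProperties and AdditionalDetails into delimited strings, so the MFA/phone-app change itself is readable in the CSV even when an entry has several target resources. It runs offline against a constructed sample object; the property names (InitiatedBy.User.UserPrincipalName, TargetResources[].ModifiedProperties) are assumed to match the shape of real Get-MgAuditLogDirectoryAudit output, and the tenant values are made up.

```powershell
# Constructed sample entry shaped like a Get-MgAuditLogDirectoryAudit object (not real tenant data)
$sampleLogs = @(
    [PSCustomObject]@{
        ActivityDateTime    = [datetime]'2024-05-01T09:15:00Z'
        ActivityDisplayName = 'Update user'
        Category            = 'UserManagement'
        Result              = 'success'
        ResultReason        = ''
        InitiatedBy         = [PSCustomObject]@{ User = [PSCustomObject]@{ UserPrincipalName = 'admin@contoso.example' } }
        TargetResources     = @(
            [PSCustomObject]@{
                Id = '00000000-0000-0000-0000-000000000001'; Type = 'User'
                DisplayName = 'Alice Example'; UserPrincipalName = 'alice@contoso.example'
                ModifiedProperties = @(
                    [PSCustomObject]@{ DisplayName = 'StrongAuthenticationPhoneAppDetail'; OldValue = '[]'; NewValue = '[{"DeviceName":"Pixel"}]' }
                )
            }
        )
        AdditionalDetails   = @([PSCustomObject]@{ Key = 'UserType'; Value = 'Member' })
    }
)

function ConvertTo-FlatAuditRow {
    # Emits one flat row per target resource; nested collections become delimited strings
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Log)
    process {
        $details = ($Log.AdditionalDetails | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        foreach ($target in $Log.TargetResources) {
            $changes = ($target.ModifiedProperties |
                ForEach-Object { "$($_.DisplayName): $($_.OldValue) -> $($_.NewValue)" }) -join ' | '
            [PSCustomObject]@{
                ActivityDateTime   = $Log.ActivityDateTime.ToUniversalTime().ToString('o')
                Activity           = $Log.ActivityDisplayName
                Result             = $Log.Result
                ResultReason       = $Log.ResultReason
                InitiatedBy        = $Log.InitiatedBy.User.UserPrincipalName
                TargetType         = $target.Type
                TargetDisplayName  = $target.DisplayName
                TargetUpn          = $target.UserPrincipalName
                ModifiedProperties = $changes
                AdditionalDetails  = $details
            }
        }
    }
}

# Flatten, then export; replace $sampleLogs with the Get-MgAuditLogDirectoryAudit output in production
$csvPath = Join-Path $env:TEMP 'entra-mfa-audit.csv'
$sampleLogs | ConvertTo-FlatAuditRow | Export-Csv -Path $csvPath -NoTypeInformation
```

The resulting CSV has an InitiatedBy column, which sec ops will want when reviewing who changed a user's MFA registration.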