AzureADLogs Powershell - audit when a user has been disable or enabled
So I am trying to find out the Azure AD logs via PowerShell, when a user has been enable or disabled, specially the date & time and preferably who did it as well.
I've tried using the follow, but I am not sure what I am supposed to be looking for.
Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2023-05-30" | SELECT *
or
Get-MgAuditLogSignIn -Filter "createdDateTime ge 2023-05-29T00:00:00Z and createdDateTime le 2023-06-03T00:00:00Z"
How can I filter to just when someone has been enabled or disabled?
I know how to find the disabled users with
Get-ADUser -Filter {Enabled -eq $False}
but I just need to know who and when they were disabled.
Whenever user account is enabled or disabled, it will be saved with Activity name as
Enable accountandDisable accountrespectively in Audit logs.
You can run below command to check who and when users are disabled:
Get-AzureADAuditDirectoryLogs -Filter "activityDisplayName eq 'Disable account' " | where-object Result -eq "Success" | fl
Response:
Similarly, you can run below command to check who and when users are enabled:
Get-AzureADAuditDirectoryLogs -Filter "activityDisplayName eq 'Enable account' " | where-object Result -eq "Success" | fl
Response:
To get the same results using Microsoft Graph PowerShell, you can check below commands:
Disabled users:
Import-Module Microsoft.Graph.Reports
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Disable account' and result eq 'Success'" | fl
Enabled users:
Import-Module Microsoft.Graph.Reports
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Enable account' and result eq 'Success'" | fl
- Optimizing a PowerShell Script
- Powershell hashmap: nested filtering
- How to `Import-Module` in PowerShell to parent session/process?
- `Invoke-Conda` cannot catch any arguments after powershell 7.5.0 update
- close and 'save as' for 100 of MS Paint files at once?
- Powershell profile.ps1 cannot be loaded because its operation is blocked by software restriction policies
- How can I capture the value of an untranslated SID in a Try/Catch code block?
- PowerShell .Count returns 1 on empty array
- How can I filter out text twice in Powershell?
- SharePoint | Delete Version History using PnP PowerShell
- WinRM cannot complete the operation. Verify that the specified computer name is valid
- Using start-process in a loop, where some programs will have arguments and some don't; Way to not have if $Arguments -ne $null
- How can I set left/right column justification in Powershell's "format-table"
- Invalid operands found for operator -eq
- Detect when user cancels $host.ui.promptforchoice prompt
- How can I make sure Powershell will correctly render all non-latin characters into the output?
- How can I choose between $MyInvocation.ScriptName and $MyInvocation.PSCommandPath in PowerShell?
- Azure pipeline template: dynamically retrieve and story keyvault secrets
- Maintaining property order with get-member
- PowerShell - Return an array of all possible properties for an ADObject
- List objects vs. Arrays in PowerShell
- Run Invoke-Command in remote computer as administrator
- Authenticate to Azure with certificate from Linux
- How to recursively append to file name in powershell?
- Mapped network drives are not showing in My Computer
- Delete files in a folder except a list of extensions I specify
- How to open 'This PC' using CMD or Powershell?
- transfer the files from sub folder and sub folders recursively without specifying the folder name
- Im creating a VM using terraform code in GCP. I would like to inject a script that runs when the vm is created upon startup
- Remove-ItemProperty does not seem to work with -LiteralPath