Tuesday, September 11, 2018

Auditing Office 365 user logins via PowerShell

image

One of the common audit requirements people have with Office 365 is to determine when their users successfully. and unsuccessfully logged into Office 365.

I’ve detailed how to do this in the web interface here:

Searching the Office 365 activity log for failed logins

but now you can find this script that I have made available that will report this via PowerShell:

https://github.com/directorcia/Office365/blob/master/o365-login-audit.ps1

In the variables area you will find three options for $operations like so:

$operation="userloginfailed","userloggedin" ## use this line to report all logins

##$operation="userloginfailed" ## use this line to report failed logins

##$operation="userloggedin" ## use this line to report successful logins

Only one of these should be uncommented. (the ## designates everything after it as a comment in PowerShell, just so you know).

image

The first option “userloginfailed”,”userloggedin” will give you all users logins between the dates you nominate as shown above. Any failed logins will be highlighted in red, successful ones are in green.

image

The second option, “userloginfailed” will just so failed logins for the period as shown above

The third option, “userloggedin” will just show successful logins for the period.

Those are the main variable to change to get different outputs, but make sure you read the whole script and set the other variables appropriately for your environment.

I’ll be improving the script over time so remember to check bag regularly but now you should be able to easily audit all your user logins to Office 365 using PowerShell.