About two years ago I created a free PowerShell script to report on tenant logins by checking the Unified Audit Log. You’ll find that original article here:
I’ve now updated the script and added some functionality as well. But before you go off and run the script, make sure you have completed the pre-requisites:
1. You’ll need to ensure that you have enabled your Unified Audit Logs in the tenant. You can see how to do that here:
2. Prior to running the script you will have needed to install the Exchange Online PowerShell module. To set up your PowerShell environment I suggest you check out:
3. Connect to Exchange Online with PowerShell. For that I recommend you use my script:
Once you have your PowerShell environment setup, you simply run the o365-connect-exov2.ps1 script as shown above.
That should result in you being connected to Exchange Online PowerShell as shown above.
At this point you can now run the o365-login-audit.ps1 script which you will find at:
That should output the list of user logins from the Unified Audit Log for the past day as shown. It will show you both successful and failed login attempts, the time they occurred, the IP that the login came from the user attempting the login as shown above.
If you instead run the o365-login-audit.ps1 script with the –fail parameter as shown above,
The output will only display failed login attempt details as shown above.
If you run the o365-login-audit.ps1 script with the –days parameter as shown above,
You will be prompted to enter the number of previous days you wish to check as shown above beyond the default one day. Remember, the more days you specify, the more logs need to be retrieved, and the longer the process will take.
The results will be displayed as before. You will notice the message line in the output to the total number of days being checked.
If you instead run the o365-login-audit.ps1 script with the –csv parameter as shown above,
You will notice the same output but you will also see a line, as shown above, that confirms the total results have also been sent to a CSV file.
if you look the parent directory, from where the script ran, you will find the CSV file (o365-login-audit.csv) mentioned previously as well as the script log file (o365-login-audit.txt).
The script log file (o365-login-audit.txt), as shown above, contains the output from what was displayed on the screen when you ran the script. This file is always overwritten when the script runs.
The CSV file contains all the log file entries for the period specified. This allows you to open the file in Excel and filter, sort and format as needed. A new CSV is created every time the script is run with the –csv option.
Thus, the o365-login-audit.ps1 script has 3 optional parameters, that can be used in any combination:
-fail = display only failed logins
-days = prompt for total number of days to check from current
-csv = output all logs for period to a CSV file in the parent directory. A new CSV file is created for each script execution
The script will also produce a log file (o365-login-audit.txt) in the parent directory, that is overwritten on the each run of the script.
You will find this script and all my publicly available scripts at:
Don’t forget to check back there regularly for updates. Also, if you have any feedback or suggestion on this script or what you’d like to see me create, please let me know. I also maintain a large array of additional scripts via a paid subscription. More details of that can be found at www.ciaopspatron.com.