How to use Get-MgAuditLogSignIn in PowerShell
Tracking sign-in activity is essential for security and compliance, and that’s where the Get-MgAuditLogSignIn cmdlet comes in.
Whether you’re investigating failed login attempts, checking who accessed a specific app, or monitoring unusual activity, this PowerShell command lets you pull detailed sign-in logs from Microsoft Entra.
In this guide, we’ll cover everything you need to know—from what the cmdlet does to how to use it effectively and troubleshoot any issues.
What is Get-MgAuditLogSignIn in PowerShell?
Get-MgAuditLogSignIn is a PowerShell cmdlet from the Microsoft Graph PowerShell SDK. It retrieves Azure AD (now Entra ID) sign-in logs, providing details on user and application sign-in activity within an organization.
The command captures interactive logins, where credentials are entered, as well as successful federated sign-ins. This cmdlet is useful for IT admins and security teams who need to monitor authentication activity, investigate suspicious logins, or audit access patterns.
Here’s the syntax of Get-MgAuditLogSignIn:
Get-MgAuditLogSignIn [-ExpandProperty <String[]>] [-Property <String[]>] [-Filter <String>] [-Search <String>] [-Skip <Int32>] [-Sort <String[]>] [-Top <Int32>] [-ResponseHeadersVariable <String>] [-Headers <IDictionary>] [-PageSize <Int32>] [-All] [-CountVariable <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
What Can You Do with The Get-MgAuditLogSignIn Cmdlet?
The Get-MgAuditLogSignIn cmdlet is a powerful tool when used correctly. Let’s take a look at three things you can do with it:
- Monitor Login Activity: You can retrieve a complete list of sign-ins across your tenant to see when and where users are logging in. This helps with general monitoring and understanding of usage patterns.
- Investigate Suspicious Sign-Ins: If you suspect unauthorized access, you can filter sign-in logs by user, app or IP address to spot unusual activity, such as logins from unexpected locations or failed authentication attempts.
- Audit Application Access: By filtering sign-in events by application name, you can track which apps users are accessing the most. This is useful for reviewing security policies, identifying underused apps or ensuring compliance with company policies.
Prerequisites for Using Get-MgAuditLogSignIn
Before you can start using the Get-MgAuditLogSignIn cmdlet, you need to have a few things in place:
- Microsoft Graph PowerShell Module: This cmdlet is part of the Microsoft.Graph.Reports module, so you’ll need to install and import the Microsoft Graph PowerShell SDK if you haven’t already.
- Proper Permissions: This command requires an application-level permission, specifically AuditLog.Read.All or Directory.Read.All. Delegated permissions (for individual users) aren’t supported, meaning you’ll need an app registration in Entra ID with the right API permissions.
- Admin Access: Since this cmdlet retrieves sensitive sign-in data, you must be a Global Administrator, Security Administrator or hold another role with the necessary audit log access. Without the right role, even having permissions won’t be enough to run it.
Once you meet these requirements, you’ll be able to query sign-in logs and analyze authentication events across your organization.
How to Use The Get-MgAuditLogSignIn Command: A Step-by-Step Guide
Now that you know what you can use Get-MgAuditLogSignIn for, let’s learn how to use it in just four quick steps!
Step 1: Connect to Microsoft Graph PowerShell
Before running any Microsoft Graph PowerShell commands, you need to establish a connection. Open PowerShell and run this command:
Connect-MgGraph -Scopes "AuditLog.Read.All"
This command prompts you to sign in with an account that has the necessary permissions.
Make sure your account has either AuditLog.Read.All or Directory.Read.All permissions, as delegated access isn’t supported for this cmdlet.
Step 2: Retrieve All Sign-In Logs With Get-MgAuditLogSignIn
Once connected, you can fetch all sign-in records with a simple command:
Get-MgAuditLogSignIn
This returns a complete list of user sign-ins, showing who signed in, from where, and using which authentication method. If your organization has a lot of sign-in activity, this list might be overwhelming, so you’ll likely want to filter it.
Step 3: Filter Results to Find Relevant Sign-Ins
To narrow the results (if needed), you can use filters. For example, to see only sign-ins related to applications whose names start with "Graph," use:
Get-MgAuditLogSignIn -Filter "startsWith(appDisplayName,'Graph')" -Top 10
You can also filter by user, IP address, or authentication type. For instance, to check sign-ins for a specific user, you’d run:
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@meetingroom365.com'"
This is useful when investigating login issues, tracking access to specific applications or identifying potential security concerns.
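For the investigation use case, here is an added example (not code from the original article) that groups failed sign-ins by user and reports the failure count, distinct source IPs and error codes. The names Get-FailedSignInSummary, -MinFailures and New-SampleSignIn are hypothetical, and the sample records are constructed for illustration.

```powershell
# Added example. Get-FailedSignInSummary and -MinFailures are hypothetical names.
function Get-FailedSignInSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object]$SignIn,
        [int]$MinFailures = 3
    )
    begin { $failed = [System.Collections.Generic.List[object]]::new() }
    process {
        # Status.ErrorCode is 0 for a successful sign-in.
        if ($SignIn.Status.ErrorCode -ne 0) { $failed.Add($SignIn) }
    }
    end {
        $failed | Group-Object -Property UserPrincipalName |
            Where-Object { $_.Count -ge $MinFailures } |
            ForEach-Object {
                $times = @($_.Group.CreatedDateTime | Sort-Object)
                [pscustomobject]@{
                    UserPrincipalName = $_.Name
                    Failures          = $_.Count
                    DistinctIPs       = @($_.Group.IpAddress | Sort-Object -Unique).Count
                    ErrorCodes        = @($_.Group.Status.ErrorCode | Sort-Object -Unique) -join ';'
                    FirstSeen         = $times[0]
                    LastSeen          = $times[-1]
                }
            } | Sort-Object -Property Failures -Descending
    }
}

# Constructed sample records shaped like the cmdlet's output (offline demo).
function New-SampleSignIn($Upn, $Ip, $Minute, $Code) {
    [pscustomobject]@{
        UserPrincipalName = $Upn; IpAddress = $Ip
        CreatedDateTime   = ([datetime]'2025-01-15T08:00:00').AddMinutes($Minute)
        Status            = [pscustomobject]@{ ErrorCode = $Code }
    }
}
$sample = @(
    New-SampleSignIn 'alice@example.com' '203.0.113.10' 0 50126
    New-SampleSignIn 'alice@example.com' '203.0.113.11' 1 50126
    New-SampleSignIn 'alice@example.com' '198.51.100.7' 2 50053
    New-SampleSignIn 'alice@example.com' '192.0.2.20'   9 0
    New-SampleSignIn 'bob@example.com'   '192.0.2.21'   3 50126
)
$sample | Get-FailedSignInSummary -MinFailures 3

# Live use, after Connect-MgGraph as in Step 1 (last 24 hours):
# $since = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | Get-FailedSignInSummary
```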
Step 4: Export Sign-In Logs for Further Analysis
If you need to review sign-in data later or share it with your security team, exporting the results to a CSV file is a good option. You can do this by running:
Get-MgAuditLogSignIn | Export-Csv -Path "C:\SignInLogs.csv" -NoTypeInformation
This saves the log data to a CSV file that you can open in Excel for deeper analysis. You can also apply sorting and filtering options within PowerShell before exporting to refine your dataset.
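Export-Csv writes nested properties such as Status and Location as .NET type names rather than their values. This added example (not from the original article) flattens each record first and prefixes any cell that a spreadsheet would evaluate as a formula. ConvertTo-FlatSignIn and Protect-CsvCell are hypothetical helper names, and the sample record is constructed for illustration.

```powershell
# Added example. ConvertTo-FlatSignIn and Protect-CsvCell are hypothetical names.
function Protect-CsvCell {
    param([string]$Value)
    # Prefix cells that a spreadsheet would evaluate as a formula.
    if ($Value -match '^[=+\-@]') { return "'" + $Value }
    return $Value
}

function ConvertTo-FlatSignIn {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object]$SignIn)
    process {
        [pscustomobject]@{
            CreatedDateTime   = '{0:o}' -f $SignIn.CreatedDateTime
            UserPrincipalName = Protect-CsvCell $SignIn.UserPrincipalName
            AppDisplayName    = Protect-CsvCell $SignIn.AppDisplayName
            IpAddress         = $SignIn.IpAddress
            ClientAppUsed     = Protect-CsvCell $SignIn.ClientAppUsed
            ErrorCode         = $SignIn.Status.ErrorCode
            FailureReason     = Protect-CsvCell $SignIn.Status.FailureReason
            City              = Protect-CsvCell $SignIn.Location.City
            CountryOrRegion   = $SignIn.Location.CountryOrRegion
        }
    }
}

# Constructed sample record shaped like the cmdlet's output (offline demo).
$sample = [pscustomobject]@{
    CreatedDateTime   = [datetime]'2025-01-15T08:00:00Z'
    UserPrincipalName = '=test@example.com'
    AppDisplayName    = 'Graph Explorer'
    IpAddress         = '203.0.113.10'
    ClientAppUsed     = 'Browser'
    Status            = [pscustomobject]@{ ErrorCode = 50126; FailureReason = 'Invalid username or password.' }
    Location          = [pscustomobject]@{ City = 'Lisbon'; CountryOrRegion = 'PT' }
}
$sample | ConvertTo-FlatSignIn | ConvertTo-Csv -NoTypeInformation

# Live use, after Connect-MgGraph as in Step 1:
# Get-MgAuditLogSignIn -Top 100 | ConvertTo-FlatSignIn |
#     Export-Csv -Path "C:\SignInLogs.csv" -NoTypeInformation
```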
Troubleshooting: What to Do If Get-MgAuditLogSignIn Doesn’t Work
If Get-MgAuditLogSignIn isn’t returning results or is throwing errors, don’t worry: there are a few common reasons why this might happen. Here’s how to troubleshoot and fix the issue.
- Check Your Microsoft Graph Connection: Run Get-MgContext to verify that you're connected. If it returns nothing or an error, you’re not signed in. Use Connect-MgGraph -Scopes "AuditLog.Read.All" to establish a connection, and make sure you’re using an account with access to audit logs.
- Verify Your Permissions: This cmdlet requires AuditLog.Read.All or Directory.Read.All permissions, and delegated permissions won’t work. To check if your account has the right level of access, run Get-MgUser | Select DisplayName,UserPrincipalName,AssignedLicenses. If you don’t see an admin role or the necessary license, ask your IT administrator to assign the correct permissions.
- Ensure Sign-In Logs Are Available: If the command runs but returns no data, there might not be any sign-in logs within the timeframe you specified. Microsoft Entra retains logs for 30 days by default.
Maximizing Sign-In Visibility with Get-MgAuditLogSignIn
The Get-MgAuditLogSignIn cmdlet is a powerful tool for keeping track of sign-in activity in your Microsoft Entra environment.
Whether you're monitoring access for security purposes, troubleshooting login failures, or analyzing trends, this command gives you the visibility you need.
By setting up correctly, using the proper filters, and troubleshooting issues effectively, you can maximize the value of this cmdlet and maintain control over your organization's authentication data.