Azure AD reporting APIs are now available

I’m a bit late to the party due to the holiday season, but this is important enough to cover even with delay. ​The Azure AD auditing and activity logging functionality was announced almost a year back on the AD team blog. The reports were however only available via the Azure portal, so while they provided a very useful and much, much needed information, we have been patiently waiting on the APIs that allow for programmatic access to them.

I won’t go in much details on how to actually access the reports, as the blog post and the Azure documentation covers this in details. It’s simple enough – create a custom web app and grant it read access to your Azure AD data, then use the REST APIs to authenticate to it via OAuth and get the reports. Here’s a little bonus for reading the post however – the signInsFromMultipleGeographiesEvents report allows you to actually obtain the IP address from which the login attempt was made, something that is *not* exposed in the same report when using the Azure portal. It’s added as the last part of the Id value, here’s an example:

$myReport = (Invoke-WebRequest -Headers $headerParams -Uri https://graph.windows.net/$tenantdomain/reports/signInsFromMultipleGeographiesEvents?api-version=beta)

($myReport.Content | ConvertFrom-Json).value

firstSignInFrom : Grenoble, Isere, FR
secondSignInFrom : Troitsa, Shumen, BG
timeOfSecondSignIn : 2015-06-25T06:59:53Z
timeBetweenSignIns : 00:10:36
estimatedTravelHours : 3
id : 2015-06-25T06:59:53.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3395.251.6.115
displayName : Vasil Michev
userName : xxx@michev.info


firstSignInFrom : Troitsa, Shumen, BG
secondSignInFrom : Grenoble, Isere, FR
timeOfSecondSignIn : 2015-06-25T06:46:45Z
timeBetweenSignIns : 00:33:46
estimatedTravelHours : 3
id : 2015-06-25T06:46:45.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3315.203.169.123
displayName : Vasil Michev
userName : xxx@michev.info

To get the IP information:

($myReport.Content | ConvertFrom-Json).value | select Id,@{n="IP";e={$_.Id.Split("-")[-1][28..50] -join ""}}

Id IP
— —
2015-06-25T06:59:53.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3395.111.6.187 95.251.6.115
2015-06-25T06:46:45.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3315.203.169.123 15.203.169.123

With the APIs now available, it will not take long for the vital data in those reports to be incorporated in different security and monitoring suites. This will undoubtedly be a great benefit for every O365 enterprise customer. And they will be even happier if/when the User activity reports is integrated as well, which is probably my only concern with this Preview.

This entry was posted in Azure AD, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *