Azure AD reporting APIs are now available

I’m a bit late to the party due to the holiday season, but this is important enough to cover even with delay. ​The Azure AD auditing and activity logging functionality was announced almost a year back on the AD team blog. The reports were however only available via the Azure portal, so while they provided a very useful and much, much needed information, we have been patiently waiting on the APIs that allow for programmatic access to them.

I won’t go in much details on how to actually access the reports, as the blog post and the Azure documentation covers this in details. It’s simple enough – create a custom web app and grant it read access to your Azure AD data, then use the REST APIs to authenticate to it via OAuth and get the reports. Here’s a little bonus for reading the post however – the signInsFromMultipleGeographiesEvents report allows you to actually obtain the IP address from which the login attempt was made, something that is *not* exposed in the same report when using the Azure portal. It’s added as the last part of the Id value, here’s an example:

$myReport = (Invoke-WebRequest -Headers $headerParams -Uri$tenantdomain/reports/signInsFromMultipleGeographiesEvents?api-version=beta)

($myReport.Content | ConvertFrom-Json).value

firstSignInFrom : Grenoble, Isere, FR
secondSignInFrom : Troitsa, Shumen, BG
timeOfSecondSignIn : 2015-06-25T06:59:53Z
timeBetweenSignIns : 00:10:36
estimatedTravelHours : 3
id : 2015-06-25T06:59:53.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3395.251.6.115
displayName : Vasil Michev
userName :

firstSignInFrom : Troitsa, Shumen, BG
secondSignInFrom : Grenoble, Isere, FR
timeOfSecondSignIn : 2015-06-25T06:46:45Z
timeBetweenSignIns : 00:33:46
estimatedTravelHours : 3
id : 2015-06-25T06:46:45.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3315.203.169.123
displayName : Vasil Michev
userName :

To get the IP information:

($myReport.Content | ConvertFrom-Json).value | select Id,@{n="IP";e={$_.Id.Split("-")[-1][28..50] -join ""}}

— —

With the APIs now available, it will not take long for the vital data in those reports to be incorporated in different security and monitoring suites. This will undoubtedly be a great benefit for every O365 enterprise customer. And they will be even happier if/when the User activity reports is integrated as well, which is probably my only concern with this Preview.

This entry was posted in Azure AD, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *