I’m a bit late to the party due to the holiday season, but this is important enough to cover even with a delay. The Azure AD auditing and activity logging functionality was announced almost a year ago on the AD team blog. However, the reports were only available via the Azure portal, so while they provided very useful and much, much needed information, we have been patiently waiting for the APIs that allow programmatic access to them.
I won’t go into much detail on how to actually access the reports, as the blog post and the Azure documentation cover this in detail. It’s simple enough – create a custom web app and grant it read access to your Azure AD data, then use the REST APIs to authenticate to it via OAuth and get the reports. Here’s a little bonus for reading the post, however – the signInsFromMultipleGeographiesEvents report allows you to actually obtain the IP address from which the login attempt was made, something that is *not* exposed in the same report when using the Azure portal. It’s added as the last part of the Id value; here’s an example:
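```powershell
# $headerParams carries the OAuth bearer token; $tenantdomain is your tenant's domain name
$myReport = (Invoke-WebRequest -Headers $headerParams -Uri "https://graph.windows.net/$tenantdomain/reports/signInsFromMultipleGeographiesEvents?api-version=beta")
# The report entries are in the "value" array of the JSON response
($myReport.Content | ConvertFrom-Json).value
```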
```
firstSignInFrom      : Grenoble, Isere, FR
secondSignInFrom     : Troitsa, Shumen, BG
timeOfSecondSignIn   : 2015-06-25T06:59:53Z
timeBetweenSignIns   : 00:10:36
estimatedTravelHours : 3
id                   : 2015-06-25T06:59:53.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3395.251.6.115
displayName          : Vasil Michev
userName             : xxx@michev.info

firstSignInFrom      : Troitsa, Shumen, BG
secondSignInFrom     : Grenoble, Isere, FR
timeOfSecondSignIn   : 2015-06-25T06:46:45Z
timeBetweenSignIns   : 00:33:46
estimatedTravelHours : 3
id                   : 2015-06-25T06:46:45.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3315.203.169.123
displayName          : Vasil Michev
userName             : xxx@michev.info
```
To get the IP information:
```powershell
($myReport.Content | ConvertFrom-Json).value | select Id,@{n="IP";e={$_.Id.Split("-")[-1][28..50] -join ""}}
```
```
Id                                                                                             IP
--                                                                                             --
2015-06-25T06:59:53.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3395.111.6.187    95.251.6.115
2015-06-25T06:46:45.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3315.203.169.123  15.203.169.123
```
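A stricter way to pull the address out, as an added example that is not part of the original post: it validates the trailing value with `[System.Net.IPAddress]::TryParse` and flags any Id that does not fit, instead of relying on fixed character offsets. It assumes the Id is laid out as timestamp, GUID, 16 hex characters and then the IP (inferred only from the sample output above); the helper name `Get-SignInIdParts` is hypothetical.

```powershell
# Added example (not from the original post).
# Assumed Id layout, inferred only from the sample output above:
#   timestamp (27 chars) + GUID (36 chars) + 16 hex chars + client IP
$IdPattern = '^(?<Time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{7})' +
             '(?<Guid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})' +
             '(?<Hex>[0-9a-f]{16})' +
             '(?<IP>.+)$'

function Get-SignInIdParts {    # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Id
    )
    process {
        $address = $null
        # -match is case-insensitive, so upper-case hex digits are accepted.
        # The fixed-width groups keep the hex field from swallowing IP digits.
        $ok = ($Id -match $IdPattern) -and
              [System.Net.IPAddress]::TryParse($Matches['IP'], [ref]$address)
        if (-not $ok) {
            # Do not guess: surface Ids that break the assumed layout.
            Write-Warning "Unexpected Id layout: $Id"
        }
        [pscustomobject]@{
            Time   = if ($ok) { $Matches['Time'] } else { $null }
            IP     = if ($ok) { $address.ToString() } else { $null }
            Family = if ($ok) { $address.AddressFamily } else { $null }
            Parsed = $ok
        }
    }
}

# The first two Ids are copied from the report output above;
# the third is a constructed malformed value to show the failure path.
$sampleIds = @(
    '2015-06-25T06:59:53.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3395.251.6.115'
    '2015-06-25T06:46:45.0000000923712ba-352a-4eda-bece-09d0684d0cfb10030000877FCB3315.203.169.123'
    '2015-06-25T06:46:45.0000000-truncated'
)
$sampleIds | Get-SignInIdParts | Format-Table -AutoSize
```

Against live data, pipe `($myReport.Content | ConvertFrom-Json).value.id` into the function and review any row where `Parsed` is false before feeding the addresses to a monitoring tool.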
With the APIs now available, it will not take long for the vital data in those reports to be incorporated into different security and monitoring suites. This will undoubtedly be a great benefit for every O365 enterprise customer. And they will be even happier if/when the User activity reports are integrated as well, which is probably my only concern with this Preview.