Microsoft.Entra.Reports-Help.xml
|
<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml" xmlns="http://msh"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Enable-EntraAzureADAlias</command:name> <command:verb>Enable</command:verb> <command:noun>EntraAzureADAlias</command:noun> <maml:description> <maml:para>Enables aliases for AzureAD commands.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Enables Azure AD command aliases in the current PowerShell session.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Enable-EntraAzureADAlias</maml:name> </command:syntaxItem> </command:syntax> <command:parameters /> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>------------------ Example 1: Enable aliasing ------------------</maml:title> <dev:code>Enable-EntraAzureADAlias</dev:code> <dev:remarks> <maml:para>Enables all Azure AD prefixes for the current PowerShell session.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://learn.microsoft.com/powershell/module/Microsoft.Entra.Reports/Enable-EntraAzureADAlias</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-EntraAuditDirectoryLog</command:name> <command:verb>Get</command:verb> <command:noun>EntraAuditDirectoryLog</command:noun> <maml:description> <maml:para>Get directory audit logs.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>The `Get-EntraAuditDirectoryLog` cmdlet gets a Microsoft Entra ID audit log.</maml:para> <maml:para>Retrieve audit logs from Microsoft Entra ID, covering logs from various services such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management.</maml:para> <maml:para>In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:</maml:para> <maml:para>- Reports Reader</maml:para> <maml:para>- Security Administrator</maml:para> <maml:para>- Security Reader</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-EntraAuditDirectoryLog</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="Limit"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Select"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Management.Automation.SwitchParameter</command:parameterValue> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="Limit"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Select"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para>`Get-EntraAuditDirectoryLogs` is an alias for `Get-EntraAuditDirectoryLog`.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>------------------- Example 1: Get all logs -------------------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' Get-EntraAuditDirectoryLog -All Id ActivityDateTime ActivityDisplayName Category CorrelationId -- ---------------- ------------------- -------- ------------- Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 17/07/2024 08:55:34 Add service principal ApplicationManagement aaaa0000-bb11-2222-33cc-444444dddddd Directory_bbbbbbbb-1111-2222-3333-cccccccccccc 17/07/2024 07:31:54 Update user UserManagement bbbb1111-cc22-3333-44dd-555555eeeeee SSGM_cccccccc-2222-3333-4444-dddddddddddd 17/07/2024 07:13:08 GroupsODataV4_GetgroupLifecyclePolicies GroupManagement cccc2222-dd33-4444-55ee-666666ffffff</dev:code> <dev:remarks> <maml:para>This command gets all audit logs.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>--------- Example 2: List audit logs of group creation ---------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' $groupId = (Get-EntraGroup -SearchString 'Woodgrove DevOps').Id Get-EntraAuditDirectoryLog -Filter " activityDisplayName eq 'Add group' and targetResources/any(r:r/id eq '$groupId')" Id ActivityDateTime ActivityDisplayName Category CorrelationId LoggedByService OperationType Result ResultReason -- ---------------- ------------------- -------- ------------- --------------- ------------- ------ ------------ Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 03/06/2025 22:22:17 Add group GroupManagement aaaa0000-bb11-2222-33cc-444444dddddd Core Directory Add success</dev:code> <dev:remarks> <maml:para>This command gets all audit logs of group creation.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>----- Example 3: Retrieve recent group creation audit logs -----</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' Get-EntraAuditDirectoryLog -Filter "activityDisplayName eq 'Add group'" -Limit 5 | Select-Object id, activityDateTime, @{Name="InitiatedByUPN"; Expression={ $_.initiatedBy.user.userPrincipalName }}, result, @{Name="GroupDisplayName"; Expression={ $_.targetResources[0].displayName }} | Format-Table -AutoSize Id ActivityDateTime InitiatedByUPN Result GroupDisplayName -- ---------------- -------------- ------ ---------------- Directory_11111111-2222-3333-4444-555555555555 03/07/2025 18:30:45 admin@contoso.com success Woodgrove Developers Directory_aaaa0000-bb11-2222-33cc-444444dddddd 03/06/2025 22:22:17 user1@contoso.com success Woodgrove DevOps Directory_99999999-8888-7777-6666-555555555555 03/05/2025 15:10:12 admin2@contoso.com success Security Team</dev:code> <dev:remarks> <maml:para>This command retrieves recent group creation audit logs.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>- Example 4: Show user's updated authentication method details -</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' $userId = (Get-EntraUser -UserId 'sawyerM@contoso.com').Id Get-EntraAuditDirectoryLog -Filter "category eq 'UserManagement' and LoggedByService eq 'Authentication Methods' and targetResources/any(r:r/id eq '$userId')" Id ActivityDateTime ActivityDisplayName Category CorrelationId LoggedByService OperationType Result ResultReason -- ---------------- ------------------- -------- ------------- --------------- ------------- ------ ------------ Authentication Methods_{GUID} 02/17/2025 13:20:08 User registered security info UserManagement aaaa0000-bb11-2222-33cc-444444dddddd Authentication Methods ServiceApi success User registered Fido2 Authentication Method Authentication Methods_{GUID} 02/17/2025 13:19:57 Get passkey creation options UserManagement bbbb1111-cc22-3333-44dd-555555eeeeee Authentication Methods ServiceApi success Successfully retrieved passkey creation options. Authentication Methods_{GUID} 02/15/2025 17:38:02 User registered security info UserManagement cccc2222-dd33-4444-55ee-666666ffffff Authentication Methods ServiceApi success User registered temporary access pass method</dev:code> <dev:remarks> <maml:para>This command retrieves user's updated authentication method details.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------- Example 5: List quarantined provisioning jobs --------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' Get-EntraAuditDirectoryLog -Filter "activityDisplayName eq 'Quarantine'" -Limit 1 | Select-Object Id, ActivityDateTime, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, @{Name="InitiatedByDisplayName"; Expression={ $_.targetResources[0].displayName }} id : Sync_{GUID} activityDateTime : 02/14/2025 04:23:38 activityDisplayName : Quarantine category : ProvisioningManagement loggedByService : Account Provisioning result : failure resultReason : This run profile is being quarantined because of: EncounteredQuarantineException; Error: Your ServiceNow credentials are invalid. Please obtain valid ServiceNow credentials, navigate to your ServiceNow enterprise application in the Azure Portal, and ente r those details in the admin credentials section of the provisioning configuration page. For directions on how to input credentials into your application, review the tutorial specific to ServiceNow found here: https://docs.microsoft.com/en-us/azure/activ e-directory/saas-apps/servicenow-provisioning-tutorial InitiatedByDisplayName : ServiceNow</dev:code> <dev:remarks> <maml:para>This command retrieves quarantined provisioning jobs.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>----------------- Example 6: Get first n logs -----------------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' Get-EntraAuditDirectoryLog -Top 1 Id ActivityDateTime ActivityDisplayName Category CorrelationId LoggedB yServic e -- ---------------- ------------------- -------- ------------- ------- Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb_8IAPT_617717139 17/07/2024 08:55:34 Add service principal ApplicationManagement aaaa0000-bb11-2222-33cc-444444dddddd Core...</dev:code> <dev:remarks> <maml:para>This example returns the first N logs. You can use `-Limit` as an alias for `-Top`.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 7: Get audit logs containing a given ActivityDisplayName</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' Get-EntraAuditDirectoryLog -Filter "ActivityDisplayName eq 'Update rollout policy of feature'" -Top 1 Id ActivityDateTime ActivityDisplayName Category CorrelationId -- ---------------- ------------------- -------- ------------- Application Proxy_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 16/07/2024 05:13:49 Update rollout policy of feature Authentication aaaa0000-bb11-2222-33cc-444444dddddd</dev:code> <dev:remarks> <maml:para>This command shows how to get audit logs by ActivityDisplayName. You can use `-Limit` as an alias for `-Top`.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>------ Example 8: Get all audit logs with a given result ------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' Get-EntraAuditDirectoryLog -Filter "result eq 'failure'" -All</dev:code> <dev:remarks> <maml:para>This command shows how to get audit logs by the result.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>------- Example 9: Show when users were added to a group -------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All' $groupId = (Get-EntraGroup -SearchString 'Contoso Group').Id Get-EntraAuditDirectoryLog -Filter " activityDisplayName eq 'Add member to group' and targetResources/any(r:r/type eq 'User') and targetResources/any(r:r/id eq '$groupId' and r/type eq 'Group')" Id ActivityDateTime ActivityDisplayName Category CorrelationId LoggedByService OperationType Result ResultReason -- ---------------- ------------------- -------- ------------- --------------- ------------- ------ ------------ Directory_{GUID} 03/07/2025 23:16:31 Add member to group GroupManagement aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Core Directory Assign success</dev:code> <dev:remarks> <maml:para>This command shows when users were added to a group.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://learn.microsoft.com/powershell/module/Microsoft.Entra/Get-EntraAuditDirectoryLog</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-EntraAuditSignInLog</command:name> <command:verb>Get</command:verb> <command:noun>EntraAuditSignInLog</command:noun> <maml:description> <maml:para>Get audit logs of sign-ins.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>The `Get-EntraAuditSignInLog` cmdlet gets the Microsoft Entra ID sign-in log.</maml:para> <maml:para>In addition to delegated permissions, the signed-in user must belong to at least one of the following Microsoft Entra roles to read sign-in reports:</maml:para> <maml:para>- Global Reader</maml:para> <maml:para>- Reports Reader</maml:para> <maml:para>- Security Administrator</maml:para> <maml:para>- Security Operator</maml:para> <maml:para>- Security Reader</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-EntraAuditSignInLog</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Id"> <maml:name>SignInId</maml:name> <maml:description> <maml:para>Specifies unique ID of the Audit Log.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="Limit"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Select"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Id"> <maml:name>SignInId</maml:name> <maml:description> <maml:para>Specifies unique ID of the Audit Log.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Management.Automation.SwitchParameter</command:parameterValue> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="Limit"> <maml:name>Top</maml:name> <maml:description> <maml:para>The maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>The OData v4.0 filter statement. Controls which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Select"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para>`Get-EntraAuditSignInLogs` is an alias for `Get-EntraAuditSignInLog`.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>------------------- Example 1: Get all logs -------------------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' Get-EntraAuditSignInLog -All Id AppDisplayName AppId AppTokenProtectionStatus AuthenticationMethodsUsed AuthenticationProtocol -- -------------- ----- ------------------------ ------------------------- ---------------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Azure Active Directory PowerShell 00001111-aaaa-2222-bbbb-3333cccc4444 {} none bbbbbbbb-1111-2222-3333-cccccccccccc Azure Portal 11112222-bbbb-3333-cccc-4444dddd5555 {} none cccccccc-2222-3333-4444-dddddddddddd Azure Active Directory PowerShell 22223333-cccc-4444-dddd-5555eeee6666 {} none dddddddd-3333-4444-5555-eeeeeeeeeeee Azure Active Directory PowerShell 33334444-dddd-5555-eeee-6666ffff7777 {} none</dev:code> <dev:remarks> <maml:para>This example returns all audit logs of sign-ins.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>- Example 2: List sign-ins failing Conditional Access policies -</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' Get-EntraAuditSignInLog -Filter "conditionalAccessStatus eq 'failure'" -Limit 10 | Select-Object id, userDisplayName, createdDateTime, appDisplayName, status id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb userDisplayName : Saywer Miller createdDateTime : 03/08/2025 04:03:14 appDisplayName : Microsoft Edge status : @{errorCode=50158; failureReason=External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.; additionalDetails=The user is required to satisfy additional require ments before finishing authentication, and was redirected to another page (such as terms of use or a third party MFA provider). This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that this challenge was succ esfully passed or failed.}</dev:code> <dev:remarks> <maml:para>This example returns all audit logs of sign-ins failing Conditional Access policies.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>----- Example 3: List sign-ins from non-compliant devices -----</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' Get-EntraAuditSignInLog -Filter "deviceDetail/isCompliant eq false" -Top 1 | Select-Object id, userDisplayName, appDisplayName, clientAppUsed, conditionalAccessStatus, deviceDetail, status id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb userDisplayName : Sawyer Miller appDisplayName : Security Copilot clientAppUsed : Browser conditionalAccessStatus : success deviceDetail : @{operatingSystem=Windows10; trustType=Azure AD registered; 22223333-cccc-4444-dddd-5555eeee6666; isCompliant=False; isManaged=False; browser=Edge 133.0.0; displayName=devbox} status : @{errorCode=50011; failureReason=The {redirectTerm} '{replyAddress}' specified in the request does not match the {redirectTerm}s configured for the application '{identifier}'. Make sure the {redirectTerm} sent in the request matches one added to your ap plication in the Azure portal. Navigate to {akamsLink} to learn more about how to fix this. {detail}; additionalDetails=Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.}</dev:code> <dev:remarks> <maml:para>This example returns all audit logs of sign-ins from non-compliant devices.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 4: List sign-in failures due to a specific Conditional Access policy</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' $policyId = "dcf66a39-965f-4958-871f-f62613b6cabd" Get-EntraAuditSignInLog -Filter " conditionalAccessStatus eq 'failure' and appliedConditionalAccessPolicies/any(c:c/id eq '$policyId' and c/result eq 'failure')" -Limit 1 | Select-Object id, userDisplayName, appDisplayName, clientAppUsed, conditionalAccessStatus, status, appliedConditionalAccessPolicies id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb userDisplayName : ASawyer Miller appDisplayName : Azure Portal clientAppUsed : Browser conditionalAccessStatus : failure status : @{errorCode=50158; failureReason=External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.; additionalDetails=The user is required to satisfy a dditional requirements before finishing authentication, and was redirected to another page (such as terms of use or a third party MFA provider). This code alone does not indicate a failure on your users part to sign in. The sign in logs may ind icate that this challenge was succesfully passed or failed.} appliedConditionalAccessPolicies : {@{id=22223333-cccc-4444-dddd-5555eeee6666; enforcedSessionControls=System.Object[]; displayName=CAX - All Contoso (and Guest) Users; result=failure; enforcedGrantControls=System.Object[]}, @{id=00001111-aaaa-2222-bbbb-3333cccc4444; enf orcedSessionControls=System.Object[]; displayName=CA01 - MFA - All Apps - All Users; result=success; enforcedGrantControls=System.Object[]}, @{id=22223333-cccc-4444-dddd-5555eeee6666; enforcedSessionControl s=System.Object[]; displayName=CA001 - Require Passwordless Auth and TAP - All Users; result=success; enforcedGrantControls=System.Object[]}, @{id=33334444-dddd-5555-eeee-6666ffff7777; enforcedSessionControls=System.Object[]; displayName=CA14 - Require MFA for VPN Access; result=notApplied; enforcedGrantControls=System.Object[]}…}</dev:code> <dev:remarks> <maml:para>This example returns all audit logs of sign-ins failures due to a specific Conditional Access policy.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>---------------- Example 5: List risky sign-ins ----------------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' Get-EntraAuditSignInLog -Filter " (riskLevelDuringSignIn ne 'none' or riskEventTypes_v2/any(r:r ne 'none')) " -Limit 1 | Select-Object id, userDisplayName, appDisplayName, clientAppUsed, riskLevelDuringSignIn, riskEventTypes_v2 id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb userDisplayName : Sawyer Miller appDisplayName : Security Copilot clientAppUsed : Browser riskLevelDuringSignIn : low riskEventTypes_v2 : {unfamiliarFeatures}</dev:code> <dev:remarks> <maml:para>This example returns all audit logs of risky sign-ins.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------- Example 6: Get the first two logs --------------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' Get-EntraAuditSignInLog -Top 2 Id AppDisplayName AppId AppTokenProtectionStatus AuthenticationMethodsUsed AuthenticationProtocol -- -------------- ----- ------------------------ ------------------------- ---------------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Azure Active Directory PowerShell 00001111-aaaa-2222-bbbb-3333cccc4444 {} none bbbbbbbb-1111-2222-3333-cccccccccccc Azure Portal 11112222-bbbb-3333-cccc-4444dddd5555 {} none</dev:code> <dev:remarks> <maml:para>This example returns the first two audit logs of sign-ins. You can use `-Limit` as an alias for `-Top`.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>- Example 7: Get audit logs containing a given AppDisplayName -</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' Get-EntraAuditSignInLog -Filter "AppDisplayName eq 'Graph Explorer'" -Top 1 Id AppDisplayName AppId AppTokenProtectionStatus AuthenticationMethodsUsed AuthenticationProtocol -- -------------- ----- ------------------------ ------------------------- ---------------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Graph Explorer PowerShell 00001111-aaaa-2222-bbbb-3333cccc4444</dev:code> <dev:remarks> <maml:para>This example demonstrates how to retrieve sign-in logs by AppDisplayName. You can use `-Limit` as an alias for `-Top`.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------- Example 8: Get all sign-in logs between dates --------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' Get-EntraAuditSignInLog -Filter "createdDateTime ge 2024-07-01T00:00:00Z and createdDateTime le 2024-07-14T23:59:59Z"</dev:code> <dev:remarks> <maml:para>This example shows how to retrieve sign-in logs between dates.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>---------- Example 9: List failed sign-ins for a user ----------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All' $failedSignIns = Get-EntraAuditSignInLog -Filter "userPrincipalName eq 'SawyerM@contoso.com' and status/errorCode ne 0" $failedSignIns | Select-Object UserPrincipalName, CreatedDateTime, Status, IpAddress, ClientAppUsed | Format-Table -AutoSize</dev:code> <dev:remarks> <maml:para>This example demonstrates how to retrieve failed sign-ins for a user.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://learn.microsoft.com/powershell/module/Microsoft.Entra/Get-EntraAuditSignInLog</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-EntraAuthenticationMethodUserRegistrationDetailReport</command:name> <command:verb>Get</command:verb> <command:noun>EntraAuthenticationMethodUserRegistrationDetailReport</command:noun> <maml:description> <maml:para>List the user's registered authentication methods.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>The `Get-EntraAuthenticationMethodUserRegistrationDetailReport` cmdlet lists the user's registered authentication methods from the `userRegistrationDetails` object. This method doesn't work for disabled accounts (user accounts).</maml:para> <maml:para>In delegated scenarios with work or school accounts, when acting on another user, the signed-in user must have a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles support this operation:</maml:para> <maml:para>- Reports Reader</maml:para> <maml:para>- Security Reader</maml:para> <maml:para>- Security Administrator</maml:para> <maml:para>- Global Reader</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-EntraAuthenticationMethodUserRegistrationDetailReport</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="Id"> <maml:name>UserRegistrationDetailsId</maml:name> <maml:description> <maml:para>Specifies the user object identifier in Microsoft Entra ID.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Select"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-EntraAuthenticationMethodUserRegistrationDetailReport</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Select"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False (ByPropertyName, ByValue)" position="named" aliases="Limit"> <maml:name>Top</maml:name> <maml:description> <maml:para>Specifies the maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies an OData v4.0 filter statement. This parameter filters which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False (ByPropertyName, ByValue)" position="named" aliases="SortBy, OrderBy"> <maml:name>Sort</maml:name> <maml:description> <maml:para>This parameter sorts the results by property.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="Id"> <maml:name>UserRegistrationDetailsId</maml:name> <maml:description> <maml:para>Specifies the user object identifier in Microsoft Entra ID.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="Select"> <maml:name>Property</maml:name> <maml:description> <maml:para>Specifies properties to be returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String[]</command:parameterValue> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False (ByPropertyName, ByValue)" position="named" aliases="Limit"> <maml:name>Top</maml:name> <maml:description> <maml:para>Specifies the maximum number of records to return.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Int32</command:parameterValue> <dev:type> <maml:name>System.Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>All</maml:name> <maml:description> <maml:para>List all pages.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.Management.Automation.SwitchParameter</command:parameterValue> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False (ByPropertyName, ByValue)" position="named" aliases="none"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies an OData v4.0 filter statement. This parameter filters which objects are returned.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False (ByPropertyName, ByValue)" position="named" aliases="SortBy, OrderBy"> <maml:name>Sort</maml:name> <maml:description> <maml:para>This parameter sorts the results by property.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">System.String</command:parameterValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues> <command:returnValue> <dev:type> <maml:name>isAdmin (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Shows whether the user has an admin role in the tenant. Use it to check which authentication methods privileged accounts register and use.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>isMfaCapable (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Indicates that the user uses a strong MFA method allowed by the authentication methods policy. Supports `$filter (eq)`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>isMfaRegistered (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Indicates whether the user registers a strong MFA method, even if the authentication methods policy doesn't allow it. Supports `$filter (eq)`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>isPasswordlessCapable (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Shows if the user registers a passwordless strong authentication method—like FIDO2, Windows Hello for Business, or Microsoft Authenticator—that the policy allows. Supports `$filter (eq)`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>isSsprCapable (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Shows if the user has registered enough methods and is allowed to use self-service password reset based on policy. Supports `$filter (eq)`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>isSsprEnabled (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Shows if the user is allowed to use self-service password reset by policy, even if they haven’t registered enough authentication methods. Supports `$filter (eq)`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>isSsprRegistered (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Shows if the user registers enough authentication methods for self-service password reset, even if the policy doesn't allow them to use it. Supports `$filter (eq)`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>isSystemPreferredAuthenticationMethodEnabled (Boolean)</maml:name> </dev:type> <maml:description> <maml:para>Shows if system-preferred authentication is on. When enabled, the system selects the most secure method from the ones the user registers. Supports `$filter (eq)`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>lastUpdatedDateTime (DateTimeOffset)</maml:name> </dev:type> <maml:description> <maml:para>The date and time (in UTC) when the report was last updated, in ISO 8601 format. For example, midnight UTC on Jan 1, 2014 is shown as `2014-01-01T00:00:00Z`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>methodsRegistered (String collection)</maml:name> </dev:type> <maml:description> <maml:para>List of registered authentication methods, like mobilePhone, email, or passKeyDeviceBound. Supports `$filter` with `any` and `eq`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>systemPreferredAuthenticationMethods (String collection)</maml:name> </dev:type> <maml:description> <maml:para>List of the most secure second-factor authentication methods chosen by the system from the user's registered methods. Values include: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none. Supports `$filter` with `any` and `eq`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>userDisplayName (String)</maml:name> </dev:type> <maml:description> <maml:para>The user's display name, like "Sawyer Miller." Supports `$filter` (`eq`, `startsWith`) and `$orderby`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>userPreferredMethodForSecondaryAuthentication (userDefaultAuthenticationMethod)</maml:name> </dev:type> <maml:description> <maml:para>The user's chosen default method for second-factor authentication. Options include: push, oath, voiceMobile, voiceAlternateMobile, voiceOffice, sms, none. Used as the preferred MFA method when system-preferred authentication is off. Supports `$filter` with `any` and `eq`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>userPrincipalName (String)</maml:name> </dev:type> <maml:description> <maml:para>The user's sign-in name, like SawyerM@contoso.com. Supports `$filter` (`eq`, `startsWith`) and `$orderby`.</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name>userType (signInUserType)</maml:name> </dev:type> <maml:description> <maml:para>Shows if the user is a member or guest in the tenant. Values: member, guest.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para>`Get-EntraAuthMethodUserRegistrationDetailReport` is an alias for `Get-EntraAuthenticationMethodUserRegistrationDetailReport`.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>- Example 1: Get all user's registered authentication methods -</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All' Get-EntraAuthenticationMethodUserRegistrationDetailReport -All | Format-Table -AutoSize Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable -- ------- ------------ --------------- --------------------- ------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True bbbbbbbb-1111-2222-3333-cccccccccccc False False False False False cccccccc-2222-3333-4444-dddddddddddd False False False False False dddddddd-3333-4444-5555-eeeeeeeeeeee False False False False False</dev:code> <dev:remarks> <maml:para>This example demonstrates how to retrieve all the user's registered authentication methods.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 2: Get user's registered authentication methods by UserRegistrationDetailsId</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All' Get-EntraAuthenticationMethodUserRegistrationDetailReport -UserRegistrationDetailsId 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb' | Format-Table -AutoSize isMfaRegistered : False @odata.context : https://graph.microsoft.com/v1.0/$metadata#reports/authenticationMethods/userRegistrationDetails(*)/$entity userPrincipalName : sawyermiller@contoso.com isSystemPreferredAuthenticationMethodEnabled : True id : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb isSsprRegistered : False isSsprEnabled : False userDisplayName : Sawyer Miller lastUpdatedDateTime : 3/16/2025 7:55:54 AM userType : member isAdmin : False methodsRegistered : {} systemPreferredAuthenticationMethods : {} userPreferredMethodForSecondaryAuthentication : none isPasswordlessCapable : False isSsprCapable : False isMfaCapable : False</dev:code> <dev:remarks> <maml:para>This example shows how to retrieve a specific user's registered authentication methods by `UserRegistrationDetailsId`.</maml:para> <maml:para>- `-UserRegistrationDetailsId` parameter specifies the user's registered authentication methods.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 3: Get user's registered authentication methods with filtering</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All' Get-EntraAuthenticationMethodUserRegistrationDetailReport -Filter "userType eq 'member'" | Format-Table -AutoSize Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable -- ------- ------------ --------------- --------------------- ------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True bbbbbbbb-1111-2222-3333-cccccccccccc False False False False False cccccccc-2222-3333-4444-dddddddddddd False False False False False dddddddd-3333-4444-5555-eeeeeeeeeeee False False False False False</dev:code> <dev:remarks> <maml:para>This example demonstrates how to retrieve a user's registered authentication methods with filtering `userType` property.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 4: Retrieve user's registered authentication methods properties</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All' Get-EntraAuthenticationMethodUserRegistrationDetailReport -Property id, userDisplayName, userType, isMfaRegistered, isPasswordlessCapable | Format-Table -AutoSize Id UserDisplayName UserType IsMfaRegistered IsPasswordlessCapable -- --------------- -------- ---------------- --------------------- cccccccc-2222-3333-4444-dddddddddddd Angel Brown member True False dddddddd-3333-4444-5555-eeeeeeeeeeee Alex Wilber member False False eeeeeeee-4444-5555-6666-ffffffffffff Avery Smith member False False bbbbbbbb-1111-2222-3333-cccccccccccc Christie Cline member False False aaaaaaaa-bbbb-cccc-1111-222222222222 Patti Fernandez member False False</dev:code> <dev:remarks> <maml:para>This example demonstrates how to retrieve a user's registered authentication methods. You can use `-Select` as an alias for `-Property`.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>Example 5: Get a list of recently updated user's registered authentication methods details using 'sort'</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All' Get-EntraAuthenticationMethodUserRegistrationDetailReport -All -Sort 'lastUpdatedDateTime desc' -Limit 4 | Format-Table -AutoSize Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable -- ------- ------------ --------------- --------------------- ------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True</dev:code> <dev:remarks> <maml:para>This example shows how to get one detail about the user's registered authentication methods. You can use `-OrderBy` or `-SortBy` as an alias for `-Sort`.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>---------------- Example 6: Get a single result ----------------</maml:title> <dev:code>Connect-Entra -Scopes 'AuditLog.Read.All' Get-EntraAuthenticationMethodUserRegistrationDetailReport -Top 1 | Format-Table -AutoSize Id IsAdmin IsMfaCapable IsMfaRegistered IsPasswordlessCapable IsSsprCapable -- ------- ------------ --------------- --------------------- ------------- aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb True False False False True</dev:code> <dev:remarks> <maml:para>This example shows how to get one detail about the user's registered authentication methods. You can use `-Limit` as an alias for `-Top`.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://learn.microsoft.com/powershell/module/Microsoft.Entra/Get-EntraAuthenticationMethodUserRegistrationDetailReport</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> </helpItems> |