Azure Active Directory Audit Log
Use Get-ADAuditLogs to collect the contents of the Azure Active Directory Audit Log.
Note
This GraphAPI functionality is currently in beta. If you encounter any issues or have suggestions for improvements please let us know.
Usage
Running the script without any parameters will gather the Azure Active Directory Audit Log for the last 7 days (Entra ID Free) or 30 days (Entra ID P1+P2):
Get-ADAuditLogs
Get the Azure Active Directory Audit Log before 2023-04-12:
Get-ADAuditLogs -endDate 2023-04-12
Get the Azure Active Directory Audit Log after 2023-04-12:
Get-ADAuditLogs -startDate 2023-04-12
Parameters
- -startDate (optional)
startDate is the parameter specifying the start date of the date range. The time format supported is limited to yyyy-mm-dd only.
- -endDate (optional)
endDate is the parameter specifying the end date of the date range. The time format supported is limited to yyyy-mm-dd only.
- -OutputDir (optional)
OutputDir is the parameter specifying the output directory.
Default: OutputAzureAD
- -Encoding (optional)
Encoding is the parameter specifying the encoding of the JSON output file.
Default: UTF8
Output
The output will be saved to the ‘AzureAD’ directory within the ‘Output’ directory, with the file name ‘Auditlogs.json’. Each time an acquisition is performed, the output JSON file will be overwritten. Therefore, if you perform multiple acquisitions, the JSON file will only contain the results from the latest acquisition.