Get-AzureADAuditDirectoryLogs

Get directory audit logs

Syntax

Get-AzureADAuditDirectoryLogs
   [-All <Boolean>]
   [-Top <Int32>]
   [-Filter <String>]
   [<CommonParameters>]

Description

The Get-AzureADAuditDirectoryLogs cmdlet gets an Azure Active Directory audit log.

Examples

Example 1: Get audit logs after a certain date

PS C:\>Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2019-03-20"

This command gets all audit logs on or after 3/20/2019

Example 2: Get audit logs initiated by a user or application

PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/user/userPrincipalName eq '[email protected]'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/user/displayName eq 'Jean Niyomugabo'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/appId eq 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/displayName eq 'myApp'"

These commands are different ways to get all audit logs for a certain user or application

Example 3: Get audit logs containing a given target resource

PS C:\>Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/displayName eq 'Active Directory Example')"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/type eq 'ServicePrincipal')"

These commands show how to get audit logs by target resource display name or type

Example 4: Get all audit logs with a given result

PS C:\>Get-AzureADAuditDirectoryLogs -Filter "result eq 'success'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "result eq 'failure'" -All $true

These commands show how to get audit logs by result

Parameters

-All

Boolean to express that return all results from the server for the specific query

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Filter

The oData v3.0 filter statement. Controls which objects are returned.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Top

The maximum number of records to return.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False