
Find devices from sign-in log

Use Entra ID sign-in logs to identify registered devices in use and correlate them with user accounts.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

# Sign in to Microsoft Graph with the read-only Directory.Read.All scope, which the main
# script uses for its device, registered-owner and user lookups.
# NOTE(review): narrower read scopes such as Device.Read.All plus User.Read.All may be
# enough for those lookups; confirm against the cmdlet permission references.
Connect-MgGraph -NoWelcome -Scopes Directory.Read.All

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

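# Correlate an exported Entra ID sign-in log with the devices registered in the directory.
# Output 1: a grid view with the most recent sign-in found for each device ID in the export.
# Output 2: a table of directory devices whose device ID never appears in the export.
# Directory.Read.All is a read-only scope; nothing in this script modifies the tenant.
Connect-MgGraph -NoWelcome -Scopes Directory.Read.All
# File downloaded from Entra admin center with non-interactive sign ins
# needs to be edited to remove the incoming token type column first
$InputDataFile = "c:\users\tonyr\downloads\SignInData.csv"
# Stop early with a clear message instead of producing reports from an empty data set.
If (!(Test-Path -LiteralPath $InputDataFile -PathType Leaf)) {
    Throw "Sign-in export not found: $InputDataFile"
}
Write-Host "Loading data"
# Newest records first, so the first record seen for a device is its latest sign-in.
[array]$Data = Import-Csv -LiteralPath $InputDataFile | Sort-Object {$_.'Date (UTC)' -as [datetime]} -Descending
# Index the latest sign-in per device ID in one pass over the log.
# Rows without a device ID, or with the "{PII Removed}" placeholder, cannot be correlated.
$LatestSignIn = @{}
ForEach ($Record in $Data) {
    $LoggedDeviceId = $Record.'Device ID'
    If ([string]::IsNullOrWhiteSpace($LoggedDeviceId) -or $LoggedDeviceId -eq "{PII Removed}") { Continue }
    If (!$LatestSignIn.ContainsKey($LoggedDeviceId)) { $LatestSignIn[$LoggedDeviceId] = $Record }
}
# Retrieve devices found in sign in logs
[array]$FoundDevices = $LatestSignIn.Keys | Sort-Object
# Retrieve known devices and index them by DeviceId, the value that the sign-in log records.
# DeviceId is not the directory object Id that the owner lookup needs.
[array]$KnownDevices = Get-MgDevice -All
$DeviceLookup = @{}
ForEach ($KnownDevice in $KnownDevices) {
    If ($KnownDevice.DeviceId) { $DeviceLookup[$KnownDevice.DeviceId] = $KnownDevice }
}
Write-Host "Generating report"
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Device in $FoundDevices) {
    $DeviceDetails = $DeviceLookup[$Device]
    $DataDetails = $LatestSignIn[$Device]
    $RegisteredOwner = $null; $RegisteredDate = $null; $InDirectory = 'No'
    # A device ID in the log with no matching directory object still gets a report line.
    # Such a sign-in deserves a closer look rather than an error from the lookups below.
    If ($DeviceDetails) {
        $InDirectory = 'Yes'
        # A device can have zero, one or several registered owners; resolve each one separately.
        [array]$RegisteredOwnerIds = Get-MgDeviceRegisteredOwner -DeviceId $DeviceDetails.Id | Select-Object -ExpandProperty Id
        [array]$OwnerNames = ForEach ($OwnerId in $RegisteredOwnerIds) {
            # The lookup can fail for an owner that is not a user object, so errors are suppressed.
            (Get-MgUser -UserId $OwnerId -ErrorAction SilentlyContinue).UserPrincipalName
        }
        $RegisteredOwner = ($OwnerNames | Where-Object {$_}) -join ', '
        If ($DeviceDetails.RegistrationDateTime) {
            $RegisteredDate = Get-Date $DeviceDetails.RegistrationDateTime -format 'dd-MMM-yyyy HH:mm'
        }
    }
    $SignInDate = Get-Date $DataDetails.'Date (UTC)' -format 'dd-MMM-yyyy HH:mm'
    $ReportLine = [PSCustomObject][Ordered]@{
        SignIn             = $SignInDate
        Device             = $Device
        'Device name'      = $DeviceDetails.displayName
        Id                 = $DeviceDetails.Id
        OS                 = $DeviceDetails.OperatingSystem
        Version            = $DeviceDetails.OperatingSystemVersion
        Registered         = $RegisteredDate
        'Registered owner' = $RegisteredOwner
        # The user agent string is supplied by the client; treat it as a hint, not as evidence.
        'User agent'       = $DataDetails.'User agent'
        'User signing in'  = $DataDetails.User
        'User sign in UPN' = $DataDetails.userName
        Resource           = $DataDetails.Resource
        ClientApp          = $DataDetails.'Client App'
        'In directory'     = $InDirectory
    }
    $Report.Add($ReportLine)
}
$Report | Out-GridView
# Compare on DeviceId, the identifier stored in the log. Comparing the object Id against
# log device IDs never matches, which would list every known device as unused.
# Absence from this export only means no correlatable sign-in was found in the exported
# records; confirm against other sign-in data before disabling or removing a device.
[array]$UnusedDevices = $KnownDevices | Where-Object {$_.DeviceId -notin $FoundDevices} | Sort-Object DisplayName
Write-Host ""
Write-Host "The following devices cannot be found in a sign-in log"
Write-Host "------------------------------------------------------"
$UnusedDevices | Format-Table Id, DisplayName, OperatingSystem, RegistrationDateTime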
Attribution