User last activity

Find information about a user's last activity, including when the account was created, when the user last signed in (sign-in activity), and when they last reset their password.

Prerequisites

Before you start, make sure you have configured the following:
  1. Create a tenant

To get the user's properties, sign in to the Microsoft Entra admin center and browse to Identity > Users > All users. Then search for and select the user whose properties you want to view.

On the User page, select the Properties tab and check the relevant properties, such as Created date time and Last password change date time. Note that user sign-in activity is currently available only via Microsoft Graph or PowerShell. You can also check the sign-in log.

Dependencies

This script is self-contained.

1. Get user last activity

To get a user's last activity, retrieve the user with the following Microsoft Graph request or PowerShell command. Replace {user-id} with the user ID.

GET https://graph.microsoft.com/v1.0/users/{user-id}?$select=displayName,createdDateTime,lastPasswordChangeDateTime,signInActivity

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"
Get-MgUser -UserId {user-id} -Property "displayName,CreatedDateTime,lastPasswordChangeDateTime,signInActivity"

For example:

GET https://graph.microsoft.com/v1.0/users/11111111-0000-0000-0000-000000000000?$select=displayName,createdDateTime,lastPasswordChangeDateTime,signInActivity

Get-MgUser -UserId 11111111-0000-0000-0000-000000000000 -Property "displayName,CreatedDateTime,lastPasswordChangeDateTime,signInActivity"

2. Investigate user last activity

From the response, check the following properties:
  • createdDateTime - The date and time the user was created. The value cannot be modified and is automatically populated when the user is created.
  • lastPasswordChangeDateTime - The time when the user last changed their password.
  • signInActivity - Provides the last interactive or non-interactive sign-in attempt time for a specific user.
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,createdDateTime,lastPasswordChangeDateTime,signInActivity)/$entity",
    "displayName": "Nicholas",
    "createdDateTime": "2024-07-22T17:59:47Z",
    "lastPasswordChangeDateTime": "2024-07-22T17:59:47Z",
    "id": "11111111-0000-0000-0000-000000000000",
    "signInActivity": {
        "lastSignInDateTime": "2024-07-22T17:59:53Z",
        "lastSignInRequestId": "9c8146c5-8cbc-419c-b34b-47a3579c0000",
        "lastNonInteractiveSignInDateTime": null,
        "lastNonInteractiveSignInRequestId": null,
        "lastSuccessfulSignInDateTime": "2024-07-22T17:59:53Z",
        "lastSuccessfulSignInRequestId": "9c8146c5-8cbc-419c-b34b-47a3579c0000"
    }
}     
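The following Python is an added example, not part of the original page or of Microsoft's code. It reduces a response like the one above to the fields an account review usually needs, treating a null or missing signInActivity value as "no sign-in on record". The function names, the result keys and the 90-day stale_days threshold are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone

# Sample response from this page (request IDs left out).
SAMPLE = json.loads("""{
  "id": "11111111-0000-0000-0000-000000000000",
  "createdDateTime": "2024-07-22T17:59:47Z",
  "lastPasswordChangeDateTime": "2024-07-22T17:59:47Z",
  "signInActivity": {
    "lastSignInDateTime": "2024-07-22T17:59:53Z",
    "lastNonInteractiveSignInDateTime": null,
    "lastSuccessfulSignInDateTime": "2024-07-22T17:59:53Z"
  }
}""")


def parse_ts(value):
    """Parse a Graph UTC timestamp; null or missing becomes None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_activity(user, now, stale_days=90):
    """Reduce one user object to review fields (stale_days is an assumed threshold)."""
    activity = user.get("signInActivity") or {}  # handled defensively: absent or null
    attempts = [parse_ts(activity.get(k)) for k in
                ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    attempts = [t for t in attempts if t is not None]
    last_success = parse_ts(activity.get("lastSuccessfulSignInDateTime"))
    created = parse_ts(user.get("createdDateTime"))
    pwd_changed = parse_ts(user.get("lastPasswordChangeDateTime"))
    # With no successful sign-in on record, measure idleness from creation.
    reference = last_success or created
    idle_days = (now - reference).days if reference else None
    return {
        "id": user.get("id"),
        "last_attempt": max(attempts) if attempts else None,
        "last_success": last_success,
        "idle_days": idle_days,
        "never_signed_in": last_success is None and not attempts,
        "stale": idle_days is not None and idle_days >= stale_days,
        "password_unchanged_since_creation": created is not None and pwd_changed == created,
    }


if __name__ == "__main__":
    print(summarize_activity(SAMPLE, datetime.now(timezone.utc)))
```

Keeping last_attempt separate from last_success matters during an investigation: a recent attempt with an older successful sign-in means someone tried to use the account and did not get in.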