Get-EntraAuditDirectoryLog

Get directory audit logs.

Syntax

Get-EntraAuditDirectoryLog
[-All]
[-Top <Int32>]
[-Filter <String>]
[<CommonParameters>]

Description

The Get-EntraAuditDirectoryLog cmdlet gets a Microsoft Entra ID audit log.

The audit logs cover activity from various services, such as user, app, device, and group management, privileged identity management (PIM), access reviews, terms of use, identity protection, password management (SSPR and admin resets), and self-service group management.

Examples

Example 1: Get all logs

Connect-Entra -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
Get-EntraAuditDirectoryLog -All

Id                                             ActivityDateTime    ActivityDisplayName                     Category              CorrelationId
--                                             ----------------    -------------------                     --------              -------------
Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 17/07/2024 08:55:34 Add service principal                   ApplicationManagement aaaa0000-bb11-2222-33cc-444444dddddd
Directory_bbbbbbbb-1111-2222-3333-cccccccccccc 17/07/2024 07:31:54 Update user                             UserManagement        bbbb1111-cc22-3333-44dd-555555eeeeee
SSGM_cccccccc-2222-3333-4444-dddddddddddd      17/07/2024 07:13:08 GroupsODataV4_GetgroupLifecyclePolicies GroupManagement       cccc2222-dd33-4444-55ee-666666ffffff

This command gets all audit logs.

Example 2: Get first n logs

Connect-Entra -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
Get-EntraAuditDirectoryLog -Top 1

Id                                                             ActivityDateTime    ActivityDisplayName   Category              CorrelationId                        LoggedB
                                                                                                                                                                    yServic
                                                                                                                                                                    e
--                                                             ----------------    -------------------   --------              -------------                        -------
Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb_8IAPT_617717139 17/07/2024 08:55:34 Add service principal ApplicationManagement aaaa0000-bb11-2222-33cc-444444dddddd Core...

This example returns the first N logs.

Example 3: Get audit logs containing a given ActivityDisplayName

Connect-Entra -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
Get-EntraAuditDirectoryLog -Filter "ActivityDisplayName eq 'Update rollout policy of feature'" -Top 1

Id                                                     ActivityDateTime    ActivityDisplayName              Category       CorrelationId
--                                                     ----------------    -------------------              --------       -------------
Application Proxy_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 16/07/2024 05:13:49 Update rollout policy of feature Authentication aaaa0000-bb11-2222-33cc-444444dddddd

This command shows how to get audit logs by ActivityDisplayName.

Example 4: Get all audit logs with a given result

Connect-Entra -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
Get-EntraAuditDirectoryLog -Filter "result eq 'failure'" -All

This command shows how to get audit logs by the result.
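
The following added example (not from the original page or the Microsoft.Entra module) combines the result filter from Example 4 with a category and a time window, so the service narrows the result set instead of the client paging through everything with -All. New-AuditLogFilter and Get-AuditActivitySummary are hypothetical helpers; activityDateTime and category are assumed to be filterable under their Microsoft Graph directoryAudit names, and the sample records are constructed.

```powershell
# Hypothetical helper (not part of Microsoft.Entra): builds the string passed to -Filter.
function New-AuditLogFilter {
    [CmdletBinding()]
    param(
        [datetime]$Since,
        [string]$Category,
        [ValidateSet('success', 'failure')]
        [string]$Result
    )
    $clauses = @()
    if ($PSBoundParameters.ContainsKey('Since')) {
        # OData date-time literal: UTC, ISO 8601, unquoted, culture-independent.
        $utc = $Since.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", [cultureinfo]::InvariantCulture)
        $clauses += "activityDateTime ge $utc"
    }
    if ($Category) {
        # OData string literal: a single quote inside the value is doubled.
        $clauses += "category eq '{0}'" -f ($Category -replace "'", "''")
    }
    if ($Result) { $clauses += "result eq '$Result'" }
    $clauses -join ' and '
}

# Hypothetical helper: counts records per activity, most frequent first.
function Get-AuditActivitySummary {
    param([Parameter(ValueFromPipeline)]$Record)
    begin   { $records = [System.Collections.Generic.List[object]]::new() }
    process { $records.Add($Record) }
    end {
        $records | Group-Object -Property ActivityDisplayName |
            Sort-Object -Property Count -Descending |
            Select-Object -Property Count, Name
    }
}

$windowStart = [datetime]::new(2024, 7, 16, 0, 0, 0, [System.DateTimeKind]::Utc)
$filter = New-AuditLogFilter -Since $windowStart -Category 'UserManagement' -Result failure
$filter

# Against a tenant, after Connect-Entra as in the examples above:
#   Get-EntraAuditDirectoryLog -Filter $filter -All | Get-AuditActivitySummary

# Constructed sample records standing in for the cmdlet's output, so this runs offline.
$sample = @(
    [pscustomobject]@{ ActivityDisplayName = 'Update user'; Category = 'UserManagement'; Result = 'failure' }
    [pscustomobject]@{ ActivityDisplayName = 'Delete user'; Category = 'UserManagement'; Result = 'failure' }
    [pscustomobject]@{ ActivityDisplayName = 'Update user'; Category = 'UserManagement'; Result = 'failure' }
)
$sample | Get-AuditActivitySummary
```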

Parameters

-All

List all pages.

Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Filter

The OData v4.0 filter statement. Controls which objects are returned.

Type: System.String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-Property

Specifies properties to be returned.

Type: System.String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Top

The maximum number of records to return.

Type: System.Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

Notes

Get-EntraAuditDirectoryLogs is an alias for Get-EntraAuditDirectoryLog.