Get-AzureADAuditDirectoryLogs
Get directory audit logs
Syntax
Get-AzureADAuditDirectoryLogs
[-All <Boolean>]
[-Top <Int32>]
[-Filter <String>]
[<CommonParameters>] Description
The Get-AzureADAuditDirectoryLogs cmdlet gets an Azure Active Directory audit log.
Examples
Example 1: Get audit logs after a certain date
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "activityDateTime gt 2019-03-20"This command gets all audit logs on or after 3/20/2019
Example 2: Get audit logs initiated by a user or application
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/user/userPrincipalName eq 'JNiyomugabo@Contoso.com'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/user/displayName eq 'Jean Niyomugabo'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/appId eq 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "initiatedBy/app/displayName eq 'myApp'"These commands are different ways to get all audit logs for a certain user or application
Example 3: Get audit logs containing a given target resource
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/displayName eq 'Active Directory Example')"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "targetResources/any(tr:tr/type eq 'ServicePrincipal')"These commands show how to get audit logs by target resource display name or type
Example 4: Get all audit logs with a given result
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "result eq 'success'"
PS C:\>Get-AzureADAuditDirectoryLogs -Filter "result eq 'failure'" -All $trueThese commands show how to get audit logs by result
Parameters
-All
Boolean to express that return all results from the server for the specific query
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Filter
The oData v3.0 filter statement. Controls which objects are returned.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Top
The maximum number of records to return.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |