Update: Dec 20 2018. See this post that details the changes to the Azure AD Reports and Events Rest API.
Hybrid Reporting is a great little feature of Microsoft Identity Manager. A small agent installed on the MIM Sync Server will send reporting data to Azure for MIM SSPR and MIM Group activities. See how to install and configure it here.
But what if you want to get the reporting data without going to the Azure Portal and looking at the Audit Reports? Enter the Azure AD Reports and Events REST API, which is currently in preview. It took me a couple of cracks at getting this working, because the documentation is a little vague, especially when accessing it via PowerShell and OAuth2. So I’ve written it up and hope it helps anyone else looking to go down this route.
Accessing the Reports via the API has a couple of caveats that I had to work through:
The three MIM reports appear in the API under these names:
"Name": "mimSsgmGroupActivityEvents"
"Name": "mimSsprActivityEvents"
"Name": "mimSsprRegistrationActivityEvents"
Here is the full list of Reports available as of 24 May 2017.
{ "Name": "b2cAuthenticationCountSummary", "LicenseRequired": "False" }
{ "Name": "b2cMfaRequestCount", "LicenseRequired": "False" }
{ "Name": "b2cMfaRequestEvent", "LicenseRequired": "False" }
{ "Name": "b2cAuthenticationEvent", "LicenseRequired": "False" }
{ "Name": "b2cAuthenticationCount", "LicenseRequired": "False" }
{ "Name": "b2cMfaRequestCountSummary", "LicenseRequired": "False" }
{ "Name": "tenantUserCount", "LicenseRequired": "False" }
{ "Name": "applicationUsageDetailEvents", "LicenseRequired": "False" }
{ "Name": "applicationUsageSummaryEvents", "LicenseRequired": "True" }
{ "Name": "b2cUserJourneySummaryEvents", "LicenseRequired": "False" }
{ "Name": "b2cUserJourneyEvents", "LicenseRequired": "False" }
{ "Name": "cloudAppDiscoveryEvents", "LicenseRequired": "False" }
{ "Name": "mimSsgmGroupActivityEvents", "LicenseRequired": "True" }
{ "Name": "ssgmGroupActivityEvents", "LicenseRequired": "True" }
{ "Name": "mimSsprActivityEvents", "LicenseRequired": "True" }
{ "Name": "ssprActivityEvents", "LicenseRequired": "True" }
{ "Name": "mimSsprRegistrationActivityEvents", "LicenseRequired": "True" }
{ "Name": "ssprRegistrationActivityEvents", "LicenseRequired": "True" }
{ "Name": "threatenedCredentials", "LicenseRequired": "False" }
{ "Name": "compromisedCredentials", "LicenseRequired": "False" }
{ "Name": "auditEvents", "LicenseRequired": "False" }
{ "Name": "accountProvisioningEvents", "LicenseRequired": "False" }
{ "Name": "signInsFromUnknownSourcesEvents", "LicenseRequired": "False" }
{ "Name": "signInsFromIPAddressesWithSuspiciousActivityEvents", "LicenseRequired": "True" }
{ "Name": "signInsFromMultipleGeographiesEvents", "LicenseRequired": "False" }
{ "Name": "signInsFromPossiblyInfectedDevicesEvents", "LicenseRequired": "True" }
{ "Name": "irregularSignInActivityEvents", "LicenseRequired": "True" }
{ "Name": "allUsersWithAnomalousSignInActivityEvents", "LicenseRequired": "True" }
{ "Name": "signInsAfterMultipleFailuresEvents", "LicenseRequired": "False" }
{ "Name": "applicationUsageSummary", "LicenseRequired": "True" }
{ "Name": "userActivitySummary", "LicenseRequired": "False" }
{ "Name": "groupActivitySummary", "LicenseRequired": "True" }
What you need to do is:
In the Azure Portal create a new Web app/API app and assign it https://localhost as the Reply URL. Record the Application ID for use in the PowerShell script.
Assign the Read Directory data permission as shown below.
Obtain a key from the Keys option on your new Web App. Record it for use in the PowerShell script.
Update the following script, changing lines 5 and 6 to the Application ID/Client ID and Client Secret of the Web App you created above.
Run the script and you will be prompted to authenticate. Use an account in the tenant where you created the Web App that is a Global Admin or is in the Security Admin or Security Reader Azure roles. You will also need to change the location where you want the refresh.token file stored (line 18).
If you’ve done everything correctly you have authenticated and obtained an AuthCode, which was then exchanged for your Authorization Tokens. The value of the $Authorization variable should look similar to this:
Now you can use the Refresh Token to generate new Authorization Tokens when they expire, simply by calling the Get-NewTokens function included in the script above.
Now that you have the necessary prerequisites sorted you can query the Reporting API.
Here are a couple of simple queries to return some data to get you started. Update the script for the tenant name of your AzureAD. With the $Authorization values from the script above you can get data for the MIM Hybrid Reports.
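The post's own scripts were embedded separately and are not reproduced here. The following is an added example, written for this page and not the author's script, that walks the same procedure end to end: the OAuth2 authorization-code flow against the Azure AD v1 endpoints from PowerShell, a Get-NewTokens function that uses the stored refresh token, and a query against the reporting API. It assumes the Web app/API registration described above (Reply URL https://localhost, the Read Directory data permission, a client secret) and that the preview reports endpoint is https://graph.windows.net/{tenant}/reports/{reportName}?api-version=beta; the tenant name, Application ID and key are placeholders, and the paging key names are an assumption to verify against your tenant's responses. Unlike a plain-text refresh.token file, this version protects the stored refresh token with DPAPI so that a copy of the file is not usable from another account or machine.

```powershell
# Added example (not the post's script): OAuth2 auth-code flow + Azure AD Reports preview API.
Add-Type -AssemblyName System.Web

$TenantName   = "contoso.onmicrosoft.com"          # placeholder: your Azure AD tenant
$ClientId     = "<application-id-from-the-portal>" # placeholder: Web App Application ID
$ClientSecret = "<key-from-the-portal>"            # placeholder: key from the Keys blade
$RedirectUri  = "https://localhost"                # must match the app's Reply URL
$Resource     = "https://graph.windows.net"        # audience for the Reports and Events API
$TokenFile    = "$env:USERPROFILE\refresh.token"   # DPAPI-protected refresh token store

$AuthEndpoint  = "https://login.microsoftonline.com/$TenantName/oauth2/authorize"
$TokenEndpoint = "https://login.microsoftonline.com/$TenantName/oauth2/token"

function Get-AuthCode {
    # Sign in interactively in the default browser. Azure AD redirects to
    # https://localhost/?code=...&state=... (nothing listens there, so the page fails to
    # load, but the address bar still holds the code). Paste that URL back here.
    $state = [guid]::NewGuid().ToString()
    $url = "$AuthEndpoint?response_type=code&client_id=$ClientId" +
           "&redirect_uri=$([uri]::EscapeDataString($RedirectUri))" +
           "&resource=$([uri]::EscapeDataString($Resource))&state=$state"
    Start-Process $url
    $redirected = Read-Host "Paste the https://localhost/... URL you were redirected to"
    $query = [System.Web.HttpUtility]::ParseQueryString(([uri]$redirected).Query)
    # The state check ties the returned code to the request this script started.
    if ($query["state"] -ne $state) { throw "state mismatch in redirect; aborting" }
    if (-not $query["code"])        { throw "no authorization code in redirect URL" }
    return $query["code"]
}

function Save-RefreshToken ([string]$Token) {
    # Encrypt with DPAPI for the current user instead of writing plain text to disk.
    ConvertTo-SecureString $Token -AsPlainText -Force |
        ConvertFrom-SecureString | Set-Content -Path $TokenFile
}

function Read-RefreshToken {
    $secure = Get-Content -Path $TokenFile | ConvertTo-SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Get-TokensFromCode ([string]$Code) {
    # Exchange the one-time authorization code for access + refresh tokens.
    $body = @{ grant_type = "authorization_code"; code = $Code; client_id = $ClientId
               client_secret = $ClientSecret; redirect_uri = $RedirectUri; resource = $Resource }
    $tokens = Invoke-RestMethod -Method Post -Uri $TokenEndpoint -Body $body `
                  -ContentType "application/x-www-form-urlencoded"
    Save-RefreshToken $tokens.refresh_token
    return $tokens
}

function Get-NewTokens {
    # Use the stored refresh token to obtain a fresh access token once the old one expires.
    $body = @{ grant_type = "refresh_token"; refresh_token = (Read-RefreshToken)
               client_id = $ClientId; client_secret = $ClientSecret; resource = $Resource }
    $tokens = Invoke-RestMethod -Method Post -Uri $TokenEndpoint -Body $body `
                  -ContentType "application/x-www-form-urlencoded"
    if ($tokens.refresh_token) { Save-RefreshToken $tokens.refresh_token }  # token may be rotated
    return $tokens
}

function Get-AzureADReport ([string]$ReportName, [string]$AccessToken) {
    # Assumed preview endpoint: /{tenant}/reports/{name}?api-version=beta
    $uri = "https://graph.windows.net/$TenantName/reports/$ReportName?api-version=beta"
    $headers = @{ Authorization = "Bearer $AccessToken"; Accept = "application/json" }
    $results = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $results += $page.value
        # Assumption: paged responses carry a next link under one of these two names.
        $uri = $page.'@odata.nextLink'
        if (-not $uri) { $uri = $page.'odata.nextLink' }
    }
    return $results
}

# Usage: first run authenticates and stores the refresh token; later runs can call Get-NewTokens.
$tokens = Get-TokensFromCode (Get-AuthCode)
$Authorization = "Bearer $($tokens.access_token)"
Get-AzureADReport -ReportName "mimSsprActivityEvents" -AccessToken $tokens.access_token | Format-Table
```

On a second run you can skip the browser step entirely with `$tokens = Get-NewTokens` and pass `$tokens.access_token` to Get-AzureADReport; the three MIM report names listed earlier (mimSsgmGroupActivityEvents, mimSsprActivityEvents, mimSsprRegistrationActivityEvents) all go through the same function. The client secret is still in the script as a literal here only to mirror the post's lines 5 and 6; for anything beyond a test tenant, read it from a protected store the same way the refresh token is handled.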