sigin logs for the users.

Question

sigin logs for the users.

Glenn Maxwell 13,761

Hi All,

I have a test environment with approximately 200 Microsoft 365 E5 licenses and Microsoft Copilot licenses.

Our environment is Exchange Hybrid. Users are created as remote mailboxes on-premises or are created on-premises and later migrated to Exchange Online. Licensing is assigned through group-based licensing, where users are added to an on-premises Active Directory group that syncs to Entra ID, and licenses are assigned based on group membership.

I frequently receive requests to assign E5 and Copilot licenses. Since the number of available licenses is limited, I currently review user sign-in activity manually in Entra ID and identify users who have not signed in during the last 30 days. I then remove those users from the licensing group and reassign the licenses to new users.

At present, I check both:

User Sign-ins (Interactive)
User Sign-ins (Non-Interactive)

My requirements are:

Import users from csv file(i have the users list in csv file, exported from onprem AD group)
Obtain their last Interactive Sign-in date from Entraid.
Obtain their last Non-Interactive Sign-in date from Entraid.
Include the user creation date (or account creation date) in the output.
Export the results to a CSV file.
Identify users who have not signed in during the last 30 days so that their licenses can be reclaimed.

What would be the best approach using Microsoft Graph PowerShell or Entra PowerShell?

If anyone has a PowerShell script or example that can retrieve this information and export it to CSV, I would appreciate your guidance.

Shubham Sharma 17,675 Microsoft External Staff Moderator

Hey Glenn, you can tackle this with either Microsoft Graph PowerShell (beta profile) or the new Entra PowerShell cmdlet. Here are two sample approaches:

Microsoft Graph PowerShell (beta) This script reads your on-prem AD CSV, grabs each user’s createdDateTime plus interactive/non-interactive sign-ins, and flags anyone inactive for 30+ days:


   # 1. Switch to Graph beta (for signInActivity)

   Select-MgProfile -Name Beta

   # 2. Connect with directory read permissions

   Connect-MgGraph -Scopes User.Read.All, AuditLog.Read.All

   # 3. Compute cutoff

   $cutoff = (Get-Date).AddDays(-30).ToUniversalTime()

   # 4. Import your CSV (assumes a column "UserPrincipalName")

   $users = Import-Csv 'onprem-users.csv'

   # 5. Retrieve and build report

   $report = foreach ($u in $users) {

     $user = Get-MgUser -UserId $u.UserPrincipalName `

       -Property createdDateTime,signInActivity `

       -ErrorAction SilentlyContinue

     if ($null -ne $user) {

       [PSCustomObject]@{

         DisplayName               = $user.DisplayName

         UserPrincipalName         = $user.UserPrincipalName

         CreatedDateTime           = $user.CreatedDateTime

         LastInteractiveSignIn     = $user.SignInActivity.lastSignInDateTime

         LastNonInteractiveSignIn  = $user.SignInActivity.lastNonInteractiveSignInDateTime

         Inactive30Days            = (

           ($user.SignInActivity.lastSignInDateTime -lt $cutoff) -and

           ($user.SignInActivity.lastNonInteractiveSignInDateTime -lt $cutoff)

         )

       }

     }

   }

   # 6. Export full report or just inactive users

   $report | Export-Csv 'UserSignInReport.csv' -NoTypeInformation

   # For only inactive users:

   $report | Where-Object Inactive30Days | Export-Csv 'InactiveUsers.csv' -NoTypeInformation

Entra PowerShell (single-cmdlet) The Microsoft.Entra.Users module brings Get-EntraUserInactiveSignIn, which returns users with no interactive sign-in in the last N days – and also surfaces non-interactive sign-ins and creation time. You can target your CSV list like this:


   # 1. Install/Import module and connect

   Install-Module Microsoft.Entra.Users -Force

   Connect-Entra -Scopes User.Read.All, AuditLog.Read.All

   # 2. Import CSV and retrieve inactivity info

   $users = Import-Csv 'onprem-users.csv'

   $combined = foreach ($u in $users) {

     Get-EntraUserInactiveSignIn -UserId $u.UserPrincipalName -Ago 30 -All

   }

   # 3. Export

   $combined | Select-Object DisplayName, UserPrincipalName, CreatedDateTime,

     LastSignInDateTime, LastNonInteractiveSignInDateTime |

     Export-Csv 'InactiveUsers_EntraPS.csv' -NoTypeInformation

Both approaches give you:

User creation date
Last interactive and non-interactive sign-in
A CSV you can hand off to your licensing team

Hope that helps you automate reclaiming those stale E5/Copilot seats!

References:

https://learn.microsoft.com/powershell/module/microsoft.entra.users/get-entrauserinactivesignin?view=entra-powershell

https://learn.microsoft.com/graph/api/resources/signinactivity?view=graph-rest-1.0#properties

https://learn.microsoft.com/graph/api/user-list?view=graph-rest-1.0#example-11-get-users-including-their-last-sign-in-time

1 answer

Your answer

Answer 1

Use Microsoft Graph PowerShell to pull sign-in activity and account properties, then filter and export. Entra PowerShell also exposes sign-in activity per user, but Graph is better suited for bulk/reporting.

Below is an outline that matches the requirements, using the patterns from the documented examples.

1. Prerequisites

Install and import Microsoft Graph PowerShell:

   Install-Module Microsoft.Graph -Scope CurrentUser
   Import-Module Microsoft.Graph

Connect with the right permissions (audit + users):

   Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All"

2. Input: users from CSV

Assume the CSV from on-prem AD group has a column UserPrincipalName (adjust if different):

$users = Import-Csv -Path "C:\temp\groupUsers.csv"

The documented Entra PowerShell example shows how to retrieve sign-in activity for a single user and expand the SignInActivity property:

Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All'
Get-EntraUser -UserId '******@contoso.com' -Property 'SignInActivity' | 
  Select-Object -Property Id, DisplayName, UserPrincipalName -ExpandProperty 'SignInActivity'

Using the same pattern, loop through the CSV list and collect:

Last interactive sign-in
Last non-interactive sign-in
Account creation date

Example using Entra PowerShell cmdlets:

Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All'

$results = foreach ($u in $users) {
    $upn = $u.UserPrincipalName

    # Get user with sign-in activity and creation date
    $user = Get-EntraUser -UserId $upn -Property 'SignInActivity','CreatedDateTime'

    if (-not $user) { continue }

    $signIn = $user.SignInActivity

    [PSCustomObject]@{
        Id                          = $user.Id
        DisplayName                 = $user.DisplayName
        UserPrincipalName           = $user.UserPrincipalName
        CreatedDateTime             = $user.CreatedDateTime
        LastInteractiveSignInDate   = $signIn.LastSignInDateTime
        LastNonInteractiveSignInDate= $signIn.LastNonInteractiveSignInDateTime
    }
}

This follows the documented pattern of expanding SignInActivity and selecting user properties.

4. Filter users inactive for 30 days

Once the data is in $results, calculate inactivity based on the most recent sign-in (interactive or non-interactive):

$cutoff = (Get-Date).AddDays(-30)

$resultsWithCalc = $results | ForEach-Object {
    $lastInteractive   = $_.LastInteractiveSignInDate
    $lastNonInteractive= $_.LastNonInteractiveSignInDate

    # Determine the most recent sign-in of any type
    $lastAny = $lastInteractive
    if ($lastNonInteractive -and (!$lastAny -or $lastNonInteractive -gt $lastAny)) {
        $lastAny = $lastNonInteractive
    }

    $_ | Add-Member -NotePropertyName LastAnySignInDate -NotePropertyValue $lastAny -Force
    $_
}

$inactive30Days = $resultsWithCalc | Where-Object {
    -not $_.LastAnySignInDate -or $_.LastAnySignInDate -lt $cutoff
}

$inactive30Days now contains users who have not signed in (interactive or non-interactive) in the last 30 days and are candidates for license reclamation.

5. Export to CSV

Export both the full dataset and the inactive subset:

$resultsWithCalc | Export-Csv -Path "C:\temp\AllUsersSignInReport.csv" -NoTypeInformation -Encoding UTF8
$inactive30Days  | Export-Csv -Path "C:\temp\InactiveOver30Days.csv" -NoTypeInformation -Encoding UTF8

6. Optional: use audit logs for deeper analysis

If more detailed sign-in history is needed (for example, to validate specific events), audit and sign-in logs can be queried with Microsoft Graph PowerShell. The monitoring and health documentation shows how to query audit logs using Get-MgAuditLogDirectoryAudit with filters such as category and activity date:

Get-MgAuditLogDirectoryAudit -Filter "activityDateTime gt 2019-04-18"

Similar approaches can be used for sign-in logs when more granular analysis is required.

This approach satisfies:

Import users from CSV.
Retrieve last interactive and non-interactive sign-in dates via SignInActivity.
Include account creation date (CreatedDateTime).
Export to CSV.
Identify users inactive for 30 days for license reclamation.

References:

Share via

sigin logs for the users.

1 answer

1. Prerequisites

2. Input: users from CSV

3. Get last sign-in activity per user

4. Filter users inactive for 30 days

5. Export to CSV

6. Optional: use audit logs for deeper analysis

Your answer