Microsoft has introduced a new property to identify the last successful sign-in date and time for Microsoft 365 users. This enhancement facilitates the identification of inactive users within your organization, streamlining the process that was historically challenging.
Office 365 Last Login Report – How it Started?
In the past, administrators faced difficulties in identifying inactive users, relying on ‘LastLogonTime’ from ‘Get-MailboxStatistics’. However, this approach was not accurate as it only retrieved the last logon time for mailboxes and included background task processing time.
Subsequently, Microsoft introduced ‘LastSignInDateTime’ in ‘Get-MgUser’. Despite being an improvement, it included failed login attempts, making it less accurate for identifying stale accounts.
Now, Microsoft has addressed these limitations by introducing the ‘LastSuccessfulSignInDateTime’ property, offering precise information on users’ last successful sign-in times.
Note: Starting from December 1, 2023, the ‘LastSuccessfulSignInDateTime’ property is available, encompassing both interactive and non-interactive sign-ins.
Export Microsoft 365 Users’ Last Successful Sign-in Date using PowerShell:
To retrieve the last successful sign-in time, you must install and connect to the Microsoft Graph Beta PowerShell module. The following PowerShell command demonstrates how to obtain this information for a specific user:
((Get-MgBetaUser -UserId <UserId> -Property SigninActivity).SignInActivity.AdditionalProperties).lastSuccessfulSignInDateTime
For exporting the last successful login time for all users, you can utilize the script provided below.
Download Script: M365UsersLastSuccessfulSigninReport.ps1
- The single script allows you to generate 10+ different last login reports.
- Provides details about interactive and non-interactive sign-ins separately.
- You can generate reports based on inactive days.
- Generates report for sign-in enabled users alone.
- Supports filtering licensed users alone.
- Finds external users’ last successful sign-in date and time.
- Export results to CSV file.
- The assigned licenses column shows the user-friendly name, like ‘Office 365 Enterprise E3’, rather than ‘ENTERPRISEPACK’.
- Automatically installs the MS Graph Beta PowerShell module (if not installed already) upon your confirmation.
- The script can be executed with an MFA-enabled account too.
- The script supports Certificate-based Authentication (CBA).
- The script is scheduler-friendly.
Microsoft 365 Users’ Last Successful Sign-in Report – Sample Output:
The exported Office 365 last login report contains the following attributes.
- User Principal Name
- User Creation Date and Time
- Last Successful Sign-in Date and Time
- Inactive Days
- Last Interactive Sign-in Time
- Last Non-interactive Sign-in Time
- Employee Id
- Assigned License Details
- Account Status (i.e., Sign-in Status)
- Job Title
Microsoft 365 Last Sign-in Report – Script Execution Methods:
You can choose any of the below methods based on your requirement.
Method 1: Execute the script with an admin account:
Export M365 users’ last successful sign-in activity report using a delegated admin account. It supports both MFA and non-MFA accounts.
Method 2: Schedule the Microsoft 365 inactive user report using certificates:
When you want to run the script unattended, you can choose this method. To use certificates, you must register the app in Azure AD and connect to MS Graph using the certificate.
.\M365LastSuccessfulSigninReport.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <CertThumbprint>
You can use either a CA certificate or create a self-signed SSL certificate. Most admins prefer self-signed certificates for internal use.
Export Last Successful Sign-in Date Report – Additional Use Cases:
As mentioned earlier, you can generate 10+ last sign-in reports using built-in filtering parameters. You can also combine multiple filtering parameters to export a more granular last login report.
- ExternalUsersOnly – Exports all external users’ last successful sign-in time.
- EnabledUsersOnly – Exports the last successful sign-in date for all the sign-in enabled users.
- DisabledUsersOnly – Generates the last successful sign-in activity time report for sign-in blocked users.
- LicensedUsersOnly – Retrieves the last successful log-in time for all the licensed users.
- InactiveDays – Helps to find inactive users based on their inactive days.
.\M365LastSuccessfulSigninReport.ps1 -InactiveDays 90
Note: Since the ‘lastSuccessfulSignInDateTime’ attribute launched on Dec 01, 2023, you will get data for a limited period.
- You can also use multiple filters together to generate more granular last sign-in reports.
.\M365LastSuccessfulSigninReport.ps1 -ExternalUsersOnly -EnabledUsersOnly
The above example will retrieve the last sign-in date for all the sign-in enabled external users.
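An added example, not part of the downloadable script: the hypothetical function Get-StaleAccount applies an inactivity threshold to the same AdditionalProperties path used in the single-user command above. It assumes that an account with no recorded successful sign-in has been inactive since the later of its creation date and December 1, 2023, when the property became available. The sample objects and contoso.example names are constructed.

```powershell
# Added example: Get-StaleAccount is a hypothetical helper, not part of the downloadable script.
function Get-StaleAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 90,
        [datetime] $Now = [datetime]::UtcNow
    )
    begin {
        # Per the article, the property only carries data from 1 Dec 2023 onward.
        $dataStart = [datetime]::new(2023, 12, 1, 0, 0, 0, [DateTimeKind]::Utc)
        $styles = [Globalization.DateTimeStyles]::AdjustToUniversal
    }
    process {
        # Same access path as the single-user command in the article.
        $raw = $User.SignInActivity.AdditionalProperties.lastSuccessfulSignInDateTime
        if ($raw) {
            $last  = [datetime]::Parse([string]$raw, [cultureinfo]::InvariantCulture, $styles)
            $since = $last
            $basis = 'LastSuccessfulSignIn'
        } else {
            # Assumption: no value means no successful sign-in since the later of
            # account creation and the date the property went live.
            $last    = $null
            $created = ([datetime]$User.CreatedDateTime).ToUniversalTime()
            $since   = if ($created -gt $dataStart) { $created } else { $dataStart }
            $basis   = 'NoSuccessfulSignInRecorded'
        }
        $days = [int][math]::Floor(($Now - $since).TotalDays)
        [pscustomobject]@{
            UserPrincipalName    = $User.UserPrincipalName
            LastSuccessfulSignIn = $last
            InactiveDays         = $days
            Basis                = $basis
            Stale                = ($days -ge $InactiveDays)
        }
    }
}
# Constructed sample objects shaped like Get-MgBetaUser output (no tenant needed).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'dormant@contoso.example'; CreatedDateTime = '2022-03-01T00:00:00Z'
        SignInActivity = @{ AdditionalProperties = @{ lastSuccessfulSignInDateTime = '2024-01-10T09:00:00Z' } } }
    [pscustomobject]@{ UserPrincipalName = 'never@contoso.example'; CreatedDateTime = '2022-03-01T00:00:00Z'
        SignInActivity = $null }
    [pscustomobject]@{ UserPrincipalName = 'newhire@contoso.example'; CreatedDateTime = '2024-05-01T00:00:00Z'
        SignInActivity = $null }
)
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)   # fixed clock for the sample
$sample | Get-StaleAccount -InactiveDays 90 -Now $now | Where-Object Stale
# Live: Get-MgBetaUser -All -Property UserPrincipalName,CreatedDateTime,SignInActivity | Get-StaleAccount
```

The Basis column separates accounts judged on an actual sign-in timestamp from those judged on the absence of one, so the second group can be reviewed before any disable or delete action.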
The introduction of the ‘LastSuccessfulSignInDateTime’ attribute is a significant improvement for administrators. It simplifies the process of auditing inactive users, providing a more accurate and efficient method.
I hope this blog assists you in effortlessly finding users’ last successful sign-in times during any investigation and tracking inactive users. Should you have any queries or suggestions for script enhancements, please feel free to reach out to us through the comment section.