Query Details

Legacy Auth Signin

Query

//Sign in Legacy authentication Azure AD

SigninLogs
| where TimeGenerated > ago(2d)
| where not(ClientAppUsed has "Mobile Apps and Desktop clients")
| where not(ClientAppUsed has "Browser")
| where (ClientAppUsed has "Exchange Web Services")
| summarize arg_max(TimeGenerated,*) by UserPrincipalName

Explanation

This query examines Azure AD sign-in logs from the past 2 days. It excludes sign-ins whose ClientAppUsed value contains "Mobile Apps and Desktop clients" or "Browser", keeps only those made through Exchange Web Services, and returns the most recent sign-in record for each UserPrincipalName.
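
An added example (not part of the original query page): the same Exchange Web Services filter run over constructed rows, extended with per-user counts so that a latest successful sign-in does not hide earlier failures. ReferenceTime, SampleSignins, EwsSignins and the sample users and IP addresses are assumptions made for the example; in SigninLogs a ResultType of "0" means the sign-in succeeded.

```kusto
// Constructed rows standing in for SigninLogs; not real tenant data.
// ReferenceTime is an assumed "now" so the sample is reproducible; against
// live data use ago(2d) as in the query above.
let ReferenceTime = datetime(2021-07-16 12:00:00);
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              ClientAppUsed:string, ResultType:string, IPAddress:string)
[
    // alice: two failed attempts, then a success from a different address
    datetime(2021-07-15 08:00:00), "alice@contoso.example", "Exchange Web Services", "50126", "203.0.113.10",
    datetime(2021-07-15 08:01:00), "alice@contoso.example", "Exchange Web Services", "50126", "203.0.113.10",
    datetime(2021-07-16 09:30:00), "alice@contoso.example", "Exchange Web Services", "0",     "198.51.100.7",
    // bob: one browser sign-in (dropped by the filter) and one EWS sign-in
    datetime(2021-07-16 10:00:00), "bob@contoso.example",   "Browser",               "0",     "192.0.2.44",
    datetime(2021-07-16 10:05:00), "bob@contoso.example",   "Exchange Web Services", "0",     "192.0.2.44",
    // carol: EWS sign-in that falls outside the 2-day window
    datetime(2021-07-10 07:00:00), "carol@contoso.example", "Exchange Web Services", "0",     "192.0.2.90"
];
// A row carries a single ClientAppUsed value, so the positive match on
// "Exchange Web Services" already excludes the Browser and
// "Mobile Apps and Desktop clients" rows.
let EwsSignins = SampleSignins
    | where TimeGenerated > ReferenceTime - 2d
    | where ClientAppUsed has "Exchange Web Services";
EwsSignins
| summarize
    arg_max(TimeGenerated, ResultType, IPAddress),  // latest EWS sign-in per user
    Signins   = count(),                            // all EWS sign-ins in the window
    Failures  = countif(ResultType != "0"),         // non-zero ResultType = failed sign-in
    SourceIPs = make_set(IPAddress)                 // distinct source addresses seen
  by UserPrincipalName
| order by Failures desc
```

To run it against a workspace, replace SampleSignins with SigninLogs and the ReferenceTime comparison with `TimeGenerated > ago(2d)`.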

Details

Rod Trent

Released: July 16, 2021

Tables

SigninLogs

Keywords

SigninLogs, TimeGenerated, ClientAppUsed, Mobile Apps and Desktop clients, Browser, Exchange Web Services, UserPrincipalName

Operators

where, not, has, ago, summarize, arg_max, by