Query Details
Most Recent Sign In Time For Users In The Last 30 Days
Query
//Note this will not work if the user has no sign-in at ALL in the last 30 days. For reporting on last sign-ins for all users regardless of timewindow I would check out https://o365reports.com/2023/06/21/microsoft-365-inactive-user-report-ms-graph-powershell/ SigninLogs | where TimeGenerated > ago(30d) | where ResultType == "0" //Successes only | summarize arg_max(TimeGenerated,UserPrincipalName) by UserPrincipalName //Get Latest Time i.e. Maximize TimeGenerated
Explanation
This query is designed to retrieve the most recent successful sign-in for each user within the last 30 days. Here's a simple breakdown of what it does:
-
Data Source: It starts by looking at the
SigninLogs, which contains records of user sign-ins. -
Time Filter: It filters the logs to only include sign-ins that occurred in the past 30 days.
-
Success Filter: It further narrows down the results to only include successful sign-ins, indicated by
ResultType == "0". -
Summarization: For each user, identified by
UserPrincipalName, it finds the most recent sign-in time. This is done using thearg_maxfunction, which selects the entry with the maximumTimeGeneratedvalue for each user.
The query will not return any results for users who have not signed in at all in the last 30 days. If you need information on all users regardless of their sign-in activity within this time frame, you might want to explore other reporting options, such as using Microsoft Graph PowerShell as suggested in the comment.
Details
Jay Kerai
Released: February 19, 2025
Tables
Keywords
Operators