Last active
January 31, 2022 21:01
Gets a list of sign-ins that use older versions of TLS. The data can be queried either with PowerShell or in Log Analytics. Learn more about the AAD TLS deprecation: https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#overview-of-new-telemetry-in-the-sign-in-logs
// Interactive sign-ins only.
// Returns the SigninLogs rows whose AuthenticationProcessingDetails holds a
// "Legacy TLS..." entry with a true value.
// Scope: only the SigninLogs table is read, and no time filter is applied
// here, so the search window is whatever the query editor's time range is.
SigninLogs
// String pre-filters on the raw column, applied before the JSON is parsed.
| where AuthenticationProcessingDetails has "Legacy TLS"
| where AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
// Expand the key/value entries and keep only the value of the legacy-TLS key.
| mv-apply JsonAuthProcDetails on (
    where JsonAuthProcDetails.key startswith "Legacy TLS"
    | project HasLegacyTls = JsonAuthProcDetails.value
)
// The "True" pre-filter can be satisfied by a different key, so the value of
// the legacy-TLS entry itself is checked here.
| where HasLegacyTls == true
// Non-interactive sign-ins.
// Same check as the interactive query earlier in this file, run against the
// AADNonInteractiveUserSignInLogs table. Run it as a separate query.
// Scope: only this table is read; sign-ins recorded in other tables are not
// covered, and no time filter is applied here.
AADNonInteractiveUserSignInLogs
// String pre-filters on the raw column, applied before the JSON is parsed.
| where AuthenticationProcessingDetails has "Legacy TLS"
| where AuthenticationProcessingDetails has "True"
| extend JsonAuthProcDetails = parse_json(AuthenticationProcessingDetails)
// Expand the key/value entries and keep only the value of the legacy-TLS key.
| mv-apply JsonAuthProcDetails on (
    where JsonAuthProcDetails.key startswith "Legacy TLS"
    | project HasLegacyTls = JsonAuthProcDetails.value
)
// Confirm that the legacy-TLS entry itself is true, not just some other key.
| where HasLegacyTls == true
# Pre-requisites
#   Install-Module Microsoft.Graph
#
# Purpose: pull the sign-ins from the last $agoDays days that Azure AD flagged
# as legacy TLS and write them to two CSV files (interactive / non-interactive).
#
# NOTE(review): Select-MgProfile is a Microsoft.Graph SDK v1 cmdlet. SDK v2
# removed it and ships the beta cmdlets in the Microsoft.Graph.Beta module
# (Get-MgBetaAuditLogSignIn) - confirm which SDK version is installed.

$tId = "nnnnn"       # tenant ID
$agoDays = 4         # the log is filtered to the last $agoDays days from the current date/time
$startDate = (Get-Date).AddDays(-($agoDays)).ToString('yyyy-MM-dd')   # start date used in the Graph filter

# Directory on the local filesystem that receives the CSV files.
# The exports contain user principal names, user IDs and IP addresses, so
# pick a location whose access is restricted accordingly.
$pathForExport = "./"

Connect-MgGraph -TenantId $tId -Scopes "AuditLog.Read.All"   # could also use Directory.Read.All
Select-MgProfile "beta"                                       # Low TLS is available in the MS Graph preview endpoint

# OData clause shared by both queries: any processing-detail entry whose key is
# the legacy-TLS key and whose value is '1'.
$legacyTlsClause = "(authenticationProcessingDetails/any(x:x/key eq 'legacy tls (tls 1.0, 1.1, 3des)' and x/value eq '1'))"

$signInsInteractive = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime ge $startDate and $legacyTlsClause"
$signInsNonInteractive = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime ge $startDate and signInEventTypes/any(t: t eq 'nonInteractiveUser') and $legacyTlsClause"

# Pipeline helper: for every sign-in received, emits one trimmed record per
# AuthenticationProcessingDetails entry whose key matches "Legacy TLS" and whose
# value equals "True". The Graph filter above matches on x/value eq '1'; the
# returned objects are re-checked here against the string "True".
function Select-LegacyTlsSignIn {
    process {
        $signIn = $_
        foreach ($detail in $signIn.AuthenticationProcessingDetails) {
            $isLegacyKey = $detail.Key -match "Legacy TLS"
            $isFlagged = $detail.Value -eq "True"
            if ($isLegacyKey -and $isFlagged) {
                $signIn | Select-Object CorrelationId, createdDateTime, userPrincipalName, userId, UserDisplayName, AppDisplayName, AppId, IPAddress, isInteractive, ResourceDisplayName, ResourceId
            }
        }
    }
}

$signInsInteractive |
    Select-LegacyTlsSignIn |
    Export-Csv -NoTypeInformation -Path ($pathForExport + "Interactive_lowTls_$tId.csv")

$signInsNonInteractive |
    Select-LegacyTlsSignIn |
    Export-Csv -NoTypeInformation -Path ($pathForExport + "NonInteractive_lowTls_$tId.csv")
Try updating the Graph module to the latest version and restarting the PowerShell session.
Update-Module Microsoft.Graph
Any idea why I'd get a "Get-MgAuditLogSignIn Get-MgAuditLogSignIn_List: Method not found" error?
Here's a debug view of it. Not sure if I don't have a pre-req or am missing a step.
Running latest Powershell 7.2 and VSCode.
Love that you shared this here (and on Twitter, thanks)!