Cloud Knowledge

Generate Azure Entra ID reports via Microsoft Graph API & PowerShell — logs, access reviews & conditional access.

How to Get Reports from Microsoft Graph API & PowerShell in Azure Entra ID

Learn step-by-step how to retrieve audit logs, sign-in logs, access reviews, group details, administrator changes, disabled users, and conditional access reports using Microsoft Graph API and PowerShell. Perfect for identity admins automating Azure Entra ID reporting.

Azure Entra ID audit and sign-in dashboard (illustration)

Why Use Microsoft Graph API & PowerShell for Reports?

Using Microsoft Graph API or Graph PowerShell allows administrators to automate reporting, integrate with SIEM tools, and create compliance-ready exports. These APIs consolidate auditLogs, signIns, and identityGovernance data under a unified schema. (Microsoft Docs)

Prerequisites & Permissions

  • App Registration: Create a service principal for app-only auth or sign in with an admin account.
  • Permissions: AuditLog.Read.All, Reports.Read.All, Directory.Read.All.
  • Licensing: Sign-in log APIs require Entra ID P1 or P2.
  • PowerShell Modules: Install Microsoft.Graph module.

Directory Audit Logs

Directory Audit Logs show every configuration or membership change. Query them via /auditLogs/directoryAudits.

GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge 2025-10-01T00:00:00Z
# PowerShell Example
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
Get-MgAuditLogDirectoryAudit -All | Export-Csv .\DirectoryAudits.csv -NoTypeInformation
Directory Audit Log export using Graph API

Sign-in Logs

Sign-in logs record user authentication events, MFA results, and Conditional Access status. (Docs)

GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2025-10-07T00:00:00Z
# PowerShell
$start = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $start" -All |
 Export-Csv .\SignIns.csv -NoTypeInformation
Azure Entra Sign-in Logs via Graph API

Access Reviews (Identity Governance)

GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions
GET https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions/{definitionId}/instances/{instanceId}/decisions

Access Reviews ensure least-privilege by certifying group and role memberships. These APIs require Entra ID P2. (Docs)

Group Details & Membership Audits

GET https://graph.microsoft.com/v1.0/groups
GET https://graph.microsoft.com/v1.0/groups/{groupId}/members

Administrator Details & Role Changes

GET https://graph.microsoft.com/v1.0/directoryRoles
GET https://graph.microsoft.com/v1.0/directoryRoles/{roleId}/members

Disabled / Inactive Users Report

GET https://graph.microsoft.com/v1.0/users?$filter=accountEnabled eq false
GET https://graph.microsoft.com/beta/users?$filter=signInActivity/lastSignInDateTime lt 2025-01-01T00:00:00Z

Conditional Access Policies & Evaluation Reports

GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies

Each sign-in record includes conditionalAccessStatus and applied policy IDs — join this with CA policy metadata to generate enforcement dashboards. (Docs)
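The join described above, as an added example (not code from the original article): it tallies each sign-in's AppliedConditionalAccessPolicies results per policy ID and joins the totals to the policy metadata. The function name and the sample policies and sign-ins are constructed for illustration; reading the policies with Get-MgIdentityConditionalAccessPolicy is assumed to need Policy.Read.All in addition to the scopes listed under Prerequisites.

```powershell
# Added example: per-policy Conditional Access enforcement summary.
function Get-CaEnforcementSummary {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # sign-in records
        [Parameter(Mandatory)] [object[]] $Policies   # CA policy metadata
    )
    # Tally evaluation results per policy ID; report-only outcomes share one bucket.
    $tally = @{}
    foreach ($s in $SignIns) {
        foreach ($a in $s.AppliedConditionalAccessPolicies) {
            if (-not $tally.ContainsKey($a.Id)) { $tally[$a.Id] = @{} }
            $key = if ("$($a.Result)" -like 'reportOnly*') { 'reportOnly' } else { "$($a.Result)" }
            $tally[$a.Id][$key] = 1 + [int]$tally[$a.Id][$key]
        }
    }
    # Join on policy ID. Policies with no evaluations are kept (all zeros), and
    # IDs seen only in the logs (for example, since-deleted policies) are flagged.
    $meta = @{}
    foreach ($p in $Policies) { $meta[$p.Id] = $p }
    $ids = @($meta.Keys) + @($tally.Keys | Where-Object { -not $meta.ContainsKey($_) })
    foreach ($id in $ids | Sort-Object) {
        $c = if ($tally.ContainsKey($id)) { $tally[$id] } else { @{} }
        [pscustomobject]@{
            PolicyId    = $id
            DisplayName = if ($meta.ContainsKey($id)) { $meta[$id].DisplayName } else { '(not in current policy set)' }
            State       = if ($meta.ContainsKey($id)) { "$($meta[$id].State)" } else { 'unknown' }
            Success     = [int]$c['success']
            Failure     = [int]$c['failure']
            NotApplied  = [int]$c['notApplied']
            ReportOnly  = [int]$c['reportOnly']
        }
    }
}

# Constructed sample data (not real tenant output). Against a tenant, pass
# (Get-MgAuditLogSignIn -Filter "createdDateTime ge $start" -All) and
# (Get-MgIdentityConditionalAccessPolicy -All) instead.
$policies = @(
    [pscustomobject]@{ Id = 'pol-1'; DisplayName = 'Require MFA for admins'; State = 'enabled' }
    [pscustomobject]@{ Id = 'pol-2'; DisplayName = 'Block legacy auth'; State = 'enabledForReportingButNotEnforced' }
    [pscustomobject]@{ Id = 'pol-3'; DisplayName = 'Compliant device only'; State = 'enabled' }
)
$signins = @(
    [pscustomobject]@{ AppliedConditionalAccessPolicies = @(
        [pscustomobject]@{ Id = 'pol-1'; Result = 'success' }, [pscustomobject]@{ Id = 'pol-2'; Result = 'reportOnlyFailure' }) }
    [pscustomobject]@{ AppliedConditionalAccessPolicies = @(
        [pscustomobject]@{ Id = 'pol-1'; Result = 'failure' }, [pscustomobject]@{ Id = 'pol-9'; Result = 'notApplied' }) }
)
Get-CaEnforcementSummary -SignIns $signins -Policies $policies | Format-Table
```

An enabled policy with zero rows in every column was never evaluated in the window, which is worth checking against its assignment scope; swap Format-Table for Export-Csv to feed a dashboard.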

End-to-End PowerShell Export Example

Connect-MgGraph -Scopes "AuditLog.Read.All","Reports.Read.All","Directory.Read.All"
$start = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")

# Sign-ins
$signins = Get-MgAuditLogSignIn -Filter "createdDateTime ge $start" -All
$signins | Export-Csv .\SignIns.csv -NoTypeInformation

# Group membership changes
$audits = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add member to group'" -All
$audits | Export-Csv .\GroupAudit.csv -NoTypeInformation

Best Practices & Observability

  • Retention: Export logs to Log Analytics for 90+ days retention.
  • Paging: Handle @odata.nextLink and HTTP 429 throttling.
  • Security: Store exports in RBAC-protected Storage Accounts.
  • Automation: Schedule reports with Logic Apps or Runbooks.

Conclusion & Next Steps

With Microsoft Graph API and PowerShell, you can build a complete Azure Entra reporting pipeline — covering audit logs, sign-ins, access reviews, groups, and conditional access data for security and compliance visibility.

Written by Cloud Knowledge – Your trusted source for Cloud IAM automation and Azure Entra deep dives.
