InactiveUsersLast90Days.ps1 - limit of 5000 audit log items #80

joeljeffery · 2020-10-09T08:12:09Z

This script only shows a list of users that have not logged in for 90 days or more if your tenancy happens to have fewer than 5000 matching audit log entries for the following actions over the last 90 days: UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed.

$loggedOnUsers = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed -ResultSize 5000

In any reasonably active tenancy, you're going to get mainly false positives.

You need to batch these requests.

The text was updated successfully, but these errors were encountered:

joeljeffery linked a pull request Oct 9, 2020 that will close this issue

Search audit log in batches of 5000 and don't retrieve failed login events #82

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

InactiveUsersLast90Days.ps1 - limit of 5000 audit log items #80

InactiveUsersLast90Days.ps1 - limit of 5000 audit log items #80

joeljeffery commented Oct 9, 2020

InactiveUsersLast90Days.ps1 - limit of 5000 audit log items #80

InactiveUsersLast90Days.ps1 - limit of 5000 audit log items #80

Comments

joeljeffery commented Oct 9, 2020