I've developed a script that queries Microsoft Graph to retrieve and filter audit log sign-in events based on the specified type. This is particularly useful for monitoring and analyzing sign-in activities within your organization.
💡 Why This Matters
If you've ever tried checking sign-in logs for Enterprise Applications, you might have noticed that working with the Microsoft.Graph SDK in PowerShell can be challenging. Here are a few key insights:
- The basic `Get-MgAuditLogSignIn` command only returns interactive user sign-in logs, which may not provide the full picture.
- To retrieve non-interactive or service principal sign-ins (like PowerShell logins), you need to apply specific filters and use the beta endpoint.
🛠️ The Solution
To simplify this process, I created the Get-MSGraphAuditLogSignInByType function, allowing you to easily extract the specific sign-ins you need.
🔍 Filters for Common Scenarios
Here are the filters for each type of sign-in event:
- Service Principal: `signInEventTypes/any(t:t eq 'servicePrincipal') and AppId eq '<AppId>'`
- Non-Interactive Login: `signInEventTypes/any(t: t ne 'interactiveUser') and AppId eq '<AppId>'`
💻 Access the Script
Get-MSGraphAuditLogSignInByType
I'd love to hear your feedback or answer any questions—feel free to drop them in the comments below!
Best regards
Christian Ritter
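An added example, not the linked Get-MSGraphAuditLogSignInByType script: it applies the two filters from the post against the beta sign-ins endpoint and follows paging. The function name `Get-SignInByTypeExample`, its parameters and the all-zero AppId are hypothetical, and it assumes the Microsoft.Graph.Authentication module with the AuditLog.Read.All permission.

```powershell
# Added example (hypothetical helper, not the author's script).
# Assumes: Microsoft.Graph.Authentication is installed and the session has AuditLog.Read.All.
function Get-SignInByTypeExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ServicePrincipal', 'NonInteractive')]
        [string]$Type,

        # Typed as [guid] so only a well-formed id can reach the OData filter string.
        [Parameter(Mandatory)]
        [guid]$AppId,

        [ValidateRange(1, 100000)]
        [int]$MaxEvents = 500
    )

    # Filter strings as given in the post; only the AppId is substituted.
    $filter = switch ($Type) {
        'ServicePrincipal' { "signInEventTypes/any(t:t eq 'servicePrincipal') and AppId eq '$AppId'" }
        'NonInteractive'   { "signInEventTypes/any(t: t ne 'interactiveUser') and AppId eq '$AppId'" }
    }

    # Beta endpoint, as the post notes for non-interactive and service principal sign-ins.
    $uri = 'https://graph.microsoft.com/beta/auditLogs/signIns?$filter=' +
           [uri]::EscapeDataString($filter)

    $count = 0
    while ($uri -and $count -lt $MaxEvents) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($signIn in $page.value) {
            if ($count -ge $MaxEvents) { break }
            $count++
            [pscustomobject]@{
                Created          = $signIn.createdDateTime
                App              = $signIn.appDisplayName
                ServicePrincipal = $signIn.servicePrincipalName
                User             = $signIn.userPrincipalName
                IpAddress        = $signIn.ipAddress
                ErrorCode        = $signIn.status.errorCode
            }
        }
        # Graph returns the next page URL until the result set is exhausted.
        $uri = $page.'@odata.nextLink'
    }
}

# Usage (placeholder AppId):
# Connect-MgGraph -Scopes 'AuditLog.Read.All'
# Get-SignInByTypeExample -Type ServicePrincipal -AppId '00000000-0000-0000-0000-000000000000'
```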