$DeviceId = "123456789-1234-1234-1234-123123123123"
Get-AzureAdAuditSigninLogs -top 1 -filter "appdisplayname eq 'Windows Sign In'" | where-object {$_.DeviceDetail.DeviceID -eq $DeviceID} | select-object userdisplayname
As part of a larger script, I am pulling a list of AzureAD device IDs into a foreach loop. I would like to then run the above command to only show me the details of each device that matches that device ID. The problem is that the device id is buried under Device Detail. I would like to add a where-object or something similar to compare $DeviceID to $DeviceDetail.DeviceID but that doesn't work. I know I am missing something simple, but I don't really work with data like this.
Id : 1111111-2223-3333-4444-1234567899
CreatedDateTime : 2023-12-06T14:37:09Z
UserDisplayName : JANE DOE
UserPrincipalName : [email protected]
UserId : 2222222-33333-33333-33333-3333333333
AppId : 2222222-33333-33333-33333-3333333333
AppDisplayName : Windows Sign In
IpAddress : xx.xx.xx.xxx
ClientAppUsed : Mobile Apps and Desktop clients
CorrelationId : 2222222-33333-33333-33333-3333333333
ConditionalAccessStatus : notApplied
OriginalRequestId :
IsInteractive : True
TokenIssuerName :
TokenIssuerType : AzureAD
ProcessingTimeInMilliseconds : 146
RiskDetail : hidden
RiskLevelAggregated : hidden
RiskLevelDuringSignIn : hidden
RiskState : none
RiskEventTypes :
ResourceDisplayName : Windows Azure Active Directory
ResourceId : 00000002-0000-0000-c000-000000000000
AuthenticationMethodsUsed : {}
Status : class SignInStatus {
ErrorCode: 0
FailureReason: Other.
AdditionalDetails:
}
DeviceDetail : class SignInAuditLogObjectDeviceDetail {
DeviceId: 123456789-1234-1234-1234-123123123123
DisplayName: DESKTOP-1234567
OperatingSystem: Windows
Browser:
IsCompliant: True
IsManaged: True
TrustType: Azure AD joined
}
Location : class SignInAuditLogObjectLocation {
City: Springfield
State: Texas
CountryOrRegion: US
}
MfaDetail :
AppliedConditionalAccessPolicies : {}
AuthenticationProcessingDetails : {class AdditionalDetail {
Key: Root Key Type
Value: Unknown
}
}
NetworkLocationDetails : {class SignInAuditLogObjectNetworkLocationDetails {
NetworkType: trustedNamedLocation
NetworkNames: System.Collections.Generic.List`1[System.String]
}
}
On non-nested data I can just reference the data properties using a where-object, but the data I am trying to retrieve is part of an array and thus I can't get Where-object to filter it.
$DeviceId = "123456789-1234-1234-1234-123123123123"
Get-AzureAdAuditSigninLogs -top 1 -filter "appdisplayname eq 'Windows Sign In'" | where-object {$_.DeviceDetail.DeviceID -eq $DeviceID} | select-object userdisplayname
I am not sure but I think it looks like you are working with PowerShell and attempting to filter the output of
Get-AzureAdAuditSigninLogs
based on a nested property (DeviceDetail.DeviceID
). PowerShell'sWhere-Object
cmdlet is indeed the right tool for this task, but you need to ensure that you are referencing the nested property correctly.In your case, the correct reference to the
DeviceID
property within theDeviceDetail
property would be$_.DeviceDetail.DeviceId
(note the lowercase "d" in "DeviceId"). PowerShell is case-sensitive, so it's crucial to use the correct casing for property names.Here's the corrected code:
Make sure that you use
$_.DeviceDetail.DeviceId
instead of$_.DeviceDetail.DeviceID
. If the casing is incorrect, the comparison won't work.This should filter the results based on the specified
$DeviceId
. If you're still facing issues, you might want to examine the output ofGet-AzureAdAuditSigninLogs -Top 1 -Filter "appdisplayname eq 'Windows Sign In'"
to understand the structure of the data you're working with and ensure that the property names are correct.