Finding Devices Used for Multifactor Authentication

Track Down Unused Entra ID Registered Devices By Using Entra ID Sign-In Data

At the end of January, I wrote about how to use multiple sources of data to figure out which user accounts use multifactor authentication. The basic idea is to combine information about authentication methods defined for accounts with Entra ID sign-in logs and sign-in activity noted in Entra ID account properties to build a picture of actual multifactor authentication activity.

A reader question asked if the same technique could be used to identify which devices people use for multifactor authentication. The scenario described featured a user who has two registered phones but only uses one of them. The desire is to review which devices have been used in the last 30 days, possibly with a view to removing the unused devices.

A Lack of Device Information in Entra ID Sign-In Logs

Unfortunately, Entra ID does not capture device information for a large proportion of its sign-in records. Some of this is deliberate, such as the removal of PII data from sign-ins for guest accounts. In other cases, Entra ID simply fails to capture the device information. After poking around logs for a couple of hours, I can discern no reliable pattern of when Entra ID captures device information and when it doesn’t.

I decided to download the sign-in data from the Entra admin center as a CSV file as described in the original article, and edit the file to remove the first “incoming token type” column. I then imported the file into an array and sorted it to find the unique instances of device identifiers. Finally, I ran the Get-MgDevice cmdlet to retrieve the set of registered devices.

# Path to the sign-in log CSV exported from the Entra admin center (first column removed);
# the path below is a placeholder, adjust it to your exported file
$InputDataFile = "C:\Temp\SignInLogs.csv"
# Get-MgDevice needs a Graph session with permission to read device objects
Connect-MgGraph -Scopes Device.Read.All
Write-Host "Loading data"
# Sort newest first so the first match for a device is its most recent sign-in
[array]$Data = Import-Csv $InputDataFile | Sort-Object {$_.'Date (UTC)' -as [datetime]} -Descending
# Retrieve the unique device identifiers found in the sign-in logs, dropping redacted guest entries
[array]$FoundDevices = $Data | Sort-Object 'Device ID' -Unique
$FoundDevices = $FoundDevices | Where-Object {($_.'Device ID' -ne "{PII Removed}")} | Select-Object -ExpandProperty 'Device ID'
# Retrieve known (registered) devices
[array]$KnownDevices = Get-MgDevice -All
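Before trusting any list of "unused" devices, it helps to know how much of the exported log actually carries a device identifier. The function below, an added example that is not part of the article or its GitHub script, counts usable, blank and redacted Device ID values per client app. The column names are assumed to match the Entra admin center export used in the article, and the sample rows are constructed for the example; in practice the rows come from the Import-Csv call above.

```powershell
# Added example: measure Device ID coverage in exported sign-in rows so the
# unused-device list can be weighed against the gaps in the log.
# Assumes the export's column names: 'Date (UTC)', 'User', 'Username',
# 'Client App', 'Device ID', 'User agent'.
function Get-DeviceIdCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns
    )
    $SignIns | Group-Object 'Client App' | ForEach-Object {
        $rows   = $_.Group
        # Guest sign-ins carry the literal marker instead of a GUID
        $pii    = @($rows | Where-Object { $_.'Device ID' -eq '{PII Removed}' }).Count
        $blank  = @($rows | Where-Object { [string]::IsNullOrWhiteSpace($_.'Device ID') }).Count
        $usable = $rows.Count - $pii - $blank
        [PSCustomObject]@{
            'Client App'  = $_.Name
            SignIns       = $rows.Count
            'Usable ID'   = $usable
            Blank         = $blank
            'PII Removed' = $pii
            'Coverage %'  = [math]::Round(100 * $usable / $rows.Count, 1)
        }
    }
}

# Constructed sample rows shaped like the CSV export (not real tenant data)
$Sample = @'
"Date (UTC)","User","Username","Client App","Device ID","User agent"
"2024-03-01T08:10:00Z","Alice","alice@contoso.example","Mobile Apps and Desktop clients","a1b2c3d4-0000-0000-0000-000000000001","Microsoft Authenticator"
"2024-03-01T09:00:00Z","Alice","alice@contoso.example","Browser","","Mozilla/5.0"
"2024-03-02T10:30:00Z","Guest","guest_ext@contoso.example","Browser","{PII Removed}","Mozilla/5.0"
"2024-03-02T11:05:00Z","Bob","bob@contoso.example","Mobile Apps and Desktop clients","a1b2c3d4-0000-0000-0000-000000000002","Outlook-iOS"
"2024-03-03T07:45:00Z","Bob","bob@contoso.example","Browser","","Mozilla/5.0"
'@ | ConvertFrom-Csv

# Browser rows in the sample carry no usable identifier, mobile app rows do
Get-DeviceIdCoverage -SignIns $Sample | Format-Table -AutoSize
```

Run this against the real `$Data` array (`Get-DeviceIdCoverage -SignIns $Data`) to see which client apps contribute device evidence at all; a registered device that is only ever used through a client app with near-zero coverage cannot be declared unused on the strength of the log.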

Reporting Found Devices

The result is two arrays: one holding the device identifiers for the devices used for sign-ins; the other holding information about registered devices. To create a report, the script loops through the devices used for sign-ins and fetches information about the device and the last time it was used. In both cases, simple lookups against the arrays fetch the information needed for the report. Here’s the code:

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Device in $FoundDevices) {
    If (!([string]::IsNullOrWhiteSpace($Device))) {
        # Match on DeviceId (the identifier written to sign-in logs), not the directory object Id
        $DeviceDetails = $KnownDevices | Where-Object {$_.DeviceId -eq $Device}
        # $Data is sorted newest first, so the first match is the most recent sign-in
        $DataDetails = $Data | Where-Object {$_.'Device ID' -eq $Device} | Select-Object -First 1
        $SignInDate = Get-Date $DataDetails.'Date (UTC)' -format 'dd-MMM-yyyy HH:mm'
        # A device seen in the logs might no longer be registered, so guard the date formatting
        $RegisteredDate = $null
        If ($DeviceDetails.RegistrationDateTime) {
            $RegisteredDate = Get-Date $DeviceDetails.RegistrationDateTime -format 'dd-MMM-yyyy HH:mm'
        }
        $ReportLine = [PSCustomObject][Ordered]@{
            SignIn          = $SignInDate
            Device          = $Device
            'Device name'   = $DeviceDetails.DisplayName
            Id              = $DeviceDetails.Id
            OS              = $DeviceDetails.OperatingSystem
            Version         = $DeviceDetails.OperatingSystemVersion
            Registered      = $RegisteredDate
            'User agent'    = $DataDetails.'User agent'
            User            = $DataDetails.User
            UPN             = $DataDetails.Username
            Resource        = $DataDetails.Resource
            ClientApp       = $DataDetails.'Client App'
        }
        $Report.Add($ReportLine)
    }
}

The script also checks for the registered owner of the device using the Get-MgDeviceRegisteredOwner cmdlet (see this article for details). To keep things simple, I don’t show that code here.

The output report looks like the data shown in Figure 1.

Figure 1: Entra ID registered devices used for multifactor authentication

Now we know which devices have been used for multifactor authentication. Entra ID keeps sign-in data for a maximum of a month, so the generated report covers that period if that date range option is selected when downloading the data from the Entra admin center.

To report the registered devices for which no multifactor authentication sign-in was found, the script filters the registered devices against the set of device identifiers found in the sign-in data and reports what it finds:

# Compare on DeviceId: the sign-in log records the device identifier, not the directory object Id
[array]$UnusedDevices = $KnownDevices | Where-Object {$_.DeviceId -notin $FoundDevices} | Sort-Object DisplayName

Write-Host ""
Write-Host "The following devices cannot be found in a sign-in log"
Write-Host "------------------------------------------------------"

$UnusedDevices | Format-Table Id, DeviceId, DisplayName, OperatingSystem, RegistrationDateTime
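The two lookups above can be folded into one function that joins registered devices to the sign-in data on the right key. The code below is an added example, not the article's script: it joins on DeviceId (the GUID Entra ID writes into sign-in records) rather than the directory object Id, records the newest sign-in per device, tolerates devices without a registration date, and also surfaces identifiers that appear in the log but match no registered device. Both input arrays are constructed samples shaped like Import-Csv and Get-MgDevice output; in a real run, pass `$Data` and `$KnownDevices` from the article's script instead.

```powershell
# Added example: join registered devices to sign-in evidence on DeviceId.
# Inputs are shaped like the article's $KnownDevices (Get-MgDevice output) and
# $Data (Import-Csv of the Entra admin center export); samples are constructed.
function Compare-RegisteredDevices {
    param(
        [Parameter(Mandatory)] [object[]] $Registered,  # Id, DeviceId, DisplayName, RegistrationDateTime
        [Parameter(Mandatory)] [object[]] $SignIns      # rows with 'Device ID' and 'Date (UTC)'
    )
    # Newest sign-in per device identifier, ignoring blanks and redacted guest entries
    $LastSeen = @{}
    foreach ($row in $SignIns) {
        $id = $row.'Device ID'
        if ([string]::IsNullOrWhiteSpace($id) -or $id -eq '{PII Removed}') { continue }
        $when = [datetime]$row.'Date (UTC)'
        if (-not $LastSeen.ContainsKey($id) -or $when -gt $LastSeen[$id]) { $LastSeen[$id] = $when }
    }
    # One line per registered device, matched on DeviceId (never on the object Id)
    foreach ($dev in $Registered) {
        $seen = if ($dev.DeviceId) { $LastSeen[$dev.DeviceId] } else { $null }
        [PSCustomObject]@{
            DisplayName = $dev.DisplayName
            DeviceId    = $dev.DeviceId
            ObjectId    = $dev.Id
            Registered  = if ($dev.RegistrationDateTime) { ([datetime]$dev.RegistrationDateTime).ToString('dd-MMM-yyyy') } else { $null }
            LastSignIn  = if ($seen) { $seen.ToString('dd-MMM-yyyy HH:mm') } else { $null }
            Status      = if ($seen) { 'Used' } else { 'No sign-in evidence' }
        }
    }
    # Identifiers in the log with no matching registered device (deleted or foreign devices)
    foreach ($id in $LastSeen.Keys) {
        if ($Registered.DeviceId -notcontains $id) {
            [PSCustomObject]@{
                DisplayName = $null
                DeviceId    = $id
                ObjectId    = $null
                Registered  = $null
                LastSignIn  = $LastSeen[$id].ToString('dd-MMM-yyyy HH:mm')
                Status      = 'Not registered'
            }
        }
    }
}

# Constructed sample of registered devices (shape of Get-MgDevice output, not real data)
$Registered = @(
    [PSCustomObject]@{ Id = '11111111-1111-1111-1111-111111111111'; DeviceId = 'a1b2c3d4-0000-0000-0000-000000000001'; DisplayName = 'Alice iPhone'; RegistrationDateTime = '2023-06-12T10:00:00Z' }
    [PSCustomObject]@{ Id = '22222222-2222-2222-2222-222222222222'; DeviceId = 'a1b2c3d4-0000-0000-0000-000000000003'; DisplayName = 'Alice old Android'; RegistrationDateTime = '2022-01-20T09:00:00Z' }
    [PSCustomObject]@{ Id = '33333333-3333-3333-3333-333333333333'; DeviceId = 'a1b2c3d4-0000-0000-0000-000000000002'; DisplayName = 'Bob iPad'; RegistrationDateTime = $null }
)

# Constructed sample sign-in rows (shape of the CSV export)
$SignIns = @'
"Date (UTC)","User","Username","Client App","Device ID"
"2024-03-01T08:10:00Z","Alice","alice@contoso.example","Mobile Apps and Desktop clients","a1b2c3d4-0000-0000-0000-000000000001"
"2024-03-04T12:00:00Z","Alice","alice@contoso.example","Mobile Apps and Desktop clients","a1b2c3d4-0000-0000-0000-000000000001"
"2024-03-02T11:05:00Z","Bob","bob@contoso.example","Mobile Apps and Desktop clients","a1b2c3d4-0000-0000-0000-000000000002"
"2024-03-02T10:30:00Z","Guest","guest_ext@contoso.example","Browser","{PII Removed}"
"2024-03-05T09:15:00Z","Carol","carol@contoso.example","Mobile Apps and Desktop clients","a1b2c3d4-0000-0000-0000-000000000099"
'@ | ConvertFrom-Csv

# Expected: Alice iPhone used (last seen 04-Mar), Bob iPad used, Alice old Android has
# no sign-in evidence, and ...0099 is flagged as not registered
Compare-RegisteredDevices -Registered $Registered -SignIns $SignIns | Sort-Object Status, DisplayName | Format-Table -AutoSize
```

A "No sign-in evidence" row is a prompt for investigation rather than proof of disuse, for the reason the article gives: the device may have been used through a client app for which Entra ID logs no device details.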

It’s important to emphasize that the lack of evidence supporting the usage of these devices might be due to Entra ID not noting device information in sign-in records. In other words, the script can only generate evidence based on available data and it will probably take more investigation to determine exactly which devices are in active use. But at least we have a start.

You can download the script from GitHub.

A Partial Answer

It’s disappointing to discover that Entra ID doesn’t log device information for every sign-in record. No doubt good reasons exist why logging doesn’t happen. In any case, some information is available, and the script is a good example of extending an existing idea to cover a different scenario. This is only possible when you have a good understanding of how components like Entra ID and PowerShell work, but have I said that I know a good book to help with that challenge?


Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
