Vel

Reputation: 75

Get-AzureADAuditDirectoryLogs Find users who updated their phone number

I need to find all users who changed their phone number on Azure AD. I was hoping I could find that information with Get-AzureADAuditDirectoryLogs, but I am not able to find anything.

Get-AzureADAuditDirectoryLogs -All $true -Filter "activityDateTime le 2019-12-18 and Category eq 'UserManagement' and OperationType eq 'Update' and ActivityDisplayName eq 'Update user'" 

My question is: where and how can I find when a user has added or updated a field on their account?

Upvotes: 0

Views: 2744

Answers (1)

Joy Wang

Reputation: 42133

Per my test, your command should work.

Get-AzureADAuditDirectoryLogs -All $true -Filter "activityDateTime le 2020-01-04 and Category eq 'UserManagement' and OperationType eq 'Update' and ActivityDisplayName eq 'Update user'"


but I am not able to find anything

The reason that I can find may be the activityDateTime le 2019-12-18. le means less than or equal to, so the max value is 2019-12-18 00:00:00. If the activity happened at e.g. 2019-12-18 01:17:12, then it will not be returned in the result; you need to use activityDateTime le 2019-12-19.

Update:

If you want to export the new phone numbers to a csv file, try the script below.

Note: When you use the query above, it will also include the other user update information, like JobTitle, Department, etc., so we need to exclude them in the script. There are Office phone (TelephoneNumber) and Mobile phone (Mobile) in Azure AD user properties; in my sample, they are both included. You can also modify this line if($log.TargetResources.ModifiedProperties.NewValue[1].Trim(""",""") -eq 'Mobile' -or $log.TargetResources.ModifiedProperties.NewValue[1].Trim(""",""") -eq 'TelephoneNumber') in the script to meet your own requirement.


# Collect one row per audit entry whose updated attribute is a phone number
$users = @()
$logs = Get-AzureADAuditDirectoryLogs -All $true -Filter "activityDateTime le 2020-01-07 and Category eq 'UserManagement' and OperationType eq 'Update' and ActivityDisplayName eq 'Update user'"
foreach($log in $logs){
    # The script treats NewValue[1] as the name of the updated attribute; keep only Mobile and TelephoneNumber
    if($log.TargetResources.ModifiedProperties.NewValue[1].Trim(""",""") -eq 'Mobile' -or $log.TargetResources.ModifiedProperties.NewValue[1].Trim(""",""") -eq 'TelephoneNumber'){
        # NewValue[0] is read as the new phone number; strip the surrounding brackets, quotes and commas
        $obj = [PSCustomObject]@{
            UserPrincipalName = $log.TargetResources.UserPrincipalName
            Phone = $log.TargetResources.ModifiedProperties.NewValue[0].Trim("["",""]")
        }
        $users += $obj
    }
}
# Write the collected rows to a CSV file
$users | Export-Csv -Path C:\Users\joyw\Desktop\phone.csv -NoTypeInformation

The csv file will be like below, including the UserPrincipalName and its new phone number.


Upvotes: 1
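
Added example, not part of the answer above: the answer's script reads the changed attribute by position (NewValue[1] and NewValue[0]), so this variant matches each ModifiedProperties entry by name instead and also records the old value and who made the change, which is what a reviewer of phone-number changes usually wants to see. The DisplayName, OldValue, InitiatedBy and ActivityDateTime fields, the function name Get-PhoneChange and the sample record are assumptions about the log shape, constructed here so the block runs offline.

```powershell
# Added example: pick phone changes by property name, not by array position.
function Get-PhoneChange {
    param(
        [Parameter(ValueFromPipeline = $true)] $Log,
        [string[]] $Property = @('Mobile', 'TelephoneNumber')
    )
    process {
        foreach ($target in $Log.TargetResources) {
            foreach ($mp in $target.ModifiedProperties) {
                # Skip JobTitle, Department and other non-phone attributes
                if ($Property -notcontains $mp.DisplayName) { continue }
                [PSCustomObject]@{
                    ActivityDateTime  = $Log.ActivityDateTime
                    UserPrincipalName = $target.UserPrincipalName
                    Property          = $mp.DisplayName
                    # Values arrive as text like ["+1 555 0100"]; strip brackets and quotes
                    OldValue          = "$($mp.OldValue)".Trim('[]" ')
                    NewValue          = "$($mp.NewValue)".Trim('[]" ')
                    # Empty when the change was not initiated by a user account
                    ChangedBy         = $Log.InitiatedBy.User.UserPrincipalName
                }
            }
        }
    }
}

# Constructed sample entry (assumed shape): one update touching two attributes
$sample = [PSCustomObject]@{
    ActivityDateTime = '2019-12-18T01:17:12Z'
    InitiatedBy      = [PSCustomObject]@{ User = [PSCustomObject]@{ UserPrincipalName = 'helpdesk@contoso.example' } }
    TargetResources  = @([PSCustomObject]@{
        UserPrincipalName  = 'alice@contoso.example'
        ModifiedProperties = @(
            [PSCustomObject]@{ DisplayName = 'JobTitle'; OldValue = '["Analyst"]'; NewValue = '["Engineer"]' }
            [PSCustomObject]@{ DisplayName = 'Mobile'; OldValue = '[]'; NewValue = '["+1 555 0100"]' }
            [PSCustomObject]@{ DisplayName = 'Included Updated Properties'; OldValue = ''; NewValue = '"JobTitle, Mobile"' }
        )
    })
}

$sample | Get-PhoneChange | Format-Table -AutoSize
# With real data, pipe the answer's $logs instead: $logs | Get-PhoneChange | Export-Csv ...
```

Rows where ChangedBy differs from UserPrincipalName are changes made on the user's behalf, which are worth a second look when the phone number is also used for account recovery or MFA.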
