SignInRiskChecker is a PowerShell tool that investigates user activity through Microsoft Graph and determines whether any users are at risk, based on their sign-in logs and associated devices. If you don't use Intune with devices assigned to users in 365, this script is probably not for you.
We assume that any sign-in that isn't associated with the user's assigned device is a risk, and any sign-in associated with that device is not a risk.
- PowerShell 7 or later
- Microsoft.Graph PowerShell module
The tool requires the following Microsoft Graph permissions:
- AuditLog.Read.All
- openid
- profile
- User.Read
- User.ReadWrite.All
- Group.ReadWrite.All
- Directory.ReadWrite.All
- Install the Microsoft.Graph PowerShell module if you haven't already:

  ```powershell
  Install-Module Microsoft.Graph -Scope CurrentUser
  ```

- Clone the repository:

  ```powershell
  git clone https://github.com/yourusername/SignInRiskChecker.git
  cd SignInRiskChecker
  ```

- Open the `SignInRiskChecker.ps1` script in a text editor to customize the `$usersToInvestigate` array with the user display names you want to investigate.
- Open a PowerShell terminal.
- Run the script:

  ```powershell
  .\SignInRiskChecker.ps1
  ```

- The script will:
  - Connect to Microsoft Graph using device code authentication.
  - Iterate through the users specified in the `$usersToInvestigate` array.
  - Check for Windows devices that were signed in within the last 7 days.
  - Retrieve sign-in logs and determine if any sign-ins were made from devices other than the user's most recent Windows device.
  - Mark users as "At Risk" if any such sign-ins are found.
  - Output the status of each user.
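
The device-matching rule described above, shown as an added offline example; it is not code from `SignInRiskChecker.ps1`. The function name `Get-SignInRiskStatus`, the `OK` status label, and the sample records are assumptions. The records are constructed to mimic the `deviceDetail.deviceId` field of Microsoft Graph sign-in entries, including a sign-in that reports no device ID at all.

```powershell
# Added illustration, not the project's own code.
# Get-SignInRiskStatus is a hypothetical helper name.
function Get-SignInRiskStatus {
    param(
        [Parameter(Mandatory)] [string] $UserDisplayName,
        [Parameter(Mandatory)] [string] $AssignedDeviceId,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $SignIns
    )
    # A sign-in counts as safe only when it carries the assigned device's ID.
    # An empty deviceId (for example an unregistered device) is a mismatch,
    # which follows from the "not the assigned device = risk" assumption.
    $unmatched = @($SignIns | Where-Object {
        [string]::IsNullOrEmpty($_.deviceDetail.deviceId) -or
        $_.deviceDetail.deviceId -ne $AssignedDeviceId   # -ne ignores case
    })
    [pscustomobject]@{
        User      = $UserDisplayName
        Status    = if ($unmatched.Count -gt 0) { 'At Risk' } else { 'OK' }
        Unmatched = $unmatched
    }
}

# Constructed sample data: placeholder GUIDs and documentation IP addresses.
$assigned = '11111111-1111-1111-1111-111111111111'
$signIns = @(
    [pscustomobject]@{
        createdDateTime = '2024-01-10T08:01:00Z'; ipAddress = '192.0.2.10'
        deviceDetail    = [pscustomobject]@{ deviceId = $assigned }
    }
    [pscustomobject]@{
        createdDateTime = '2024-01-10T23:40:00Z'; ipAddress = '198.51.100.7'
        deviceDetail    = [pscustomobject]@{ deviceId = '22222222-2222-2222-2222-222222222222' }
    }
    [pscustomobject]@{
        createdDateTime = '2024-01-11T02:15:00Z'; ipAddress = '203.0.113.44'
        deviceDetail    = [pscustomobject]@{ deviceId = '' }   # no device ID reported
    }
)

$result = Get-SignInRiskStatus -UserDisplayName 'Example User' `
    -AssignedDeviceId $assigned -SignIns $signIns
$result | Select-Object User, Status
$result.Unmatched | Select-Object createdDateTime, ipAddress
```

With this sample the user is reported as "At Risk", and the two unmatched sign-ins (the other device and the one with no device ID) are listed for review.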