EXPLORE
Sign In
← Back to Explore
kqlHunting

Most Recent Sign-in time for users in the last 30 days

Note this will not work if the user has no sign-in at ALL in the last 30 days. For reporting on last sign-ins for all users regardless of timewindow I would check out https://o365reports.com/2023/06/21/microsoft-365-inactive-user-report-ms-graph-powershell/

Detection Query

//Note this will not work if the user has no sign-in at ALL in the last 30 days. For reporting on last sign-ins for all users regardless of timewindow I would check out https://o365reports.com/2023/06/21/microsoft-365-inactive-user-report-ms-graph-powershell/
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0" //Successes only
| summarize arg_max(TimeGenerated,UserPrincipalName) by UserPrincipalName //Get Latest Time i.e. Maximize TimeGenerated

Data Sources

SigninLogs

Platforms

azure-ad

Tags

entra
Raw Content
//Note this will not work if the user has no sign-in at ALL in the last 30 days. For reporting on last sign-ins for all users regardless of timewindow I would check out https://o365reports.com/2023/06/21/microsoft-365-inactive-user-report-ms-graph-powershell/
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0" //Successes only
| summarize arg_max(TimeGenerated,UserPrincipalName) by UserPrincipalName //Get Latest Time i.e. Maximize TimeGenerated