我在Graph筛选空值时遇到问题。总体目标是生成一个非活动报告,以报告上次登录时间超过90天的用户。许可证通过组分配,位于****extensionattribute 15中。脚本如下所示:
# Azure AD Enterprise App for authentication to the 84 tenant
$AppId = "X"
$TenantId = "X"
$AppSecret = 'X'
# Construct URI and body needed for authentication
$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
client_id = $AppId
scope = "https://graph.microsoft.com/.default"
client_secret = $AppSecret
grant_type = "client_credentials" }
# Get OAuth 2.0 Token
$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing
# Unpack Access Token
$token = ($tokenRequest.Content | ConvertFrom-Json).access_token
# Base URL
$headers = @{Authorization = "Bearer $token"}
# Get User sign in data
Write-Host "Accessing the Graph to get user sign-in data..."
$URI = "https://graph.microsoft.com/beta/users?`$filter=startsWith(extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute15,'E') or startswith(extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute15,'f') or startswith(extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute15,'k')&$select=displayName,userPrincipalName, mail, department, jobTitle, extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute14, extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute15, accountEnabled, signInActivity, UserType, id&`$expand=manager(`$select=displayName,userPrincipalName)&`$top=999"
$SignInData = (Invoke-RestMethod -Uri $URI -Headers $Headers -Method Get -ContentType "application/json")
$Report = [System.Collections.Generic.List[Object]]::new()
Foreach ($User in $SignInData.Value) {
If ($Null -ne $User.SignInActivity) {
$LastSignIn = Get-Date($User.SignInActivity.LastSignInDateTime) -format g
$DaysSinceSignIn = (New-TimeSpan $LastSignIn).Days }
Else { #No sign in data for this user account
$LastSignIn = "Never"
$DaysSinceSignIn = "N/A" }
## Report headers and variables
$ReportLine = [PSCustomObject] @{
UPN = $User.UserPrincipalName
DisplayName = $User.DisplayName
Email = $User.Mail
SignInStatus = $User.accountEnabled
Department = $User.department
AADLastSignIn = $LastSignIn
JobTitle = $User.jobTitle
JobCode = $User.extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute14
License = $User.extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute15
Manager = if($User.manager) { $User.manager.userPrincipalName } Else {$null}
}
$Report.Add($ReportLine)
}
# Check for additional data to obtain
$NextLink = $SignInData.'@Odata.NextLink'
While ($NextLink -ne $Null) { # If so, proceed with processing the additional data.
Write-Host "Still processing..."
$SignInData = Invoke-WebRequest -Method GET -Uri $NextLink -ContentType "application/json" -Headers $Headers
$SignInData = $SignInData | ConvertFrom-JSon
ForEach ($User in $SignInData.Value) {
If ($Null -ne $User.SignInActivity) {
$LastSignIn = Get-Date($User.SignInActivity.LastSignInDateTime) -format g
$DaysSinceSignIn = (New-TimeSpan $LastSignIn).Days }
Else { #No sign in data for this user account
$LastSignIn = "Never"
$DaysSinceSignIn = "N/A" }
$ReportLine = [PSCustomObject] @{
UPN = $User.UserPrincipalName
DisplayName = $User.DisplayName
Email = $User.Mail
SignInStatus = $User.accountEnabled
Department = $User.department
AADLastSignIn = $LastSignIn
JobTitle = $User.jobTitle
JobCode = $User.extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute14
License = $User.extension_1fe7973b28e74213b897d62528e614c7_extensionAttribute15
Manager = if($User.manager) { $User.manager.userPrincipalName } Else {$null}
}
$Report.Add($ReportLine) }
# Check for more data
$NextLink = $SignInData.'@Odata.NextLink'
}
$Report | Sort DisplayName | Out-GridView
脚本输出的用户有许可证,但所有的最后一次登录都是“从不”,而不是他们的实际日期。删除过滤器当然会得到他们的实际最后一次登录日期,但输出的是所有非许可用户和许可用户。
有人对我可以做的任何编辑有任何建议吗,或者有更好的方法来过滤extension 15的非值吗?我不确定过滤$Reportline以下的值是否会更有效。任何帮助都是非常感谢的!!!
2条答案
按热度按时间tcbh2hod1#
还有另一种检测非活动用户的方法:
signInActivity资源类型仅在Microsoft Graph beta终结点上可用,在美国政府GCC高级环境中尚不受支持。
有关详细信息,请访问:https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts#how-to-detect-inactive-user-accounts
8fq7wneg2#
从过去的经验来看,每次我使用这样的东西时都会出现问题
您正在使用的
If ($Null -ne $User.SignInActivity)
。不妨尝试一下
If (-not[string]::IsNullOrEmpty($User.SignInActivity))
变量可以是空字符串,而不是完全为$null的变量
希望我的猜测能帮助你实现你想做的事情