PowerShell AzureAD odata v3.0 filter

Question

So I am trying to fetch all sign-in logs that fails a particular Conditional Access that have been set in Report-Only mode.

The cmdlet is in preview and is unable to fetch all logs and then filtering using piping and powershell alone, so I am trying to query with a filter instead.

I currently have this query that runs successfully and returns lots of SignIn logs, but the results does not contains CA's with the result of "reportOnlyFailure" so something is wrong:

Get-AzureADAuditSignInLogs -Filter "AppliedConditionalAccessPolicies/any(c:c/id eq 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' and c/Result eq 'reportOnlyFailure')"

Answer 1

I found your post, because I have the exact same problem.

My Powershell skills are pretty low but I may have found one problem, even if I have no idean how to fix it.

Isn´t the part "and c/Result eq 'reportOnlyFailure'" searching for the result of all ConditionalAccessPolicies and maybe failing because of that?

Whould it be possible to do it like you would with a nested Where-Object? Something like this: $($.AppliedConditionalAccessPolicies | Where-Object {$.id -eq 'XXX' -or $_.id -eq 'XXX'}).result -eq "reportOnlyFailure"

I dont know the full syntax for the filter but maybe you could replace

AppliedConditionalAccessPolicies/any(...

with something like

AppliedConditionalAccessPolicies/(id eq 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx')(...

I hope maybe this is usefull or you already found a solution.

If you got a solution I would be very thankfull if you could post ist.

Have a nice day,

Christian