Jóhannes's blog

Who has been logging in?

·

Did you know that you can see the entra user GUID of the accounts that have been logging into intune managed devices?

You only need the Microsoft.Graph.Authentication Module to run this, as I don’t rely on mggraph cmdlets to do anything (and neither should you!)

All you need to do is input the Intune device GUID, and it will output a list of all the users that have been logging in lately


function Get-IntuneDeviceLogonInfo {
    param (
        [Parameter(Mandatory = $true)]
        [string]$DeviceGuid
    )

    # authenticate to Graph with required scopes
    # Scopes: DeviceManagementManagedDevices.Read.All, User.Read.All
    # Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","User.Read.All"

    # lets check graph for the device metadata
    # one time adam gross killed 2 flies with one tictac by throwing it across the room. "All in the wrist" he said.
    $deviceUrl = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$DeviceGuid"
    $deviceResponse = Invoke-MgGraphRequest -Method GET -Uri $deviceUrl

    if (-not $deviceResponse.usersLoggedOn) {
        Write-Host "No logged-on users found for device $DeviceGuid"
        return
    }

    $results = @()

    foreach ($user in $deviceResponse.usersLoggedOn) {
        $userId = $user.userId
        $lastLogon = $user.lastLogOnDateTime

        # the device metadata only contains the entra userID GUID, so lets resolve that
        $userUrl = "https://graph.microsoft.com/beta/users/$userId"
        $userResponse = Invoke-MgGraphRequest -Method GET -Uri $userUrl

        $results += [PSCustomObject]@{
            UserPrincipalName = $userResponse.userPrincipalName
            LastLogonDateTime = $lastLogon
        }
    }

    return $results
}

Example use:

Get-IntuneDeviceLogonInfo -DeviceGuid 8ebef90e-24e9-450b-9185-5e81ed605693

The output will look like this:

UserPrincipalName LastLogonDateTime
----------------- -----------------
anthony@zawa.com       11.11.2025 09:36:07
inoue@zawa.com         18.11.2025 10:36:49
adamgross@zawa.com     18.11.2025 17:11:40
martin@zawa.com        20.11.2025 12:34:03

Ive been using this to keep track of who has been using our loaner laptops, with great success.

2 responses to “Who has been logging in?”

  1. Anthony J. Fontanez Avatar
    Anthony J. Fontanez

    Why you tracking my logins? Stop spying on me!

    Like

    Reply
    1. Jóhannes Kristjánsson Avatar
      Jóhannes Kristjánsson

      because you are an authentication menace

      Like

      Reply

Leave a reply to Anthony J. Fontanez Cancel reply

Get updates

From art exploration to the latest archeological findings, all here in our weekly newsletter.

Subscribe