Find successful basic authentications quickly with PowerShell

This is a quick post, but useful for anyone who has not stamped out basic authentication in their environment. Or perhaps you’ve inherited several new clients, or need to identify this across many clients. In any case, you can always use the manual method of signing into the Azure GUI and filtering sign-in logs, which I’ll cover at the end for good measure. Or, you can use this PowerShell script, which is much more efficient:

What the script does:
  1. Checks for the AzureADPreview module and installs it if it's not detected
  2. Connects to Azure AD via PowerShell
  3. Pulls any successful sign-ins that used one of the basic authentication client apps and displays them as a table, including the time of the sign-in, UPN, App Display Name, IP of the sign-in, and the Client App (you can edit this to export to CSV if you'd like)
  4. Disconnects from Azure AD
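The post's own script is not reproduced in the text, so here is an added example (my code, not the author's) that follows the four steps above with the AzureADPreview module. It assumes that the `Get-AzureADAuditSignInLogs` OData filter accepts `createdDateTime` and `status/errorCode` (success is error code 0), and that the client-app names in `$legacyClientApps` match the entries the portal groups under "Legacy Authentication Clients"; the 30-day window is an arbitrary choice you can change.

```powershell
# Added example: list successful sign-ins that used legacy/basic auth client apps.
# Not the post's script; see the assumptions in the lead-in.

# 1. Install AzureADPreview if it is not already available
if (-not (Get-Module -ListAvailable -Name AzureADPreview)) {
    Install-Module -Name AzureADPreview -Scope CurrentUser -Force
}
Import-Module AzureADPreview

# 2. Connect to Azure AD (interactive sign-in; the account needs a role that can read sign-in logs)
Connect-AzureAD | Out-Null

# Client app names that the portal groups under "Legacy Authentication Clients".
# Assumed list: compare it against the Client App filter in your own tenant and edit as needed.
$legacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services',
    'SMTP', 'Universal Outlook'
)

# 3. Pull successful sign-ins (status/errorCode eq 0) from the last 30 days, then keep
#    only those whose client app is in the legacy list. Date and status are filtered
#    server-side; the client-app match is done locally so the list above is easy to edit.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "createdDateTime ge $since and status/errorCode eq 0"

$results = Get-AzureADAuditSignInLogs -Filter $filter -All $true |
    Where-Object { $legacyClientApps -contains $_.ClientAppUsed } |
    Select-Object @{ n = 'Time';      e = { $_.CreatedDateTime } },
                  @{ n = 'UPN';       e = { $_.UserPrincipalName } },
                  @{ n = 'App';       e = { $_.AppDisplayName } },
                  @{ n = 'IP';        e = { $_.IpAddress } },
                  @{ n = 'ClientApp'; e = { $_.ClientAppUsed } }

# Display as a table (newest first). Swap the last line for Export-Csv to save a file instead:
#   $results | Export-Csv -Path .\legacy-auth-success.csv -NoTypeInformation
$results | Sort-Object Time -Descending | Format-Table -AutoSize

# 4. Disconnect
Disconnect-AzureAD
```

Filtering on `status/errorCode eq 0` is what keeps the output to successful sign-ins only; drop that clause if you also want to see failed legacy attempts, which are useful for spotting password spraying against accounts that still allow basic auth. Each row in the output is an account, app and source IP that still depends on basic authentication and should be moved to modern auth before the protocol is blocked.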

I generated some dummy legacy authentication attempts in my dev tenant, one successful and one failed, so there is something to show in the output. The script in action is below:

You can see below the output from the script compared to the Azure sign-in logs. Only the successful sign-ins are output by the PowerShell script:

If you want to confirm, or you want to manually check the sign-in logs:
  • Sign in to portal.azure.com and navigate to Azure Active Directory. Select Sign-in logs in the left pane under Monitoring. Change the date filter to something greater than the last 24 hours. Add a filter, choose Client App, and click Apply.
  • After selecting Client App, the filter will show None Selected. Click the filter and select all available options under Legacy Authentication Clients, then click Apply. Any basic/legacy authentications will show in the results. See screenshots below.