
How to Export Guest User Sign-ins in Microsoft 365

Keeping a close watch on guest user sign-ins in Microsoft 365 is vital to secure your organization from potential threats. Without proper monitoring, guest users could increase your attack surface by accessing sensitive data through unmanaged devices or applications. Identifying and addressing these risks is essential to safeguard your environment from unauthorized activities. This guide will walk you through the strategies to audit and export guest user sign-ins in Microsoft 365, helping you take control of external access in the organization.

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
  • Least privilege: View-only Audit Log Role
  • Most privilege: Global Admin
  • Navigate to the Sign-in logs tab in the Microsoft Entra admin center.
  • Click on Add filters, select UserType, and then click Apply.
  • Under the UserType, select Guest and click Apply to audit guest user login activities in Microsoft Entra ID.
  • Note: By default, the logs show data for the last 24 hours, but you can customize the date range up to 30 days.

Using PowerShell

Microsoft 365 Permission Required
  • Least privilege: View-only Audit Log Role
  • Most privilege: Global Admin
  • Install and connect to the Microsoft Graph Beta PowerShell module using the cmdlets below.
     Install-Module Microsoft.Graph.Beta
     Connect-MgGraph -Scopes "AuditLog.Read.All"
  • Run the cmdlet below in PowerShell to view guest users’ login details in Microsoft 365.
     Get-MgBetaAuditLogSignIn -Filter "UserType eq 'Guest'" | Format-Table CreatedDateTime, UserPrincipalName, AppDisplayName, ResourceDisplayName
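
The cmdlet above only prints a table to the console. The following added example (not code from this page or from the GetEntraSigninLogs.ps1 script) flattens each sign-in record, including the nested Status object, into rows and writes them to a CSV file. ConvertTo-GuestSignInRow, the output path and the sample records are assumptions made for illustration.

```powershell
# Added example. ConvertTo-GuestSignInRow is a hypothetical helper name.
function ConvertTo-GuestSignInRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$SignIn
    )
    process {
        # Status is a nested object; an error code of 0 means the sign-in succeeded.
        $errorCode = [int]$SignIn.Status.ErrorCode
        $result    = if ($errorCode -eq 0) { 'Success' } else { 'Failure' }

        [pscustomobject]@{
            CreatedDateTimeUtc  = ([datetime]$SignIn.CreatedDateTime).ToUniversalTime().ToString('u')
            UserPrincipalName   = $SignIn.UserPrincipalName
            AppDisplayName      = $SignIn.AppDisplayName
            ResourceDisplayName = $SignIn.ResourceDisplayName
            IPAddress           = $SignIn.IPAddress
            Result              = $result
            ErrorCode           = $errorCode
            FailureReason       = $SignIn.Status.FailureReason
        }
    }
}

# Constructed sample records shaped like the cmdlet's output (not real tenant data).
$sampleSignIns = @(
    [pscustomobject]@{
        CreatedDateTime     = '2025-01-10T08:15:00Z'
        UserPrincipalName   = 'alex_fabrikam.example#EXT#@contoso.example'
        AppDisplayName      = 'Microsoft Teams'
        ResourceDisplayName = 'Microsoft Teams'
        IPAddress           = '203.0.113.10'
        Status              = [pscustomobject]@{ ErrorCode = 0; FailureReason = 'Other.' }
    }
    [pscustomobject]@{
        CreatedDateTime     = '2025-01-10T09:42:00Z'
        UserPrincipalName   = 'sam_northwind.example#EXT#@contoso.example'
        AppDisplayName      = 'SharePoint Online'
        ResourceDisplayName = 'SharePoint Online'
        IPAddress           = '198.51.100.23'
        Status              = [pscustomobject]@{ ErrorCode = 50126; FailureReason = 'Invalid username or password.' }
    }
)

# Write the flattened rows to a CSV file, then read it back to confirm the columns.
$csvPath = Join-Path ([System.IO.Path]::GetTempPath()) 'GuestSignIns.csv'
$sampleSignIns | ConvertTo-GuestSignInRow |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
Import-Csv -Path $csvPath | Format-Table Result, ErrorCode, UserPrincipalName, AppDisplayName

# Against a tenant, feed the page's query instead of the sample; -All pages through every result:
# Get-MgBetaAuditLogSignIn -Filter "UserType eq 'Guest'" -All |
#     ConvertTo-GuestSignInRow | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
```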

Using PowerShell Script

Microsoft 365 Permission Required
  • Least privilege: View-only Audit Log Role
  • Most privilege: Global Admin
  • Retrieving guest user sign-ins in Microsoft 365 often requires script knowledge or navigating through several admin center tabs.
  • To simplify this process, we have developed a user-friendly PowerShell script that streamlines the task.
  • This script generates a dedicated report on Microsoft 365 guest user login activities, capturing both successful and failed login attempts.
  • Download and execute the script below to export Microsoft 365 users’ sign-in logs effectively.

GetEntraSigninLogs.ps1
  • To get only guest user login attempts, run the script as shown below.
     ./GetEntraSigninLogs.ps1 -GuestUserSignInsOnly

Audit Guest Sign-in Logs to Prevent Unauthorized Access in Microsoft 365

AdminDroid’s Azure AD auditing tool offers detailed reports on guest user sign-ins, which enables admins to monitor their access and detect suspicious activities. It streamlines guest user management with rich filtering, customizable columns, and advanced report sharing features for better security and oversight.

Investigate Risky Guest Sign-ins to Avoid Security Breaches

Monitor risky guest user sign-ins to detect unusual login behaviors, access from compromised credentials, and other anomalies for early threat detection.

Stay Updated on Sign-ins from Unmanaged Devices

Receive real-time notifications for guest user sign-ins from unmanaged devices with AdminDroid's alerting feature. Identify risky access attempts for enhanced compliance and data protection.

Get Regular Updates on Guest User Logins

Utilize the scheduling feature to get guest user sign-in reports daily, weekly, or monthly to your inbox, which helps monitor and manage excessive permission allocations in your organization.

Track External User Activities in Microsoft 365

Use the external user activity dashboard to monitor all activities of external users across Microsoft 365, including Azure AD, Exchange Online, SharePoint, Teams, and more, to ensure secure collaboration.

Audit External User Creations to Identify Illegitimate Accounts

Regularly review external user creations to identify unauthorized accounts, detect anomalies, and prevent potential risks like privilege misuse, insider threats, or data breaches.

Identify Disabled Guest User Login Attempts in Microsoft 365

Detect inactive guest user sign-in attempts with the help of AdminDroid's disabled user login report and prevent unauthorized logins to critical resources.

In summary, AdminDroid helps you monitor suspicious sign-in attempts by guest users in Microsoft 365. With its comprehensive reports, you can ensure secure collaboration with external users and enhance your organization's security.


Important Tips

Assign the Guest Inviter role in Entra ID to control who can invite guest users, limit access to authorized users, and reduce security risks.

Implement a blocklist policy in Entra ID to prevent guest users from signing in from untrusted domains, which helps avoid accidental sharing of sensitive resources.

Use access reviews in Microsoft Entra ID to regularly assess guest user activity and remove inactive accounts, to ensure only active users have sign-in access.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while managing guest users’ Microsoft 365 sign-in logs.

Error: The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error will occur if the Microsoft Graph Beta module isn't installed properly.

Fix: Install the Microsoft Graph Beta PowerShell module. If it is already installed, updating it could resolve the issue.
# Run the cmdlet below to install it.
Install-Module Microsoft.Graph.Beta
# Run the cmdlet below to update it.
Update-Module Microsoft.Graph.Beta

Error: Get-MgAuditLogSignIn : One or more errors occurred.

This error typically occurs when you have multiple versions of the Microsoft Graph PowerShell module installed. To identify the available versions of the Microsoft Graph PowerShell module, run the following cmdlet.

Get-Module -Name Microsoft.Graph -ListAvailable

Fix: To fix the problem, you need to uninstall all the older versions of the Graph module.
# Replace <version_number> with the specific version you want to uninstall, e.g., '1.0.0'.
Uninstall-Module -Name "Microsoft.Graph" -RequiredVersion <version_number> -Force

Error: Get-MgAuditLogSignIn : You cannot perform the requested operation, required scopes are missing in the token.

This error occurs when you don't have the required permissions to audit the sign-in events in the Microsoft Graph Beta PowerShell module.

Fix: Connect to the Microsoft Graph Beta PowerShell module using the cmdlet below and allow permission to access sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All"

Error: ./GetEntraSigninLogs.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when the system's execution policy blocks the running of PowerShell scripts that are not digitally signed.

Fix: To resolve the issue, change the execution policy by running the cmdlet below.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

Error: AADSTS500571 - Guest user account is disabled

This error occurs when a guest user tries to sign in to an application integrated with Microsoft Entra ID, but their account is disabled on the resource tenant.

Fix: To resolve the issue, the resource tenant owner needs to re-enable the guest account by running the cmdlet below.
# Replace <UserID> with the guest user's ID or email.
Update-MgUser -UserId <UserID> -AccountEnabled:$true

Frequently Asked Questions

Keep Track of Guest User Sign-ins in Microsoft 365 to Prevent Security Breaches

1. How to find guest users’ last logon time in Microsoft 365?

Exporting the last logon time of guest users in Microsoft 365 helps detect inactive accounts and ensures that access is removed when no longer needed. This approach reduces the risk of unauthorized access through inactive guest accounts.

Find guest users’ last logon time in Microsoft Entra ID

  • Navigate to All users in the Microsoft Entra admin center.
  • Click on Add filter, select ‘User type’ as Guest and then click Apply.
  • In ‘Manage View’, select Edit columns and choose 'Last interactive & non-interactive sign-in time' columns from the drop-down.
  • Click Save to get the last login time of Microsoft 365 guest users.

Note: Interactive sign-ins are performed directly by users, requiring credentials or MFA. Non-interactive sign-ins occur in the background, where applications or systems automatically use tokens to maintain the user's session without requiring direct input.

Exporting the guest users' last sign-in time report is not possible through the Microsoft Entra admin center. However, with PowerShell, admins can efficiently fetch and export the guest users' last login details.

Get last login dates for all guests using PowerShell

Connect to the Microsoft Graph PowerShell with the required permission using the cmdlet below.

Connect-MgGraph -Scopes "AuditLog.Read.All"

Run the below cmdlet to retrieve the last sign-in time of all guest users in Microsoft 365.

Get-MgBetaUser -Filter "UserType eq 'Guest'" -Property UserPrincipalName, DisplayName, SignInActivity -All | Select UserPrincipalName, DisplayName, @{Name="LastSignInDateTime";Expression={$_.SignInActivity.LastSignInDateTime}}, @{Name="LastNonInteractiveSignInDateTime";Expression={$_.SignInActivity.LastNonInteractiveSignInDateTime}} | Format-Table

Moreover, you can use the script below to export Microsoft 365 guest users’ last logon time report. The report includes details such as UPN, last sign-in time, inactive days, license details, account status, and more.

M365GuestsLastLoginTimeReport.ps1

While native methods allow you to audit guest users' sign-in logs for the past 30 days, the above PowerShell script gives you the ability to schedule the script to run weekly or monthly, offering timely insights for extended audit purposes.
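
The last-logon query above returns two timestamps per guest, and a guest whose session is kept alive by tokens can look stale if only the interactive one is checked. The following added example (not the M365GuestsLastLoginTimeReport.ps1 script or code from this page) takes the later of the two, handles guests with no sign-in activity at all, and labels each account. Get-GuestInactivity, the 90-day threshold and the sample users are assumptions made for illustration.

```powershell
# Added example. Get-GuestInactivity and its 90-day default are hypothetical.
function Get-GuestInactivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$ThresholdDays = 90,
        [datetime]$AsOf = [datetime]::UtcNow
    )
    process {
        # SignInActivity is empty for a guest who has never signed in, so
        # keep only the timestamps that are actually present.
        $stamps = @(
            $User.SignInActivity.LastSignInDateTime
            $User.SignInActivity.LastNonInteractiveSignInDateTime
        ) | Where-Object { $null -ne $_ } |
            ForEach-Object { ([datetime]$_).ToUniversalTime() }

        # Use the later of the interactive and non-interactive sign-ins.
        $last = $stamps | Sort-Object -Descending | Select-Object -First 1

        if ($null -eq $last) {
            $days = $null; $state = 'NeverSignedIn'
        } else {
            $days  = [int][math]::Floor(($AsOf - $last).TotalDays)
            $state = if ($days -ge $ThresholdDays) { 'Inactive' } else { 'Active' }
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            LastActivityUtc   = $last
            InactiveDays      = $days
            State             = $state
        }
    }
}

# Constructed sample users shaped like the Get-MgBetaUser output (not real tenant data).
$sampleGuests = @(
    [pscustomobject]@{   # old interactive sign-in, recent non-interactive one
        UserPrincipalName = 'alex_fabrikam.example#EXT#@contoso.example'
        SignInActivity    = [pscustomobject]@{
            LastSignInDateTime               = '2024-06-01T09:00:00Z'
            LastNonInteractiveSignInDateTime = '2025-02-20T10:00:00Z' }
    }
    [pscustomobject]@{   # both timestamps are old
        UserPrincipalName = 'sam_northwind.example#EXT#@contoso.example'
        SignInActivity    = [pscustomobject]@{
            LastSignInDateTime               = '2024-05-10T12:00:00Z'
            LastNonInteractiveSignInDateTime = '2024-05-12T12:00:00Z' }
    }
    [pscustomobject]@{   # invited but never signed in
        UserPrincipalName = 'kim_tailspin.example#EXT#@contoso.example'
        SignInActivity    = $null
    }
)

# A fixed reference date keeps the sample output stable between runs.
$asOf = ([datetime]'2025-03-01T00:00:00Z').ToUniversalTime()
$sampleGuests | Get-GuestInactivity -AsOf $asOf | Format-Table -AutoSize
```

Against a tenant, pipe the output of the Get-MgBetaUser query above (before its Select and Format-Table stages) into the function instead of the sample users.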

2. How to get non-interactive login activity of Microsoft 365 guest users?

Non-interactive sign-ins refer to the logins done on behalf of a user, such as using tokens or SSO for web apps and Windows applications. Monitoring these events helps identify security gaps in the sign-in process, which enables the implementation of MFA for app logins, stored credentials, or automated processes.

View non-interactive sign-ins of guest users in Microsoft Entra ID

  • Log in to the Microsoft Entra admin center.
  • Navigate to the Sign-in logs tab under Identity»Users»All Users.
  • Click on the ‘User sign-ins (non-interactive)’ tab and Add filter on ‘User type’ as Guest. This displays the non-interactive sign-ins of guest users in Microsoft 365.

Get guest users’ non-interactive sign-ins using PowerShell

Run the below cmdlet to find Microsoft 365 non-interactive guest sign-ins using PowerShell.

Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t: t ne 'interactiveUser') and (UserType eq 'Guest'))" | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ResourceDisplayName | Format-Table

While the native methods provide basic details, AdminDroid offers detailed insights into non-interactive sign-ins of guest users with graphical charts and advanced filters for deeper analysis.

Track non-interactive guest sign-ins to spot unusual login patterns in Microsoft 365!

  • With non-interactive sign-ins report, access details such as application name, username, sign-in time, location, MFA status, device browser, etc.
  • This report enables you to identify the source of the non-interactive sign-ins and enhance your organization’s security.

3. How to find the failed guest user sign-ins in Microsoft 365?

Auditing failed guest user sign-ins in Microsoft 365 is vital for both troubleshooting access issues and enhancing security. Failed sign-ins may indicate attempts to access resources with incorrect credentials, expired passwords, or potential security threats from unauthorized users. Monitoring these failures helps admins quickly address issues and ensure secure collaboration with external users.

Track guest user login failures in Microsoft 365

  • Navigate to the Sign-in logs tab in Microsoft Entra admin center.
  • Click on Add filters, choose Status, then click Apply.
  • Select Failure, and then click Apply.
  • Again, choose Add filters and select ‘User type’ as Guest.
  • Click Apply to view Microsoft 365 guest users failed logins.

Retrieving guest user login failures through the admin portal involves navigating through multiple tabs and sections, which can be cumbersome. Using PowerShell, admins can streamline this process effectively.

Get guest users' failed sign-ins using PowerShell

Execute the cmdlet below to get Microsoft 365 guest user’s failed login attempts using PowerShell.

Get-MgBetaAuditLogSignIn -Filter "status/errorCode ne 0 and UserType eq 'Guest'" | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ResourceDisplayName | Format-Table

In addition, you can run the script from the native solution above, as shown below, to export a report on all failed sign-ins of guest users in Microsoft 365.

./GetEntraSigninLogs.ps1 -GuestUserSignInsOnly -Failure

While native methods provide limited export options, AdminDroid allows you to export the data you need in various formats such as PDF, CSV, HTML, XLS, XLSX, and even computer-friendly RAW format for integration with other tools.

Identify and address security risks quickly with AdminDroid’s failed sign-ins report!

  • Identify the root cause for failed sign-ins of guest users to mitigate the risks in your Microsoft 365 environment.
  • Also, this report gives you details, such as the failed sign-in time, signed-in user, signed-in app, IP address, failure cause, etc.

4. How to enable self-service sign up for guest users in Microsoft 365?

A self-service sign-up is a feature in Microsoft Entra ID that allows external users, such as partners or collaborators, to register for access to applications independently. This eliminates the need for direct invitations from the organization.

Enabling this feature simplifies external user onboarding, reduces admin tasks, and ensures smooth collaboration.

Enable Self-service Sign-up for Guests in Microsoft Entra

  • Log in to the Microsoft Entra admin center.
  • Go to Identity»External Identities»External collaboration settings.
  • Set the ‘Enable guest self-service sign up via user flows’ toggle to Yes and click Save.

After enabling self-service sign-up for guest users, you can create self-service sign up user flow in Microsoft Entra ID to allow external users to register for access to specific applications. This feature streamlines the sign up process, offering a flexible and scalable solution for managing external access in a B2B collaboration environment.

5. How to require multi-factor authentication for guest user sign-ins in Microsoft 365?

Requiring multi-factor authentication (MFA) for external users ensures secure access to sensitive applications. This is essential when external users need access to critical resources in your organization. It prevents credential-based attacks and ensures their authentication methods are verified to block logins from untrusted or compromised sources.

Create Conditional Access policy to require MFA for guest users

  • Go to the Conditional Access Policies tab in Microsoft Entra admin center.
  • Click the ‘New policy from template’ and navigate to the Zero trust tab.
  • Select Require multifactor authentication for guest users and then click ‘Review + create’.
  • By default, the policy state is set to ‘Report-only’. You can also change the Policy state to On and enforce it.
  • Review the template policy conditions to verify its configurations.
    • Under Users and groups, the policy includes all guest and external users and excludes only the current user.
    • In case of Cloud apps, the policy applies to all apps.
    • In Grant access control, the policy requires multifactor authentication.
  • Click Create to enforce MFA for guest users using Conditional Access policy in Microsoft 365.

Though multifactor authentication (MFA) enforces the use of multiple verification methods, such as a password and an OTP, to secure user access, authentication strength goes a step further. It specifies which MFA methods should be used based on the resource or user context, such as requiring phishing-resistant methods for sensitive resources.

Configure authentication strength for external users using Microsoft Entra CA policy

  • Navigate to Conditional Access policies page and click ‘New policy’.
  • In the Assignment section, click the link under Users.
    • For Include, choose ‘Select users and groups’, and then select Guest or external users. Pick the guest user types to which this policy should apply.
    • For Exclude, select ‘Users and groups’ and add your organization’s break-glass accounts.
  • Navigate to the Target resources»Resources (formerly cloud apps)»Include and select All resources (formerly 'All cloud apps').
  • Click the link under Access controls » Grant and select Grant access (which is selected by default).
  • Then, enable Require authentication strength and choose the built-in or custom authentication strength from the drop-down.
  • Confirm your settings and switch the Enable policy toggle from ‘Report-only’ to On.
  • Click Create to apply the CA policy for external users in Microsoft 365.

Note: You cannot configure "Require authentication strength" and "Require multifactor authentication" in the same Conditional Access policy.
