lines changed Original file line number Diff line number Diff line change 9494 $servicePrincipalsOutputFile = $folderToProcess + " \AADApps_" + $tenant + " _service_principals_raw.json"
9595 $allServicePrincipals | ConvertTo-Json - Depth 99 | Out-File $servicePrincipalsOutputFile - Encoding UTF8
9696
97+ # Get all deleted service principals
98+ " Getting all deleted service principals" | Write-Log - LogPath $logFile
99+ $deletedServicePrincipals = Get-MgDirectoryDeletedItemAsServicePrincipal - All - ErrorAction Stop
100+ if ($deletedServicePrincipals -ne $null ){$deletedServicePrincipals = $deletedServicePrincipals.ToJsonString () | ConvertFrom-Json }
101+ $deletedServicePrincipalsOutputFile = $folderToProcess + " \AADApps_" + $tenant + " _deleted_service_principals_raw.json"
102+ $deletedServicePrincipals | ConvertTo-Json - Depth 99 | Out-File $deletedServicePrincipalsOutputFile - Encoding UTF8
103+
97104 $enrichedServicePrincipalEvents = @ ()
98105 $uniqueServicePrincipals = $servicePrincipalEvents | Select-Object - ExpandProperty targetResources | Group-Object - Property Id
99106
100107 # Loop through Service Principals seen in Audit Log
101108 foreach ($uniqueServicePrincipal in $uniqueServicePrincipals ){
102109 # Get Service Principal object
103110 $servicePrincipalObject = $allServicePrincipals | Where-Object {$_.Id -eq $uniqueServicePrincipal.Name }
111+ if ($null -eq $servicePrincipalObject ){
112+ $servicePrincipalObject = $deletedServicePrincipals | Where-Object {$_.Id -eq $uniqueServicePrincipal.Name }
113+ }
104114 $eventsPerServicePrincipal = $servicePrincipalEvents | Where-Object { $_.targetResources.Id -eq $uniqueServicePrincipal.Name }
105115
106116 if ($servicePrincipalObject ){
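Review bot: The fallback at new lines 111–113 resolves a service principal from `$deletedServicePrincipals`, but nothing visible records that the match came from deleted items, so the enriched output may present a deleted principal as if it still exists. For an investigation that distinction matters, because a principal that appears in the audit log and has since been deleted is a finding in its own right. Consider setting a flag inside the fallback, e.g. `$servicePrincipalIsDeleted = $true` (reset to `$false` at the top of each iteration), and writing it into the enriched event. The `if ($servicePrincipalObject)` body that builds the enriched event continues outside the hunk, so this is inferred; the device lookup at new lines 126–128 has the same shape.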
Original file line number Diff line number Diff line change 107107 $devicesOutputFile = $folderToProcess + " \AADDevices_" + $tenant + " _devices_raw.json"
108108 $allDevices | ConvertTo-Json - Depth 99 | Out-File $devicesOutputFile - Encoding UTF8
109109 $countDevices = ($allDevices | Measure-Object ).Count
110- " Total number of devices in the tenant is $ ( $countDevices ) " | Write-Log - LogPath $logFile
110+ " Total number of non-deleted devices in the tenant is $ ( $countDevices ) " | Write-Log - LogPath $logFile
111+
112+ # Get all deleted devices
113+ " Getting all deleted devices" | Write-Log - LogPath $logFile
114+ $deletedDevices = Get-MgDirectoryDeletedItemAsDevice - All - ErrorAction Stop
115+ if ($deletedDevices -ne $null ){$deletedDevices = $deletedDevices.ToJsonString () | ConvertFrom-Json }
116+ $deletedDevicesOutputFile = $folderToProcess + " \AADDevices_" + $tenant + " _deleted_devices_raw.json"
117+ $deletedDevices | ConvertTo-Json - Depth 99 | Out-File $deletedDevicesOutputFile - Encoding UTF8
111118
112119 $enrichedDeviceEvents = @ ()
113120 $uniqueDevices = $deviceEvents | Select-Object - ExpandProperty targetResources | Group-Object - Property Id
116123 foreach ($uniqueDevice in $uniqueDevices ){
117124 # Get Device object
118125 $deviceObject = $allDevices | Where-Object {$_.Id -eq $uniqueDevice.Name }
126+ if ($null -eq $deviceObject ){
127+ $deviceObject = $deletedDevices | Where-Object {$_.Id -eq $uniqueDevice.Name }
128+ }
119129 $eventsPerDevice = $deviceEvents | Where-Object { $_.targetResources.Id -eq $uniqueDevice.Name }
120130
121131 if ($deviceObject ){
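Review bot: The deleted-device collection at new lines 112–117 logs that it started but never logs how many objects came back, while line 110 now reports the count of non-deleted devices. Without that count the log cannot show whether an empty `_deleted_devices_raw.json` means nothing was returned or that the step did not run as expected. Suggest adding after line 117: `"Total number of deleted devices returned is $(($deletedDevices | Measure-Object).Count)" | Write-Log -LogPath $logFile`. The same applies after new line 62 of the users change and new line 102 of the service principals change.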
Original file line number Diff line number Diff line change @@ -52,7 +52,14 @@ function Get-AADUsers {
5252 $usersOutputFile = $folderToProcess + " \AADUsers_" + $tenant + " _users_raw.json"
5353 $allUsers | ConvertTo-Json - Depth 99 | Out-File $usersOutputFile - Encoding UTF8
5454 $countUsers = ($allUsers | Measure-Object ).Count
55- " Total number of users in the tenant is $ ( $countUsers ) " | Write-Log - LogPath $logFile
55+ " Total number of non-deleted users in the tenant is $ ( $countUsers ) " | Write-Log - LogPath $logFile
56+
57+ # Get all deleted users
58+ " Getting all deleted users" | Write-Log - LogPath $logFile
59+ $deletedUsers = Get-MgDirectoryDeletedItemAsUser - All - ErrorAction Stop
60+ if ($deletedUsers -ne $null ){$deletedUsers = $deletedUsers.ToJsonString () | ConvertFrom-Json }
61+ $deletedUsersOutputFile = $folderToProcess + " \AADUsers_" + $tenant + " _deleted_users_raw.json"
62+ $deletedUsers | ConvertTo-Json - Depth 99 | Out-File $deletedUsersOutputFile - Encoding UTF8
5663
5764 # Get all users settings
5865 " Getting all users settings" | Write-Log - LogPath $logFile
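Review bot: `if ($deletedUsers -ne $null)` on new line 60 puts `$null` on the right, and with a collection on the left PowerShell's `-ne` filters the elements instead of returning a boolean. It happens to work for non-empty object arrays, but PSScriptAnalyzer flags it (PSPossibleIncorrectComparisonWithNull), and the lookups added in the other two files of this commit already use `$null -eq …`. Prefer `if ($null -ne $deletedUsers) { … }`; the same form appears at new line 100 (service principals) and new line 115 (devices). The comment on line 57 could also say that only soft-deleted users still within the directory's retention window are returned, so older audit events may still fail to resolve.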