microsoftgraph
diff --git a/‎module/docs/entra-powershell-beta/DirectoryManagement/Get-EntraBetaTenantDetail.md‎
Lines changed: 25 additions & 2 deletions b/‎module/docs/entra-powershell-beta/DirectoryManagement/Get-EntraBetaTenantDetail.md‎
Lines changed: 25 additions & 2 deletions
diff --git a/‎module/docs/entra-powershell-beta/Groups/Get-EntraBetaGroup.md‎
Lines changed: 9 additions & 10 deletions b/‎module/docs/entra-powershell-beta/Groups/Get-EntraBetaGroup.md‎
Lines changed: 9 additions & 10 deletions
diff --git a/‎module/docs/entra-powershell-beta/Reports/Get-EntraBetaAuditDirectoryLog.md‎
Lines changed: 105 additions & 3 deletions b/‎module/docs/entra-powershell-beta/Reports/Get-EntraBetaAuditDirectoryLog.md‎
Lines changed: 105 additions & 3 deletions
diff --git a/‎module/docs/entra-powershell-beta/Reports/Get-EntraBetaAuditSignInLog.md‎
Lines changed: 113 additions & 4 deletions b/‎module/docs/entra-powershell-beta/Reports/Get-EntraBetaAuditSignInLog.md‎
Lines changed: 113 additions & 4 deletions
@@ -70,7 +70,30 @@ Contoso1    bbbbbbbb-1111-2222-3333-cccccccccccc NL                {@{Capabiliti
 
 This example shows how to retrieve all tenant details.
 
-### Example 2: Get top one tenant details
+### Example 2: Get all licenses in the tenant
+
+```powershell
+Connect-Entra -Scopes 'Organization.Read.All'
+Get-EntraBetaTenantDetail | Select-Object -ExpandProperty ProvisionedPlans
+```
+
+```Output
+CapabilityStatus ProvisioningStatus Service                       AdditionalProperties
+---------------- ------------------ -------                       --------------------
+Enabled          Success            SharePoint
+Enabled          Success            exchange
+Enabled          Success            exchange
+Enabled          Success            exchange
+Enabled          Success            SCO
+Enabled          Success            exchange
+Enabled          Success            SharePoint
+Enabled          Success            CloudPC-MX
+Enabled          Success            YammerEnterprise
+```
+
+This example shows how to retrieve all licenses in the tenant.
+
+### Example 3: Get top one tenant details
 
 ```powershell
 Connect-Entra -Scopes 'Organization.Read.All'
@@ -85,7 +108,7 @@ Contoso     aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb NL                {@{Capabiliti
 
 This example shows how to retrieve details of a top one tenant in Microsoft Entra ID. You can use `-Limit` as an alias for `-Top`.
 
-### Example 3: Get directory tenant size quota
+### Example 4: Get directory tenant size quota
 
 ```powershell
 Connect-Entra -Scopes 'Organization.Read.All'
 
@@ -94,24 +94,23 @@ SimpleTestGrp                   eeeeeeee-4444-5555-6666-ffffffffffff NickName
 
 This example demonstrates how to retrieve specific group by providing ID.
 
-### Example 3: Get top five groups
+### Example 3: Retrieve Microsoft 365 (Unified) groups
 
 ```powershell
 Connect-Entra -Scopes 'GroupMember.Read.All'
-Get-EntraBetaGroup -Top 5
+Get-EntraBetaGroup -Filter "groupTypes/any(g:g eq 'Unified')" -Top 4
 ```
 
 ```Output
-DisplayName                                     Id                                   MailNickname    Description       GroupTypes
------------                                     --                                   ------------    -----------       ----------
-SimpleTestGrp                                   aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb NickName                          {}
-SimpleGroup                                     bbbbbbbb-1111-2222-3333-cccccccccccc NickName                          {}
-testGroupInAU10                                 cccccccc-2222-3333-4444-dddddddddddd testGroupInAU10 testGroupInAU10   {DynamicMembership, Unified}
-My new group                                    dddddddd-3333-4444-5555-eeeeeeeeeeee NotSet          New created group {}
-SimpleGroup                                     eeeeeeee-4444-5555-6666-ffffffffffff NickName                          {}
+DisplayName        Id                                     MailNickname     GroupTypes
+-----------        --                                     ------------     ----------
+Contoso Group      hhhhhhhh-3333-5555-3333-qqqqqqqqqqqq   contosogroup     {Unified}
+Crimson Eagle     pppppppp-4444-0000-8888-yyyyyyyyyyyy   crimsoneagle     {Unified}
+Bold Falcon      tttttttt-0000-3333-9999-mmmmmmmmmmmm   boldfalcon       {Unified}
+Misty Fox        qqqqqqqq-5555-0000-1111-hhhhhhhhhhhh   mistyfox         {Unified}
 ```
 
-This example demonstrates how to get top five groups. You can use `-Limit` as an alias for `-Top`.
+This example retrieves Microsoft 365 (Unified) groups. You can use `-Limit` as an alias for `-Top`.
 
 ### Example 4: Get a group by DisplayName
 
 
@@ -64,7 +64,90 @@ SSGM_cccccccc-2222-3333-4444-dddddddddddd      17/07/2024 07:13:08 GroupsODataV4
 
 This command gets all audit logs.
 
-### Example 2: Get first n logs
+### Example 2: List audit logs of group creation
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
+$groupId = (Get-EntraBetaGroup -SearchString 'Woodgrove DevOps').Id
+Get-EntraBetaAuditDirectoryLog -Filter "
+    activityDisplayName eq 'Add group' 
+    and targetResources/any(r:r/id eq '$groupId')"
+```
+
+```Output
+Id                                      ActivityDateTime      ActivityDisplayName Category        CorrelationId                          LoggedByService  OperationType Result  ResultReason
+--                                      ----------------      ------------------- --------        -------------                          ---------------  ------------- ------  ------------
+Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 03/06/2025 22:22:17 Add group        GroupManagement aaaa0000-bb11-2222-33cc-444444dddddd Core Directory  Add           success
+```
+
+This command gets all audit logs of group creation.
+
+### Example 3: Retrieve recent group creation audit logs
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
+Get-EntraBetaAuditDirectoryLog -Filter "activityDisplayName eq 'Add group'" -Limit 5 |
+Select-Object id, activityDateTime, 
+              @{Name="InitiatedByUPN"; Expression={ $_.initiatedBy.user.userPrincipalName }},
+              result, 
+              @{Name="GroupDisplayName"; Expression={ $_.targetResources[0].displayName }} |
+Format-Table -AutoSize
+```
+
+```Output
+Id                                      ActivityDateTime      InitiatedByUPN                Result  GroupDisplayName
+--                                      ----------------      --------------                ------  ----------------
+Directory_11111111-2222-3333-4444-555555555555  03/07/2025 18:30:45 [email protected]        success Woodgrove Developers
+Directory_aaaa0000-bb11-2222-33cc-444444dddddd  03/06/2025 22:22:17 [email protected]       success Woodgrove DevOps
+Directory_99999999-8888-7777-6666-555555555555  03/05/2025 15:10:12 [email protected]      success Security Team
+```
+
+This command retrieves recent group creation audit logs.
+
+### Example 4: Show user's updated authentication method details
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
+$userId = (Get-EntraBetaUser -UserId '[email protected]').Id
+Get-EntraBetaAuditDirectoryLog -Filter "category eq 'UserManagement' and LoggedByService eq 'Authentication Methods' and targetResources/any(r:r/id eq '$userId')"
+```
+
+```Output
+Id                                       ActivityDateTime      ActivityDisplayName             Category        CorrelationId                          LoggedByService                  OperationType  Result   ResultReason
+--                                       ----------------      -------------------             --------        -------------                          ---------------                  -------------  ------   ------------
+Authentication Methods_{GUID}  02/17/2025 13:20:08  User registered security info   UserManagement  aaaa0000-bb11-2222-33cc-444444dddddd  Authentication Methods ServiceApi   success  User registered Fido2 Authentication Method
+Authentication Methods_{GUID}  02/17/2025 13:19:57  Get passkey creation options    UserManagement  bbbb1111-cc22-3333-44dd-555555eeeeee  Authentication Methods ServiceApi   success  Successfully retrieved passkey creation options.
+Authentication Methods_{GUID}  02/15/2025 17:38:02  User registered security info   UserManagement  cccc2222-dd33-4444-55ee-666666ffffff  Authentication Methods ServiceApi   success  User registered temporary access pass method
+```
+
+This command retrieves user's updated authentication method details.
+
+### Example 5: List quarantined provisioning jobs
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
+Get-EntraBetaAuditDirectoryLog -Filter "activityDisplayName eq 'Quarantine'" -Limit 1 |
+Select-Object Id, ActivityDateTime, ActivityDisplayName, Category, LoggedByService, Result, 
+              ResultReason, 
+              @{Name="InitiatedByDisplayName"; Expression={ $_.targetResources[0].displayName }}
+```
+
+```Output
+id                     : Sync_{GUID}
+activityDateTime       : 02/14/2025 04:23:38
+activityDisplayName    : Quarantine
+category               : ProvisioningManagement
+loggedByService        : Account Provisioning
+result                 : failure
+resultReason           : This run profile is being quarantined because of: EncounteredQuarantineException; Error: Your ServiceNow credentials are invalid. Please obtain valid ServiceNow credentials, navigate to your ServiceNow enterprise application in the Azure Portal, and ente
+                         r those details in the admin credentials section of the provisioning configuration page. For directions on how to input credentials into your application, review the tutorial specific to ServiceNow found here: https://docs.microsoft.com/en-us/azure/activ
+                         e-directory/saas-apps/servicenow-provisioning-tutorial
+InitiatedByDisplayName : ServiceNow
+```
+
+This command retrieves quarantined provisioning jobs.
+
+### Example 6: Get first n logs
 
 ```powershell
 Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
@@ -82,7 +165,7 @@ Directory_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb_8IAPT_617717139 17/07/2024 08:55:
 
 This example returns the first N logs. You can use `-Limit` as an alias for `-Top`.
 
-### Example 3: Get audit logs containing a given ActivityDisplayName
+### Example 7: Get audit logs containing a given ActivityDisplayName
 
 ```powershell
 Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
@@ -97,7 +180,7 @@ Application Proxy_aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 16/07/2024 05:13:49 Updat
 
 This command shows how to get audit logs by ActivityDisplayName. You can use `-Limit` as an alias for `-Top`.
 
-### Example 4: Get all audit logs with a given result
+### Example 8: Get all audit logs with a given result
 
 ```powershell
 Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
@@ -106,6 +189,25 @@ Get-EntraBetaAuditDirectoryLog -Filter "result eq 'failure'" -All
 
 This command shows how to get audit logs by the result.
 
+### Example 9: Show when users were added to a group
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All, Directory.Read.All'
+$groupId = (Get-EntraBetaGroup -SearchString 'Contoso Group').Id
+Get-EntraBetaAuditDirectoryLog -Filter "
+    activityDisplayName eq 'Add member to group' 
+    and targetResources/any(r:r/type eq 'User') 
+    and targetResources/any(r:r/id eq '$groupId' and r/type eq 'Group')"
+```
+
+```Output
+Id                                      ActivityDateTime      ActivityDisplayName   Category        CorrelationId                          LoggedByService   OperationType Result  ResultReason
+--                                      ----------------      -------------------   --------        -------------                          ---------------   ------------- ------  ------------
+Directory_{GUID}  03/07/2025 23:16:31   Add member to group   GroupManagement       aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb  Core Directory   Assign        success
+```
+
+This command shows when users were added to a group.
+
 ## Parameters
 
 ### -All
 
@@ -65,7 +65,116 @@ dddddddd-3333-4444-5555-eeeeeeeeeeee Azure Active Directory PowerShell  33334444
 
 This example returns all audit logs of sign-ins.
 
-### Example 2: Get the first two logs
+### Example 2: List sign-ins failing Conditional Access policies
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
+Get-EntraBetaAuditSignInLog -Filter "conditionalAccessStatus eq 'failure'" -Limit 10 | Select-Object id, userDisplayName, createdDateTime, appDisplayName, status
+```
+
+```Output
+id              : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
+userDisplayName : Saywer Miller
+createdDateTime : 03/08/2025 04:03:14
+appDisplayName  : Microsoft Edge
+status          : @{errorCode=50158; failureReason=External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.; additionalDetails=The user is required to satisfy additional require
+                  ments before finishing authentication, and was redirected to another page (such as terms of use or a third party MFA provider). This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that this challenge was succ
+                  esfully passed or failed.}
+```
+
+This example returns all audit logs of sign-ins failing Conditional Access policies.
+
+### Example 3: List sign-ins from non-compliant devices
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
+Get-EntraBetaAuditSignInLog -Filter "deviceDetail/isCompliant eq false" -Top 1 | Select-Object id, userDisplayName, appDisplayName, clientAppUsed, conditionalAccessStatus, deviceDetail, status
+```
+
+```Output
+id                      : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
+userDisplayName         : Sawyer Miller
+appDisplayName          : Security Copilot
+clientAppUsed           : Browser
+conditionalAccessStatus : success
+deviceDetail            : @{operatingSystem=Windows10; trustType=Azure AD registered; 22223333-cccc-4444-dddd-5555eeee6666; isCompliant=False; isManaged=False; browser=Edge 133.0.0; displayName=devbox}
+status                  : @{errorCode=50011; failureReason=The {redirectTerm} '{replyAddress}' specified in the request does not match the {redirectTerm}s configured for the application '{identifier}'. Make sure the {redirectTerm} sent in the request matches one added to your ap
+                          plication in the Azure portal. Navigate to {akamsLink} to learn more about how to fix this. {detail}; additionalDetails=Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.}
+```
+
+This example returns all audit logs of sign-ins from non-compliant devices.
+
+### Example 4: List sign-in failures due to a specific Conditional Access policy
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
+$policyId = "dcf66a39-965f-4958-871f-f62613b6cabd"
+Get-EntraBetaAuditSignInLog -Filter "
+    conditionalAccessStatus eq 'failure' 
+    and appliedConditionalAccessPolicies/any(c:c/id eq '$policyId' and c/result eq 'failure')" -Limit 1 | 
+Select-Object id, userDisplayName, appDisplayName, clientAppUsed, 
+              conditionalAccessStatus, status, appliedConditionalAccessPolicies
+```
+
+```Output
+id                               : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
+userDisplayName                  : ASawyer Miller
+appDisplayName                   : Azure Portal
+clientAppUsed                    : Browser
+conditionalAccessStatus          : failure
+status                           : @{errorCode=50158; failureReason=External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.; additionalDetails=The user is required to satisfy a
+                                   dditional requirements before finishing authentication, and was redirected to another page (such as terms of use or a third party MFA provider). This code alone does not indicate a failure on your users part to sign in. The sign in logs may ind
+                                   icate that this challenge was succesfully passed or failed.}
+appliedConditionalAccessPolicies : {@{id=22223333-cccc-4444-dddd-5555eeee6666; enforcedSessionControls=System.Object[]; displayName=CAX - All Contoso (and Guest) Users; result=failure; enforcedGrantControls=System.Object[]}, @{id=00001111-aaaa-2222-bbbb-3333cccc4444; enf
+                                   orcedSessionControls=System.Object[]; displayName=CA01 - MFA - All Apps - All Users; result=success; enforcedGrantControls=System.Object[]}, @{id=22223333-cccc-4444-dddd-5555eeee6666; enforcedSessionControl
+                                   s=System.Object[]; displayName=CA001 - Require Passwordless Auth and TAP - All Users; result=success; enforcedGrantControls=System.Object[]}, @{id=33334444-dddd-5555-eeee-6666ffff7777; enforcedSessionControls=System.Object[]; displayName=CA14 -
+                                    Require MFA for VPN Access; result=notApplied; enforcedGrantControls=System.Object[]}…}
+```
+
+This example returns all audit logs of sign-ins failures due to a specific Conditional Access policy.
+
+### Example 5: List risky sign-ins
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
+Get-EntraBetaAuditSignInLog -Filter "
+    (riskLevelDuringSignIn ne 'none' or 
+    riskEventTypes_v2/any(r:r ne 'none'))
+" -Limit 1 | 
+Select-Object id, userDisplayName, appDisplayName, clientAppUsed, 
+              riskLevelDuringSignIn, riskEventTypes_v2
+```
+
+```Output
+id                    : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
+userDisplayName       : Sawyer Miller
+appDisplayName        : Security Copilot
+clientAppUsed         : Browser
+riskLevelDuringSignIn : low
+riskEventTypes_v2     : {unfamiliarFeatures}
+```
+
+This example returns all audit logs of risky sign-ins.
+
+### Example 6: Get sign-ins without MFA
+
+```powershell
+Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
+Get-EntraBetaAuditSignInLog -Filter "authenticationRequirement ne 'multiFactorAuthentication' and isInteractive eq true"
+```
+
+```Output
+Id                                   AppDisplayName                     AppId                                AppTokenProtectionStatus AuthenticationMethodsUsed AuthenticationProtocol
+--                                   --------------                     -----                                ------------------------ ------------------------- ----------------------
+aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Azure Active Directory PowerShell  00001111-aaaa-2222-bbbb-3333cccc4444                              {}                     none
+bbbbbbbb-1111-2222-3333-cccccccccccc Azure Portal                       11112222-bbbb-3333-cccc-4444dddd5555                              {}                     none
+cccccccc-2222-3333-4444-dddddddddddd Azure Active Directory PowerShell  22223333-cccc-4444-dddd-5555eeee6666                              {}                     none
+dddddddd-3333-4444-5555-eeeeeeeeeeee Azure Active Directory PowerShell  33334444-dddd-5555-eeee-6666ffff7777                              {}                     none
+```
+
+This example returns all audit logs of sign-ins without MFA.
+
+### Example 7: Get the first two logs
 
 ```powershell
 Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
@@ -81,7 +190,7 @@ bbbbbbbb-1111-2222-3333-cccccccccccc Azure Portal                       11112222
 
 This example returns the first two audit logs of sign-ins. You can use `-Limit` as an alias for `-Top`.
 
-### Example 3: Get audit logs containing a given AppDisplayName
+### Example 8: Get audit logs containing a given AppDisplayName
 
 ```powershell
 Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
@@ -96,7 +205,7 @@ aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb Graph Explorer PowerShell  00001111-aaaa-22
 
 This example demonstrates how to retrieve sign-in logs by AppDisplayName. You can use `-Limit` as an alias for `-Top`.
 
-### Example 4: Get all sign-in logs between dates
+### Example 9: Get all sign-in logs between dates
 
 ```powershell
 Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'
@@ -105,7 +214,7 @@ Get-EntraBetaAuditSignInLog -Filter "createdDateTime ge 2024-07-01T00:00:00Z and
 
 This example shows how to retrieve sign-in logs between dates.
 
-### Example 5: List failed sign-ins for a user
+### Example 10: List failed sign-ins for a user
 
 ```powershell
 Connect-Entra -Scopes 'AuditLog.Read.All','Directory.Read.All'