Share via

Last logon details of VMs in Azure

mosho 0 Reputation points
2025-07-31T13:07:13.2266667+00:00

Hi there,

We’re looking to implement an automation solution to audit last login details in our Azure estate having hundreds of VMs. The goal is to capture the latest login time and associated user profile from each VM.

We've experimented a solution using Azure Automation Account runbooks that execute the following query via Run Command on each VM:

wmic PATH Win32_NetworkLoginProfile GET Name,LastLogon

But this is extremely time-consuming with each VM taking ~5 minutes to return results. With the VM count we’re working with, the runbook fails to complete and ultimately times out. In addition to the long execution times, some VMs never return any result, likely due to Run Command failures or network issues. The automation stalls at these points and doesn’t proceed to the next VM.

Is there a more efficient method to audit last login activity at scale across large numbers of Azure VMs? Would appreciate any architectural suggestions or best practices to overcome this.

Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jerald Felix 4,450 Reputation points
    2025-07-31T13:17:46.8466667+00:00

    Hello mosho!

    For auditing last logon details at scale across hundreds of Azure VMs, using serial Run Command with WMIC is inefficient and prone to failures, as you've found. Here’s how you can do this more efficiently:

    1. Use Azure Log Analytics & VM Insights:

    • Install the Log Analytics agent (Azure Monitor agent) on your VMs.

    Configure it to send security event logs to a Log Analytics workspace.

    Query events such as 4624 (Logon) using Kusto Query Language (KQL) to retrieve last logon times across all VMs centrally and efficiently.

    Sample Log Analytics query:

    text
SecurityEvent
| where EventID == 4624
| summarize LastLogon=max(TimeGenerated) by Account, Computer

    2. Parallelize with Azure Automation or Logic Apps:

    Use parallel jobs or serverless orchestration (such as Azure Logic Apps/Functions) to query multiple VMs simultaneously, reducing total collection time.

    Implement error handling and timeouts so one slow VM doesn’t block the rest.

    3. Azure Sentinel (Optional, for advanced use cases):

    If you use Azure Sentinel, it can aggregate and visualize login activity at scale using the same log sources.

    4. Ensure Network and Agent Health:

    Make sure all VMs are reporting to the Log Analytics workspace, and agent/network health is solid.

    Summary: The most scalable and robust approach is using Log Analytics—this enables real-time, centralized querying for auditing purposes. Avoid serial remote commands at large scale, as they do not scale well and are prone to failures/timeouts.

    If you need step-by-step guidance to set this up, let me know!

    Best Regards,
    Jerald Felix

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.