Get a clean login activity report in your inbox on demand. A simple form collects the requester email, then the system pulls recent authentication events, removes duplicates, and sends a CSV file by email. Ideal for IT teams and MSPs that need quick sign in reviews without digging through logs.

Here is how it works. A form trigger captures email and date values. The flow then calls three SaaS Alerts endpoints for login success, OAuth authentication, and Office 365 shell activity. All events are merged, only the useful fields are kept, and duplicate IP addresses are removed. The data is turned into a CSV, encoded, and sent with SMTP2GO as an attachment. This gives a ready to share report in a standard format. Large pulls are supported with a size setting of up to ten thousand events per call.

To set this up, you need a SaaS Alerts API key and SMTP2GO access. Map the form email field and confirm the header includes your API key. After a quick test submit, you should receive a CSV with one row per unique IP and key user details. Use it for daily security checks, client summaries, or fast audits during access reviews.

• Form based trigger collects requester email and date window.
• Three API calls to SaaS Alerts gather login success, OAuth, and Office 365 shell events.
• Merge step combines all events into one data stream.
• Field filter keeps only user, customer, IP, and location details for clarity.
• Duplicate removal ensures one row per IP address.
• CSV conversion creates a structured file with headers.
• Base64 encoding prepares the file for email attachment.
• SMTP2GO sends a final email with the CSV to the address from the form.

• Reduce manual log pulls from hours to minutes
• Unify three authentication event sources into one report
• Eliminate duplicate IP rows for cleaner analysis
• Handle up to ten thousand events per fetch
• Deliver a standard CSV that any team can read

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with SaaS Alerts and SMTP2GO. See the Tools Required section above for links to create accounts with these services.
3. Open the Authentication Request Form node. Add an Email field and, if needed, a Date Range field. Copy the test URL and submit a sample to generate initial data.
4. Open Set Date and Form Variables. Confirm it maps the Email field and sets the Last 24 Hours value used by the API calls.
5. For each SaaS Alerts HTTP Request node, confirm the URL includes eventType and start parameters, and that the header includes api_key mapped to your secret value.
6. In the n8n credentials manager, double click the SMTP2GO email node, then on the 'Credential to connect with' dropdown, click 'Create new credential', then follow the on screen instructions to integrate that service.
7. Open Filter IP Information. Review the selected fields such as customer name, user name, IP, and location. Keep only fields you need for reporting.
8. Check Remove Duplicate IPs and ensure it compares by the ip field to prevent repeated rows.
9. Open Convert to CSV and verify header row is enabled so columns are labeled.
10. Open Convert CSV to Base64 and confirm encoding is set to base64.
11. Open the SMTP2GO HTTP Request node. Confirm recipient uses the Email from the Set Date and Form Variables node and the attachment pulls the generated file.
12. Run a test by submitting the form. Check your inbox for the CSV. If no email arrives, review SMTP2GO activity logs, verify your API key, and confirm the sender address is allowed.