stijsseling
Dec 18, 2019 (Copper Contributor)
Log Analytics SigninLogs Error: 50076. MFA Successful and not passed at the same time
I am trying to make sense of the SigninLogs in Log Analytics. Because there are multiple rows for a single logon event I’m trying to combine them on CorrelationID and see if a user successfully logg...
CliveWatson
Dec 20, 2019 (Former Employee)
It would help to see your query. This should show the user activity in date/time order:
```kusto
// Error code reference:
// https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
SigninLogs
| search "MFA"
//| where UserPrincipalName == "< name your user >"
// Status is a dynamic column; pull the fields out as strings
| extend errorCode_ = tostring(Status.errorCode)
// errorCode_ is a string, so compare against "0" (success), not the number 0
| where errorCode_ != "0"
| where ConditionalAccessStatus == "failure"
| extend additionalDetails_ = tostring(Status.additionalDetails)
| extend failureReason_ = tostring(Status.failureReason)
| summarize make_set(errorCode_), make_set(ConditionalAccessStatus) by CorrelationId, TimeGenerated, additionalDetails_, failureReason_, UserPrincipalName
| order by TimeGenerated asc
```
Results (I skipped some columns to simplify the output):

| TimeGenerated | additionalDetails_ | failureReason_ | set_errorCode_ | set_ConditionalAccessStatus |
|---|---|---|---|---|
| 2019-10-21T17:52:42.815Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-23T18:59:46.198Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-24T14:56:35.178Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-25T20:01:11.165Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-28T23:41:10.524Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
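
For the question's goal of combining the rows of one sign-in on CorrelationId, the following is an added example and not part of either post above. It assumes that error code "0" on any row of a CorrelationId means that sign-in eventually completed, and it treats 50074 and 50076 (the two codes named in this thread) as MFA interrupts; the 7-day window and the output column names are illustrative.

```kusto
// Added example: one row per sign-in attempt (CorrelationId) with a single verdict.
// Assumptions: "0" = success; 50074 / 50076 = MFA interrupt codes from this thread.
SigninLogs
| where TimeGenerated > ago(7d)
//| where UserPrincipalName == "< name your user >"
| extend errorCode_ = tostring(Status.errorCode)
| summarize
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Codes       = make_set(errorCode_),
    MfaRows     = countif(errorCode_ in ("50074", "50076")),
    SuccessRows = countif(errorCode_ == "0")
    by CorrelationId, UserPrincipalName
// Classify the attempt from the combination of rows, not from any single row
| extend Outcome = case(
    MfaRows > 0 and SuccessRows > 0,  "MFA interrupt, then success",
    MfaRows > 0 and SuccessRows == 0, "MFA interrupt, no success row",
    SuccessRows > 0,                  "Success without MFA interrupt",
                                      "Failed for another reason")
| order by FirstSeen asc
```

Unlike the query above, this groups only by CorrelationId and UserPrincipalName, so a 50076 row and a later success row for the same sign-in land in one result row instead of two.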