Microsoft Tech Community
Authentication Methods–Usage & Insights
Published Jul 11 2019 09:00 AM 36.1K Views

Howdy folks,

 

Today, I’m excited to announce the public preview of Authentication Methods Usage & Insights! The reporting provided by this feature helps you understand the adoption of self-service password reset (SSPR) and Multi-Factor Authentication (MFA) in your organization. This gives you insights into how many users are registered to use SSPR and MFA, how often SSPR is used to reset passwords, as well as which methods are used for resetting passwords.

 

 

Keep reading to learn more about these awesome reporting capabilities!

 

Authentication methods registration

 

One of the most common requests we hear from customers is to have the ability to understand who is and is not registered for both MFA and SSPR. In the Registration section of the Authentication Methods Registration report, you can see how many of your users are registered for MFA and SSPR. You can also see how many users are enabled to use SSPR, and how many of these users have actually registered so they can reset their own passwords. This data is calculated by looking at each user to see which methods they’ve registered and whether they are enabled for SSPR. You can drill down and see the status of each user by clicking one of the tiles.

 

 

Figure 1. Authentication Methods Registration overview.

 

 

In addition to the overall registration numbers, you can also see the success and failure of registrations per authentication method. This allows you to understand which authentication methods your users most commonly registered and which ones are easy for them to register. This data is calculated using the last 30 days of audit logs from the combined security info registration and SSPR registration experiences. You can drill down and see the latest registration audit information for each user by clicking the chart.

 

 

Figure 2. Authentication Methods Registration details.

 

SSPR authentication methods usage

 

In addition to understanding which users are registered, you can also learn more about SSPR usage in your organization.

 

 

Figure 3. SSPR Authentication Methods Usage report.

 

 

In the Usage section of the report, you can see which authentication methods your users are using when they reset their passwords and how successful they were in using those authentication methods. This data is calculated using the last 30 days of SSPR audit logs. From here, you can drill down and see the latest SSPR audit information for each user by clicking the chart.

 

 

Figure 4. SSPR Authentication Methods Usage details.

 

Try it out!

To check out Authentication Methods Usage & Insights for your tenant, do the following:

  1. Sign in to the Azure portal as a Security Reader, a Security Administrator, or a Reports Reader.
  2. Navigate to Usage & insights > Authentication methods activity.

To learn more about Authentication Methods Usage & Insights reporting, check out our documentation.

 

We would love to hear your feedback! Please submit your ideas to our feedback forum and we’ll review and respond to them. You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.

 

Best regards,

 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division
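
An added example, not part of the original post and not Microsoft's own tooling: it recomputes the registration counts described above from a per-user export, once for every account and once for a narrower population (member accounts whose sign-in is not blocked), and lists the in-scope users who still lack MFA registration. The CSV layout, column names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_CSV = """upn,user_type,sign_in_blocked,mfa_registered,sspr_registered,sspr_enabled
alice@contoso.example,Member,false,true,true,true
bob@contoso.example,Member,false,false,true,false
carol@contoso.example,Member,true,false,false,true
shared-mbx@contoso.example,Member,true,false,false,false
partner@fabrikam.example,Guest,false,false,false,false
dave@contoso.example,Member,false,true,false,true
"""

BOOL_COLUMNS = ("sign_in_blocked", "mfa_registered", "sspr_registered", "sspr_enabled")

def load_users(text):
    """Parse the export and convert the true/false columns to booleans."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in BOOL_COLUMNS:
            row[col] = row[col].strip().lower() == "true"
        users.append(row)
    return users

def in_scope(user):
    """Active internal accounts only: members whose sign-in is not blocked."""
    return user["user_type"] == "Member" and not user["sign_in_blocked"]

def tiles(users):
    """Recompute the overview counts for a given population."""
    return {
        "total": len(users),
        "mfa_registered": sum(u["mfa_registered"] for u in users),
        "sspr_registered": sum(u["sspr_registered"] for u in users),
        "sspr_enabled": sum(u["sspr_enabled"] for u in users),
        # Able to reset = registered AND enabled for SSPR.
        "sspr_capable": sum(u["sspr_registered"] and u["sspr_enabled"] for u in users),
    }

def mfa_gaps(users):
    """In-scope users who still need to register for MFA."""
    return sorted(u["upn"] for u in users if in_scope(u) and not u["mfa_registered"])

if __name__ == "__main__":
    everyone = load_users(SAMPLE_CSV)
    print("all users:", tiles(everyone))
    print("in scope :", tiles([u for u in everyone if in_scope(u)]))
    print("MFA gaps :", mfa_gaps(everyone))
```
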

32 Comments
Silver Contributor

What is the difference between registered and able to reset?

Steel Contributor

Instructions are missing an important step: Go to Azure Portal > Open Azure Active Directory > Usage & insights > Authentication methods activity.

Brass Contributor

The numbers are a bit misleading as it counts *all* users, including ones with sign-in blocked (aka disabled federated users).

Copper Contributor

Here are my 2 cents,

Separate guest users from the company ones: in my example I have statistics that say you have 700 users without MFA, yes ok, but all my internal users are protected, most of the time this is the real important info. At least enable some out of the box filters.

Another thing is, how can I understand if the user is registered in the "legacy" o365 mfa, or in the "new" myprofile? This could be interesting data to have, so we can migrate "old configuration" users to CA MFA.

 

Anyway, great job, running pshell and excels was not "lazy admin friendly" 

This is great! Insights and reports are important in getting everyone to passwordless. Are there plans to have insights into the number of users who are using or have opted into passwordless phone sign in??

 

Brass Contributor
Any plans to improve how you calculate the size of the organization? For example excluding shared mailboxes accounts would greatly improve the accuracy of the numbers.
Copper Contributor

<snip>

 

Copper Contributor

Great work, this is perfect timing as I was looking to get this information today!  Anyway, I got one of our MFA unregistered users to register this morning, and 5 hours later, it still says in the report that they are unregistered.  I have checked their StrongAuthenticationUserDetails and StrongAuthenticationMethods with PS and they are there and correct, but this report is not reflecting it.  Is there a 24hr delay or something like that?

Microsoft

@wroot - you can have the methods needed for password reset registered but not be enabled for password reset. Once you are both registered and enabled, you are able to reset.

 

@DamienSolodow - we are looking into this. Thanks for letting us know!

 

@Paolo Heuer - great feedback! We'll look into this. We don't have a way for you to filter based on which registration experience a user went through. However, you can use audit logs to determine that info.

 

@Matthew Levy yep! That is in the works. :)

 

@GrzeWier - That is good feedback. We'll look into this. In the meantime, you could likely accomplish this by using PowerShell. 

 

@null admin.stegri - the report does take some time to update, but it sounds like it's taking longer than usual. Did you check the last updated time on the report? If you're still running into issues, please send me a DM. Thanks!

Brass Contributor

It says none of our users are registered for MFA yet we have pretty much the entire company registered on Azure MFA (slowly migrating to conditional access).

Report was updated this morning.

Microsoft

@Marc Laflamme - thank you for letting me know. Please shoot me a DM and we can discuss further.

Copper Contributor

This is amazing! We have been begging for this visibility for over a year. This will allow us to target registration reminder communications to just those people who have not registered, reducing the email annoyance to only those who deserve it. ;)

Copper Contributor

It would be helpful if it reported on ACTIVE USER counts instead of ALL USER objects in Azure AD

Microsoft

@HB2019- this is good feedback and we will look into it. Thank you!

Copper Contributor

This is awesome! Thank you so much, I can finally tackle onboarding to SSPR with the insight into who has it already. This is perfect, the reports are super useful.

Brass Contributor

Just wanted to chime in that this is a great idea (thank you!) and hopefully will be (more) useful when we can do some filtering on the results for disabled users, shared mailboxes, etc.

Deleted
Not applicable

This feature has been a great addition, I've been using it a lot to monitor increasing usage of MFA/SSPR. I agree with all the other comments about only reporting against active users, or particular user accounts.

 

The only thing that I've noticed that isn't behaving right, or doesn't appear to be, is if a user registers for MFA with just "App Code" as their authentication method, and nothing else. In that situation it lists them as "Not Registered" under the "MFA Registered" column, but does list App Code under the "Methods Registered" column:

clipboard_image_0.png

Obviously SSPR remains correctly listed as not registered as they've only added one authentication method, and we're requiring two for that.

Copper Contributor

@Deleted we had this issue on some users, too.

Try to reset the MFA methods (via the user panel in aad) and ask the users to re-register via aka.ms/mfasetup; this has worked for us.

Deleted
Not applicable

@Paolo Heuer , thanks - good to know we're not alone here, although I'm reluctant to reset the affected user's methods when MFA is otherwise working fine for them, it just seems to be a reporting issue. Were yours the same?

Copper Contributor

@Deleted yes mfa was working but aka.ms/mfasetup was in a loop state. Support engineer said it was a backend problem (very old mfa registration) and a reset would fix it. And so it did.

Microsoft

Hey folks! Thank you for reporting this issue. We are investigating now!

Steel Contributor

This is GREAT that we finally got proper insights into this without the need for PowerShell. I would also like to see better calculations of the users to not calculate guests/non-active/disabled users/shared. I'm sure you can come to think of some smart way to calculate only active real users.

Steel Contributor

I'd love to see a report showing a pie chart of which methods the users have as their primary authentication method. We recommend our users to use App Notification but would like to see more of how many actually use it as their primary authentication method.

Microsoft

@Jonas Back that's great feedback! We'll look into it. :)

Copper Contributor

Love the "Usage & Insights" into this registration.  

 

One request though -- it doesn't report on Security key.   We have enabled FIDO2 Security Keys; however, Usage and Insights doesn't include that data in its reports / charts.   I would love to know how many of my users are trying out passwordless using Security Keys. 

 

Thanks!

Copper Contributor

I'm really glad we have these insights now. Most customers were uncertain on how to monitor anything else than just successful or failed password logons, so that's a big help to drive passwordless authentication.

Copper Contributor

Will this feature eventually be able to report on users that registered for MFA w/o Combined Registration turned on?  I have clients that think this should be showing all their users as registered for MFA and it is a little misleading because it doesn't say anywhere the scope.

Copper Contributor

Is this data available via Graph API?  We need to produce on premises reports using Power Bi and need to access this data via Graph.

Microsoft

Hi @KWornell, you can access this data using MS Graph API as documented here: https://docs.microsoft.com/graph/api/resources/authenticationmethods-usage-insights-overview?view=gr...

 

Brass Contributor

Hi,

 

Has anyone else noticed that since yesterday (almost) all the registrations are reported as Failed, while the Audit Logs show that the registrations are successful? Also the number of registered users is going up.

 

Authentications methods and usage:

Jasper_HDa_0-1605714719892.png

Audit log

Jasper_HDa_1-1605714841620.png

 

@danielwood95   Any known issues?

 

Thanks in advance,

Jasper

 

 

Microsoft

Hi @Jasper_HDa let's connect and troubleshoot this offline to see what's going on in your tenant specifically.

Copper Contributor

It has been 3 years, and this still hasn't been updated to filter out disabled/inactive users or to allow filtering to only O365 licensed users. It is telling me that users are not MFA-enabled when I have personally set them up and seen them use MFA.

Version history
Last update: Aug 19 2021 04:21 PM