I am trying to make sense of the SigninLogs in Log Analytics.
Because there are multiple rows for a single logon event I’m trying to combine them on CorrelationID and see if a user successfully logged on and used MFA.
Now I’m seeing a situation with 3 rows with the following information:
(Also see screenshot for summary on CorrelationId)
Does anybody have any idea why I am getting the situation above?
And if there is a better way to query the SigninLogs?
It would help to see your query. This one should show the user activity in date/time order:
SigninLogs
| search "MFA"
//| where UserPrincipalName == "< name your user >"
// Status is a dynamic column; pull its fields out as strings
| extend errorCode_ = tostring(Status.errorCode)
// errorCode_ is a string, so compare against the string "0" (a numeric 0 would not compile)
| where errorCode_ != "0"
| where ConditionalAccessStatus == "failure"
| extend additionalDetails_ = tostring(Status.additionalDetails)
| extend failureReason_ = tostring(Status.failureReason)
| summarize make_set(errorCode_), make_set(ConditionalAccessStatus) by CorrelationId, TimeGenerated, additionalDetails_, failureReason_, UserPrincipalName
| order by TimeGenerated asc
Results (I skipped some columns to simplify the output):
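The collapsing the question asks for, one row per CorrelationId with the attempt's final outcome and whether MFA was involved, as an added example rather than the poster's or the replier's query. Beyond the columns the thread already uses (CorrelationId, UserPrincipalName, TimeGenerated, Status, ConditionalAccessStatus), it assumes the standard SigninLogs columns AuthenticationRequirement and MfaDetail; the time window is a placeholder.

```kusto
// Added example, not from the original thread.
// One row per sign-in attempt (CorrelationId): the interrupt rows and the final row
// are folded together so a 3-row attempt reads as a single outcome.
// Assumed columns: AuthenticationRequirement, MfaDetail (standard SigninLogs schema).
SigninLogs
| where TimeGenerated > ago(1d)            // placeholder window
//| where UserPrincipalName == "<user@example.com>"
| extend errorCode = toint(Status.errorCode)
| extend failureReason = tostring(Status.failureReason)
| summarize
    AttemptStart   = min(TimeGenerated),
    AttemptEnd     = max(TimeGenerated),
    RowCount       = count(),                       // 1 = clean sign-in, >1 = interrupts occurred
    ErrorCodes     = make_set(errorCode),           // e.g. interrupt codes followed by 0
    FailureReasons = make_set_if(failureReason, isnotempty(failureReason)),
    CAStatuses     = make_set(ConditionalAccessStatus),
    MfaRows        = countif(AuthenticationRequirement == "multiFactorAuthentication"),
    MfaMethods     = make_set_if(tostring(MfaDetail.authMethod), isnotempty(MfaDetail.authMethod)),
    SuccessRows    = countif(errorCode == 0)        // at least one row with errorCode 0 = success
    by CorrelationId, UserPrincipalName
| extend Succeeded   = SuccessRows > 0,
         MfaRequired = MfaRows > 0
| extend Outcome = case(
    Succeeded and MfaRequired, "success-with-mfa",
    Succeeded,                 "success-single-factor",
    "failed-or-interrupted")
| project AttemptStart, AttemptEnd, UserPrincipalName, CorrelationId, Outcome,
          RowCount, ErrorCodes, FailureReasons, CAStatuses, MfaMethods
| order by AttemptStart asc
```

Rows whose Outcome is "success-single-factor" for a user who should be covered by an MFA policy are the ones worth checking against Conditional Access coverage.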