
Log Analytics SigninLogs Error: 50076. MFA Successful and not passed at the same time

stijsseling
New Contributor

I am trying to make sense of the SigninLogs in Log Analytics.

Because there are multiple rows for a single logon event I’m trying to combine them on CorrelationID and see if a user successfully logged on and used MFA.

Now I’m seeing some situations with 3 rows with the following information:

errorCode: 50076
failureReason: "User did not pass the MFA challenge."
additionalDetails: "MFA successfully completed"
ConditionalAccessStatus: "failure" (Enforcing MFA)

(Also see screenshot for summary on CorrelationId)

Does anybody have any idea why I am getting the situation above?

And if there is a better way to query the SigninLogs?

1 Reply
Solution

@stijsseling

It would help to see your query. This should show the user activity in date/time order:

// https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/reference-sign-ins-error-...
SigninLogs
// Keep only rows that mention MFA in any column
| search "MFA"
//| where UserPrincipalName == "< name your user >"
| extend errorCode_ = tostring(Status.errorCode)
// errorCode_ is a string, so compare it with "0" (0 means success)
| where errorCode_ != "0"
| where ConditionalAccessStatus == "failure"
| extend additionalDetails_ = tostring(Status.additionalDetails)
| extend failureReason_ = tostring(Status.failureReason)
// TimeGenerated is a grouping key, so each sign-in row stays separate; list oldest first
| summarize make_set(errorCode_), make_set(ConditionalAccessStatus) by CorrelationId, TimeGenerated, additionalDetails_, failureReason_, UserPrincipalName
| order by TimeGenerated asc

Results (I skipped some columns to simplify the output):

| TimeGenerated | additionalDetails_ | failureReason_ | set_errorCode_ | set_ConditionalAccessStatus |
| --- | --- | --- | --- | --- |
| 2019-10-21T17:52:42.815Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-23T18:59:46.198Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-24T14:56:35.178Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-25T20:01:11.165Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
| 2019-10-28T23:41:10.524Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
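
The correlation the question asks about, as an added example that is not part of the original thread: it collapses all rows of one sign-in into a single row per CorrelationId and labels the outcome. The sample rows, the `Outcome` labels, and the reading of 50074/50076 as "MFA prompt raised" with error code 0 as "sign-in completed" are assumptions made for this example.

```kusto
// Constructed sample rows (not real tenant data), shaped like the SigninLogs
// columns used in this thread. Swap SampleSignins for SigninLogs in a workspace.
let SampleSignins = datatable(TimeGenerated:datetime, CorrelationId:string,
                              UserPrincipalName:string,
                              ConditionalAccessStatus:string, Status:dynamic)
[
    // corr-A: MFA interrupt row followed by a success row in the same sign-in
    datetime(2019-12-17 09:00:01), "corr-A", "alice@example.com", "failure",
        dynamic({"errorCode":50076,
                 "failureReason":"User did not pass the MFA challenge.",
                 "additionalDetails":"MFA successfully completed"}),
    datetime(2019-12-17 09:00:20), "corr-A", "alice@example.com", "success",
        dynamic({"errorCode":0}),
    // corr-B: MFA interrupt row with no success row after it
    datetime(2019-12-17 10:15:00), "corr-B", "bob@example.com", "failure",
        dynamic({"errorCode":50074,
                 "failureReason":"User did not pass the MFA challenge.",
                 "additionalDetails":"MFA required in Azure AD"})
];
// Assumption: these two codes mark the point where the MFA prompt was raised
let MfaInterruptCodes = dynamic(["50074", "50076"]);
SampleSignins
| extend errorCode_ = tostring(Status.errorCode),
         additionalDetails_ = tostring(Status.additionalDetails)
// One output row per sign-in: TimeGenerated is aggregated, not a grouping key
| summarize
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    RowCount    = count(),
    ErrorCodes  = make_set(errorCode_),
    Details     = make_set(additionalDetails_),
    CaStatuses  = make_set(ConditionalAccessStatus),
    Succeeded   = countif(errorCode_ == "0") > 0,
    MfaPrompted = countif(errorCode_ in (MfaInterruptCodes)) > 0
  by CorrelationId, UserPrincipalName
| extend Outcome = case(
    Succeeded and MfaPrompted, "signed in after MFA prompt",
    Succeeded,                 "signed in, no MFA interrupt logged",
    MfaPrompted,               "MFA prompt not followed by success",
                               "failed for another reason")
| order by FirstSeen asc
```

Rows labelled "MFA prompt not followed by success" are the ones worth reviewing per user; filtering on `errorCode_ != "0"` before the summarize would hide the success row and make every prompted sign-in look like a failure.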

 

 
