SOLVED

Log Analytics SigninLogs Error: 50076. MFA Successfull and not passed at the same time

Copper Contributor

I am trying to make sense of the SigninLogs in Log Analytics.

Because there are multiple rows for a single logon event I’m trying to combine them on CorrelationID and see if a user successfully logged on and used MFA.

Now I’m seeing some situation with 3 rows with the following information:

errorCode:50076
failureReason:“User did not pass the MFA challenge.”
additionalDetails:"MFA successfully completed"
ConditionalAccessStatus:“failure” (Enforcing MFA)

(Also see screenshot for summary on CorrelationId)

 

Does anybody have any idea why am I getting the situation above?

And if there is a better way to query the SigninLogs?

 

 

1 Reply
best response confirmed by stijsseling (Copper Contributor)
Solution

@stijsseling 

 

It would help to see your query, this should show the user activity in date/time order

 

// https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/reference-sign-ins-error-...
SigninLogs
| search "MFA"
//| where UserPrincipalName == "< name your user >"
| extend errorCode_ = tostring(Status.errorCode) 
| where errorCode_ !=0
| where  ConditionalAccessStatus =="failure"
| extend additionalDetails_ = tostring(Status.additionalDetails) 
| extend failureReason_ = tostring(Status.failureReason) 
| summarize  make_set(errorCode_) , make_set(ConditionalAccessStatus) by  CorrelationId , TimeGenerated, additionalDetails_, failureReason_, UserPrincipalName
| order by TimeGenerated asc 

 

Results (I skipped some columns to simplify the output ) 

 

TimeGenerated additionalDetails_ failureReason_ set_errorCode_ set_ConditionalAccessStatus
2019-10-21T17:52:42.815Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-23T18:59:46.198Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-24T14:56:35.178Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-25T20:01:11.165Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-28T23:41:10.524Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]

 

 

1 best response

Accepted Solutions
best response confirmed by stijsseling (Copper Contributor)
Solution

@stijsseling 

 

It would help to see your query, this should show the user activity in date/time order

 

// https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/reference-sign-ins-error-...
SigninLogs
| search "MFA"
//| where UserPrincipalName == "< name your user >"
| extend errorCode_ = tostring(Status.errorCode) 
| where errorCode_ !=0
| where  ConditionalAccessStatus =="failure"
| extend additionalDetails_ = tostring(Status.additionalDetails) 
| extend failureReason_ = tostring(Status.failureReason) 
| summarize  make_set(errorCode_) , make_set(ConditionalAccessStatus) by  CorrelationId , TimeGenerated, additionalDetails_, failureReason_, UserPrincipalName
| order by TimeGenerated asc 

 

Results (I skipped some columns to simplify the output ) 

 

TimeGenerated additionalDetails_ failureReason_ set_errorCode_ set_ConditionalAccessStatus
2019-10-21T17:52:42.815Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-23T18:59:46.198Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-24T14:56:35.178Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-25T20:01:11.165Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]
2019-10-28T23:41:10.524Z MFA required in Azure AD User did not pass the MFA challenge. ["50074"] ["failure"]

 

 

View solution in original post