Dec 18 2019
06:10 AM
- last edited on
Apr 08 2022
10:14 AM
by
TechCommunityAP
Dec 18 2019
06:10 AM
- last edited on
Apr 08 2022
10:14 AM
by
TechCommunityAP
I am trying to make sense of the SigninLogs in Log Analytics.
Because there are multiple rows for a single logon event I’m trying to combine them on CorrelationID and see if a user successfully logged on and used MFA.
Now I’m seeing some situation with 3 rows with the following information:
errorCode: | 50076 |
failureReason: | “User did not pass the MFA challenge.” |
additionalDetails: | "MFA successfully completed" |
ConditionalAccessStatus: | “failure” (Enforcing MFA) |
(Also see screenshot for summary on CorrelationId)
Does anybody have any idea why am I getting the situation above?
And if there is a better way to query the SigninLogs?
Dec 20 2019 03:37 AM
Solution
It would help to see your query, this should show the user activity in date/time order
// https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/reference-sign-ins-error-...
SigninLogs
| search "MFA"
//| where UserPrincipalName == "< name your user >"
| extend errorCode_ = tostring(Status.errorCode)
| where errorCode_ !=0
| where ConditionalAccessStatus =="failure"
| extend additionalDetails_ = tostring(Status.additionalDetails)
| extend failureReason_ = tostring(Status.failureReason)
| summarize make_set(errorCode_) , make_set(ConditionalAccessStatus) by CorrelationId , TimeGenerated, additionalDetails_, failureReason_, UserPrincipalName
| order by TimeGenerated asc
Results (I skipped some columns to simplify the output )
TimeGenerated | additionalDetails_ | failureReason_ | set_errorCode_ | set_ConditionalAccessStatus |
---|---|---|---|---|
2019-10-21T17:52:42.815Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-23T18:59:46.198Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-24T14:56:35.178Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-25T20:01:11.165Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-28T23:41:10.524Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
Dec 20 2019 03:37 AM
Solution
It would help to see your query, this should show the user activity in date/time order
// https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/reference-sign-ins-error-...
SigninLogs
| search "MFA"
//| where UserPrincipalName == "< name your user >"
| extend errorCode_ = tostring(Status.errorCode)
| where errorCode_ !=0
| where ConditionalAccessStatus =="failure"
| extend additionalDetails_ = tostring(Status.additionalDetails)
| extend failureReason_ = tostring(Status.failureReason)
| summarize make_set(errorCode_) , make_set(ConditionalAccessStatus) by CorrelationId , TimeGenerated, additionalDetails_, failureReason_, UserPrincipalName
| order by TimeGenerated asc
Results (I skipped some columns to simplify the output )
TimeGenerated | additionalDetails_ | failureReason_ | set_errorCode_ | set_ConditionalAccessStatus |
---|---|---|---|---|
2019-10-21T17:52:42.815Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-23T18:59:46.198Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-24T14:56:35.178Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-25T20:01:11.165Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |
2019-10-28T23:41:10.524Z | MFA required in Azure AD | User did not pass the MFA challenge. | ["50074"] | ["failure"] |