Report on MFA Prompts

%3CLINGO-SUB%20id%3D%22lingo-sub-1009815%22%20slang%3D%22en-US%22%3EReport%20on%20MFA%20Prompts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1009815%22%20slang%3D%22en-US%22%3E%3CP%3EI%20need%20to%20provide%20evidence%20to%20management%20on%20the%20number%20of%20MFA%20prompts%20users%20are%20receiving%20to%20determine%20suitability%20of%20our%20configuration.%20I%20know%20I%20can%20select%20an%20individual%20logon%20event%20where%20conditional%20access%20is%20classed%20as%20successful%20to%20determine%20what%20authentication%20method%20is%20used%20but%20is%20there%20a%20way%20to%20generate%20a%20report%20say%20on%20all%20MFA%20authentications%20passed%20by%20App%20Notification%2C%20Phone%20Call%20or%20SMS%20and%20ignore%20those%20passing%20due%20to%20existing%20token%20or%20hybrid%20joined%20device.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1009815%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1010483%22%20slang%3D%22en-US%22%3ERe%3A%20Report%20on%20MFA%20Prompts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1010483%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20either%20export%20the%20Azure%20AD%20Sign-in%20logs%20and%20pivot%20the%20data%20or%20plug%20it%20into%20Sentinel%20or%20some%20other%20system.%20The%20new%20Insights%20dashboard%20could%20also%20help%3A%26nbsp%3B%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FActiveDirectoryMenuBlade%2FInsights%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_AAD_IAM%2FActiveDirectoryMenuBlade%2FInsights%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1010897%22%20slang%3D%22en-US%22%3ERe%3A%20Report%20on%20MFA%20Prompts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1010897%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3EI%20know%20the%20dashboard%20says%20it%20is%20in%20preview%2C%20but%20I'm%20seeing%20weird%20results%2C%20and%20I%20don't%20know%20if%20this%20is%20because%20of%20our%20configuration%2C%20or%20errors%20in%20the%20report.%20%26nbsp%3B%20I%20had%20always%20assumed%20our%20configuration%20was%20not%20supported%20for%20this%20report.%26nbsp%3B%20We're%20using%20MFA%20server%20(not%20Azure%20MFA%20server)%2C%20but%20we%20see%20a%20small%20number%20of%20users%20appearing%20in%20the%20report%20and%20I%20can%20see%20no%20pattern%20behind%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1011880%22%20slang%3D%22en-US%22%3ERe%3A%20Report%20on%20MFA%20Prompts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1011880%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20if%20MFA%20server%20is%20supported%2C%20sorry.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1014409%22%20slang%3D%22en-US%22%3ERe%3A%20Report%20on%20MFA%20Prompts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014409%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bthe%20Usage%20%26amp%3B%20Insights%20includes%20the%20data%20I%20need%20but%20I%20have%20to%20generate%20reports%20per%20application.%20I%20also%20seem%20to%20be%20limited%20to%205200%20results%20when%20downloading%20each%20applications%20sign-in%20report%20regardless%20of%20timescale%20selected.%20This%20is%20a%20pain%20for%20applications%20that%20have%20a%20large%20number%20of%20sign-ins.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1014419%22%20slang%3D%22en-US%22%3ERe%3A%20Report%20on%20MFA%20Prompts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014419%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E.%26nbsp%3B%20Kind%20of%20guessed%20that%20was%20the%20case.%26nbsp%3B%20Just%20bizarre%20that%20it%20reports%20some%20data%26nbsp%3B%20-%20I%20expected%20to%20see%20no%20data%20at%20all.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I need to provide evidence to management on the number of MFA prompts users are receiving to determine suitability of our configuration. I know I can select an individual logon event where conditional access is classed as successful to determine what authentication method is used but is there a way to generate a report say on all MFA authentications passed by App Notification, Phone Call or SMS and ignore those passing due to existing token or hybrid joined device.

5 Replies
Highlighted

You can either export the Azure AD Sign-in logs and pivot the data or plug it into Sentinel or some other system. The new Insights dashboard could also help: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Insights

Highlighted

@Vasil MichevI know the dashboard says it is in preview, but I'm seeing weird results, and I don't know if this is because of our configuration, or errors in the report.   I had always assumed our configuration was not supported for this report.  We're using MFA server (not Azure MFA server), but we see a small number of users appearing in the report and I can see no pattern behind this.

Highlighted

Not sure if MFA server is supported, sorry.

Highlighted

Thanks@Vasil Michev the Usage & Insights includes the data I need but I have to generate reports per application. I also seem to be limited to 5200 results when downloading each applications sign-in report regardless of timescale selected. This is a pain for applications that have a large number of sign-ins.

Highlighted

Thanks @Vasil Michev.  Kind of guessed that was the case.  Just bizarre that it reports some data  - I expected to see no data at all.