FIDO2 Key Audit Logs

Brass Contributor

Hi,

 

Does anyone have any KQL Queries that will give me a list of users that have used FIDO2 Keys as their method of authentication, or any audit logs that I can look up for all users to validate that these keys are being used as opposed to being available to be used.

 

We have FIDO2 Keys set as available to users in the estate and I know that they are being used where required, but in the users Sign-in logs, it isn't very clear as to where it proves that the user used FIDO2 as the authentication method.

 

When looking at a user that is using FIDO2 Key for their authentication, it doesn't show in the Basic Info tab in Entra Sign-in logs that FIDO Key use was used specifically?

 

I have a Conditional Access Policy set as Report Only to also help test this which enforces Authentication Strength for Phishing Resistant MFA, and the users I am looking at that I know use FIDO2 for authentication, would have successfully passed that CAP should it be enabled; so I know that it's working fine. I just need to be able to prove this in the audit logs for multiple users.

1 Reply

@Brok3NSpear did you manage to figure this out?

I am trying to pull similar report. I would want to know the user's who is using FIDO2 as their MFA option and the type of FIDO2 passkeys that they use. Any idea?