cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Need Clarification on "Update user" operation in Audit Log

Vel
Copper Contributor

‎Apr 18 2024 11:31 AM

‎Apr 18 2024 11:31 AM

Need Clarification on "Update user" operation in Audit Log

Hello Sentinel Community,

I recently came across an event in my Azure Sentinel instance that I'm seeking clarification on. The event shows an operation labeled "Update user" and the display name as "StrongAuthenticationPhoneAppDetail identified by Azure MFA StrongAuthenticationService."

Could someone please help me understand what this event signifies and what type of activity the end user might have performed? Specifically, I'm curious about the implications of the "Update user" operation and how it relates to Azure Multi-Factor Authentication (MFA) settings.

Any insights or guidance on where to find more information would be greatly appreciated.

 

Vel_0-1713464837936.png

 

Labels:
128 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Apr 19 2024 03:51 AM

‎Apr 19 2024 03:51 AM

Re: Need Clarification on "Update user" operation in Audit Log

I'm pretty sure that StrongAuthenticationPhoneAppDetail holds the phone details for MFA, so you are seeing the user updating something like their phone number / setting etc...

https://answers.microsoft.com/en-us/msoffice/forum/all/powershell-to-see-what-device-mfa-is-register...
1 Like
Reply