Query Details
//Query your Azure Active Directory audit logs for any phone numbers that have been registered to multiple users for MFA
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where TimeGenerated > ago(30d)
| where Result == "success"
| where Identity == "Azure Credential Configuration Endpoint Service"
| where OperationName == "Update user"
| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend PhoneNumber = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))[0].PhoneNumber)
| where isnotempty(PhoneNumber)
| summarize Users=make_set(UserPrincipalName) by PhoneNumber
| extend CountofUsers=array_length(Users)
| where CountofUsers > 1
This query searches the Azure Active Directory audit logs for phone numbers that have been registered to multiple users for multi-factor authentication (MFA). It keeps only events from the last 30 days that succeeded, were raised by the "Azure Credential Configuration Endpoint Service" identity, and have the operation name "Update user". It then extracts the user principal name and the phone number (the number sits inside a JSON string nested in the modified properties of the target resource, which is why parse_json is applied twice) and groups the users by phone number. Finally, it keeps only phone numbers that are associated with more than one user.
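The same unpacking and grouping logic, written in Python over constructed sample audit rows so the nested JSON shape the query relies on can be inspected offline (added example, not part of the original query or its author's work). The row builder `_record`, the helper names and the sample UPNs and numbers are assumptions; the filter values match the query above.

```python
import json
from collections import defaultdict

SERVICE = "Azure Credential Configuration Endpoint Service"

def _record(upn, phone, result="success"):
    """Constructed AuditLogs row: modifiedProperties is a JSON string whose
    element [1].newValue is itself a JSON string holding a list with PhoneNumber."""
    details = json.dumps([{"PhoneNumber": phone}]) if phone is not None else "[]"
    return {
        "Result": result, "Identity": SERVICE, "OperationName": "Update user",
        "TargetResources": [{
            "userPrincipalName": upn,
            "modifiedProperties": json.dumps([
                {"displayName": "StrongAuthenticationMethod", "newValue": "[]"},
                {"displayName": "StrongAuthenticationUserDetails", "newValue": details},
            ]),
        }],
    }

# Constructed sample rows (not real tenant data); the 30-day TimeGenerated window is assumed applied upstream.
SAMPLE_AUDIT_LOGS = [
    _record("alice@contoso.example", "+1 5550100"),
    _record("bob@contoso.example", "+1 5550100"),                    # same number as alice
    _record("carol@contoso.example", "+1 5550199"),                  # unique number
    _record("dave@contoso.example", "+1 5550100", result="failure"), # excluded: not a success
    _record("erin@contoso.example", None),                           # no phone in the event
]

def extract_phone(record):
    """Mirror the query's double parse_json chain; the [1] index is positional, so a row
    with a different property order yields None here rather than a wrong number."""
    try:
        props = json.loads(record["TargetResources"][0]["modifiedProperties"])
        details = json.loads(props[1]["newValue"])
        return details[0].get("PhoneNumber") or None
    except (KeyError, IndexError, TypeError, ValueError, AttributeError):
        return None

def shared_mfa_phones(records):
    """Return {phone: sorted UPNs} for numbers registered to more than one user."""
    users_by_phone = defaultdict(set)
    for r in records:
        if (r.get("Result"), r.get("Identity"), r.get("OperationName")) != ("success", SERVICE, "Update user"):
            continue
        phone = extract_phone(r)
        if phone:
            users_by_phone[phone].add(r["TargetResources"][0]["userPrincipalName"])
    return {p: sorted(u) for p, u in users_by_phone.items() if len(u) > 1}
```

Running `shared_mfa_phones(SAMPLE_AUDIT_LOGS)` reports only the number alice and bob share; dave's failed update and erin's empty details are dropped, as in the KQL.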

Matt Zorich
Released: September 1, 2023