Query Details

Audit Logs MFA Disable Azure AD

Query

AuditLogs
| where Category == "UserManagement" and OperationName == "Disable Strong Authentication"
| mv-expand TargetResource = TargetResources
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"]),
    TargetUserPrincipalName = tostring(TargetResource["userPrincipalName"]),
    TargetId = tostring(TargetResource["id"])
| project
    TimeGenerated,
    Category,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    TargetUserPrincipalName,
    InitiatorId,
    TargetId,
    InitiatedBy,
    AdditionalDetails,
    TargetResources,
    LoggedByService,
    CorrelationId

Explanation

This query searches the AuditLogs table for events whose category is "UserManagement" and whose operation is "Disable Strong Authentication", which is the audit operation Azure AD records when per-user multi-factor authentication is turned off. It then expands TargetResources so that each targeted object becomes its own row, and adds columns for the initiator (the app's display name when an app acted, otherwise the user's principal name), the initiator's ID (service principal ID or user ID), the initiator's IP address (read from whichever InitiatedBy key comes first), the target user's principal name, and the target's ID.

Finally, it projects (selects) the columns shown in the output: the time the event was generated, the category, the initiator, the IP address, the operation name, the result, the target user's principal name, the initiator's ID, the target's ID, the raw InitiatedBy object, any additional details, the target resources, the service that logged the event, and the correlation ID.

In simpler terms, this query finds instances where strong authentication was disabled and reports who did it, from where, when, and to whom.
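The following Python re-implements the query's filter, expand and extend logic over constructed AuditLogs rows, so the app-versus-user initiator branch and the per-target expansion can be checked offline. It is an added example, not code from the page's author or from Microsoft Sentinel; the sample rows, their identifiers and addresses are constructed, and the field names are taken from the query above.

```python
"""Re-implementation of the "Disable Strong Authentication" KQL over sample rows."""
import json

# Constructed sample AuditLogs rows (not real tenant data). The keys mirror the
# columns the KQL query reads: Category, OperationName, InitiatedBy, TargetResources.
SAMPLE_AUDIT_LOGS = [
    {   # user-initiated, two targets: mv-expand should yield two output rows
        "TimeGenerated": "2023-03-13T10:15:00Z",
        "Category": "UserManagement",
        "OperationName": "Disable Strong Authentication",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test",
                                 "id": "11111111-0000-0000-0000-000000000001",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [
            {"userPrincipalName": "alice@example.test", "id": "aaaa-0001", "type": "User"},
            {"userPrincipalName": "bob@example.test", "id": "bbbb-0002", "type": "User"},
        ],
        "AdditionalDetails": [], "LoggedByService": "Core Directory", "CorrelationId": "corr-1",
    },
    {   # app (service principal) initiated: Initiator comes from the "app" branch
        "TimeGenerated": "2023-03-13T11:02:00Z",
        "Category": "UserManagement",
        "OperationName": "Disable Strong Authentication",
        "Result": "success",
        "InitiatedBy": {"app": {"displayName": "Provisioning Automation",
                                "servicePrincipalId": "sp-0001",
                                "ipAddress": "198.51.100.7"}},
        "TargetResources": [{"userPrincipalName": "carol@example.test", "id": "cccc-0003", "type": "User"}],
        "AdditionalDetails": [], "LoggedByService": "Core Directory", "CorrelationId": "corr-2",
    },
    {   # same category, different operation: filtered out by the where clause
        "TimeGenerated": "2023-03-13T11:30:00Z",
        "Category": "UserManagement",
        "OperationName": "Reset user password",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test", "id": "u-1",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"userPrincipalName": "dave@example.test", "id": "dddd-0004", "type": "User"}],
        "AdditionalDetails": [], "LoggedByService": "Core Directory", "CorrelationId": "corr-3",
    },
]

# Column order of the query's `project` clause.
PROJECTED = ["TimeGenerated", "Category", "Initiator", "IPAddress", "OperationName", "Result",
             "TargetUserPrincipalName", "InitiatorId", "TargetId", "InitiatedBy",
             "AdditionalDetails", "TargetResources", "LoggedByService", "CorrelationId"]


def initiator_fields(initiated_by):
    """Mirror the three `extend` expressions that describe who acted and from where."""
    app = initiated_by.get("app")
    if app:  # isnotempty(InitiatedBy["app"]) -> app branch
        name, ident = app.get("displayName", ""), app.get("servicePrincipalId", "")
    else:    # otherwise the user branch
        user = initiated_by.get("user") or {}
        name, ident = user.get("userPrincipalName", ""), user.get("id", "")
    # bag_keys(InitiatedBy)[0]: ipAddress is read from whichever key comes first
    keys = list(initiated_by)
    first = initiated_by.get(keys[0]) if keys else None
    ip = (first or {}).get("ipAddress", "")
    return name, ident, ip


def extract_mfa_disable_events(rows):
    """where ... | mv-expand TargetResources | extend ... | project, over plain dicts."""
    out = []
    for row in rows:
        if (row.get("Category") != "UserManagement"
                or row.get("OperationName") != "Disable Strong Authentication"):
            continue
        name, ident, ip = initiator_fields(row.get("InitiatedBy") or {})
        for target in row.get("TargetResources") or []:  # one output row per target
            rec = dict(row)
            rec.update({"Initiator": name, "InitiatorId": ident, "IPAddress": ip,
                        "TargetUserPrincipalName": target.get("userPrincipalName", ""),
                        "TargetId": target.get("id", "")})
            out.append({k: rec.get(k) for k in PROJECTED})
    return out


if __name__ == "__main__":
    for rec in extract_mfa_disable_events(SAMPLE_AUDIT_LOGS):
        print(json.dumps({k: rec[k] for k in
                          ("TimeGenerated", "Initiator", "IPAddress", "TargetUserPrincipalName")}))
```

Running the script prints three rows: two for the user-initiated event (one per expanded target) and one for the app-initiated event; the password-reset row is dropped by the filter. Note that, as in the KQL, the IP address is taken from the first key of InitiatedBy, so a row whose first key holds no ipAddress produces an empty IPAddress column.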

Details

Jose Sebastián Canós

Released: March 13, 2023

Tables

AuditLogs

Keywords

AuditLogs,UserManagement,DisableStrongAuthentication,TargetResource,Initiator,InitiatorId,IPAddress,TargetUserPrincipalName,TargetId,TimeGenerated,Category,OperationName,Result,InitiatedBy,AdditionalDetails,TargetResources,LoggedByService,CorrelationId

Operators

AuditLogs, where, mv-expand, extend, iif, isnotempty, tostring, bag_keys, project