Query Details

Auth Methods Windows Signin

Query

// Query over all Windows Sign-ins
union SigninLogs
| where TimeGenerated > ago(30d)
| where Resource == "Microsoft.aadiam" and AppDisplayName == "Windows Sign In"
| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend succeeded_ = tostring(parse_json(AuthenticationDetails)[0].succeeded)
| where succeeded_ == "true"
| extend authenticationStepDateTime_ = todatetime(tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime))
| extend displayName_ = tostring(DeviceDetail.displayName)
| extend trustType_ = tostring(DeviceDetail.trustType)
| extend deviceId_ = tostring(DeviceDetail.deviceId)
| join kind=inner (
  IdentityInfo
  | where TimeGenerated > ago(14d)
  | project TimeGenerated, AccountName, AccountObjectId
  | summarize arg_max(TimeGenerated, *) by AccountObjectId)
  on $left.UserId == $right.AccountObjectId
| summarize Count=dcount(Identity) by authenticationMethod_, Identity
| render piechart 

Explanation

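This query looks at Windows sign-ins over the past 30 days. It keeps sign-ins where Resource is "Microsoft.aadiam" and AppDisplayName is "Windows Sign In". From the first entry of AuthenticationDetails it extracts the authentication method, whether it succeeded, and the authentication step date and time, and it keeps only rows where that step succeeded. It also extracts the display name of the device, the trust type, and the device ID from DeviceDetail.

Next, it joins this information with the IdentityInfo table, which contains account names and object IDs, using the latest record per account from the past 14 days and matching UserId to AccountObjectId. It summarizes the count of unique identities by authentication method and identity; because Identity is itself a grouping key, each result row corresponds to one pair of authentication method and identity. Finally, it renders the results as a pie chart.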
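
An added example, not part of the original query or the author's code: it expands every entry of AuthenticationDetails instead of reading only element [0], then counts distinct users per successful method, with and without the first-step restriction. The rows in SampleSignins (user IDs, identities and step sequences) are constructed for illustration and stand in for SigninLogs.

```kql
// Constructed sample rows (not real tenant data) standing in for SigninLogs.
// Row 3 has a failed first step and a successful second step, so a query that
// reads only AuthenticationDetails[0] would drop it.
// Row 4 repeats the user from row 1, so dcount still counts that user once.
let SampleSignins = datatable(UserId:string, Identity:string, AuthenticationDetails:string)
[
    "00000000-0000-0000-0000-000000000001", "user1@example.com",
    '[{"authenticationMethod":"Windows Hello for Business","succeeded":true}]',
    "00000000-0000-0000-0000-000000000002", "user2@example.com",
    '[{"authenticationMethod":"Password","succeeded":true}]',
    "00000000-0000-0000-0000-000000000003", "user3@example.com",
    '[{"authenticationMethod":"Password","succeeded":false},{"authenticationMethod":"Windows Hello for Business","succeeded":true}]',
    "00000000-0000-0000-0000-000000000001", "user1@example.com",
    '[{"authenticationMethod":"Windows Hello for Business","succeeded":true}]'
];
SampleSignins
| extend details = parse_json(AuthenticationDetails)
// One output row per authentication step; stepIndex is the position in the array.
| mv-expand with_itemindex = stepIndex details
| extend authenticationMethod_ = tostring(details.authenticationMethod)
// Keep only steps that succeeded.
| where tobool(details.succeeded)
| summarize
    UsersAnyStep   = dcount(UserId),                   // distinct users, any step
    UsersFirstStep = dcountif(UserId, stepIndex == 0)  // distinct users, first step only
    by authenticationMethod_
| order by UsersAnyStep desc
```

To run it against real data, replace SampleSignins with the filtered SigninLogs rows from the query above.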

Details

Thomas Naunheim

Released: September 28, 2023

Tables

SigninLogs, IdentityInfo

Keywords

Devices, Intune, User

Operators

union, where, extend, join, on, project, summarize, render, todatetime, tostring, parse_json, ago, dcount
