Query Details

Identity Find Users Only Using Text for MFA

Query

//Find users who are only using text message as their MFA method

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where TimeGenerated > ago(30d)
//You can exclude guests if you want, as they may be harder to move to more secure methods. Comment out the line below to include all users.
| where UserType == "Member"
| mv-expand todynamic(AuthenticationDetails)
| extend ['Authentication Method'] = tostring(AuthenticationDetails.authenticationMethod)
| where ['Authentication Method'] !in ("Previously satisfied", "Password", "Other")
| where isnotempty(['Authentication Method'])
| summarize
    ['Count of distinct MFA Methods']=dcount(['Authentication Method']),
    ['List of MFA Methods']=make_set(['Authentication Method'])
    by UserPrincipalName
//Find users with only one method found and it is text message
| where ['Count of distinct MFA Methods'] == 1 and ['List of MFA Methods'] has "text"

Explanation

This query finds users whose only observed multi-factor authentication (MFA) method is text message. It requires the Azure Active Directory - Signin Logs data connector. It limits the sign-in logs to the past 30 days and keeps only users whose UserType is "Member", which excludes guests. It expands the AuthenticationDetails field and extracts each entry's authenticationMethod into a new field called 'Authentication Method'. It then drops the values "Previously satisfied", "Password" and "Other", along with empty values. For each user, the query counts the distinct remaining MFA methods and collects them into a set. Finally, it keeps users who have exactly one distinct MFA method, where that method contains the term "text".
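To check the logic before running it against a tenant, the same pipeline can be pointed at a small inline table. This is an added example, not part of the original query: the table name SampleSigninLogs, the UPNs and the rows are constructed, and the 30-day TimeGenerated filter is left out because the sample has no timestamps.

```kusto
// Constructed sample rows standing in for SigninLogs (not real tenant data).
// AuthenticationDetails is a JSON string, as it is in the real table.
//   alice: text message only, plus one "Previously satisfied" sign-in
//   bob:   text message on one sign-in, app notification on another
//   carol: app notification only
//   dave:  guest account using text message only
//   erin:  only "Previously satisfied" entries
let SampleSigninLogs = datatable(UserPrincipalName:string, UserType:string, AuthenticationDetails:string)
[
    "alice@contoso.example", "Member", '[{"authenticationMethod":"Password"},{"authenticationMethod":"Text message"}]',
    "alice@contoso.example", "Member", '[{"authenticationMethod":"Previously satisfied"}]',
    "bob@contoso.example",   "Member", '[{"authenticationMethod":"Password"},{"authenticationMethod":"Text message"}]',
    "bob@contoso.example",   "Member", '[{"authenticationMethod":"Password"},{"authenticationMethod":"Mobile app notification"}]',
    "carol@contoso.example", "Member", '[{"authenticationMethod":"Password"},{"authenticationMethod":"Mobile app notification"}]',
    "dave@partner.example",  "Guest",  '[{"authenticationMethod":"Password"},{"authenticationMethod":"Text message"}]',
    "erin@contoso.example",  "Member", '[{"authenticationMethod":"Previously satisfied"}]'
];
SampleSigninLogs
// Same steps as the query above, minus the time filter
| where UserType == "Member"
| mv-expand todynamic(AuthenticationDetails)
| extend ['Authentication Method'] = tostring(AuthenticationDetails.authenticationMethod)
| where ['Authentication Method'] !in ("Previously satisfied", "Password", "Other")
| where isnotempty(['Authentication Method'])
| summarize
    ['Count of distinct MFA Methods']=dcount(['Authentication Method']),
    ['List of MFA Methods']=make_set(['Authentication Method'])
    by UserPrincipalName
| where ['Count of distinct MFA Methods'] == 1 and ['List of MFA Methods'] has "text"
```

The result reflects only the methods seen in sign-ins during the window, not the methods a user has registered, so a user with a stronger method registered but unused still appears.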

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

Devices,Intune,User,MFA

Operators

| where | mv-expand | extend | where | where | summarize | by | where | has
