Query Details
Identity MFA Methods Pivot Table
Query
//Create a pivot table of all non password authentication methods by user. This is useful to migrate users from less secure methods like text message to more secure methods.
//Data connector required for this query - Azure Active Directory - Signin Logs
let isGUID = "[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}";
SigninLogs
| where TimeGenerated > ago(30d)
| mv-expand todynamic(AuthenticationDetails)
| extend ['Authentication Method'] = tostring(AuthenticationDetails.authenticationMethod)
//Exclude previously satisifed, passwords and other data and any UserPrincipalName that comes through as a guid
| where ['Authentication Method'] !in ("Previously satisfied", "Password", "Other")
and isnotempty(['Authentication Method'])
and not(UserPrincipalName matches regex isGUID)
//Create pivot table of each method and the count by user
| evaluate pivot(['Authentication Method'], count(), UserPrincipalName)
| sort by UserPrincipalName ascExplanation
This query creates a pivot table that shows the count of non-password authentication methods used by each user. It excludes previously satisfied methods, passwords, and any user with a UserPrincipalName that matches a specific pattern. The table is sorted in ascending order by user. The query requires data from the Azure Active Directory - Signin Logs data connector.
Details
Matt Zorich
Released: June 17, 2022
Tables
SigninLogs
Keywords
Devices,Intune,User,AzureActiveDirectory,SigninLogs
Operators
wheremv-expandextendisnotemptymatches regexevaluatepivotsort by