Query Details

Identity Summarize MFA Failures

Query

//Summarize the count of the various types of MFA failures (such as user not responding, invalid codes, user declining the authentication)

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "500121"
| mv-expand todynamic(AuthenticationDetails)
| project AuthenticationDetails, ResultType
| extend ['MFA Failure Type'] = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)
| where ['MFA Failure Type'] startswith "MFA denied"
| summarize Count=count() by ['MFA Failure Type']
| sort by Count

Explanation

This query summarizes the count of the different types of MFA failures, such as the user not responding, invalid codes, and the user declining the authentication. It uses the Azure Active Directory - Signin Logs data connector. It filters the logs to the past 90 days and keeps only sign-ins with a ResultType of "500121". It then expands the AuthenticationDetails field so that each authentication step becomes its own row, projects the AuthenticationDetails and ResultType fields, and creates a new field called "MFA Failure Type" by extracting the authenticationStepResultDetail value from each step. It keeps only failure types starting with "MFA denied", summarizes the count of each failure type, and sorts the results by count.
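To make each stage of the query concrete, here is an added Python re-implementation of the same pipeline over a handful of constructed SigninLogs-style rows. It is example code written for this page, not the author's query or anything from Microsoft Sentinel; the column names (TimeGenerated, ResultType, AuthenticationDetails) and the authenticationStepResultDetail key are taken from the query above, while the sample detail strings and timestamps are constructed for illustration. It shows why mv-expand matters: a sign-in with several authentication steps yields one row per step, and only the steps whose detail starts with "MFA denied" are counted.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Reference time for the 90-day window (constructed; the real query uses now()).
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)

# Constructed sample rows shaped like the SigninLogs columns the query touches.
# AuthenticationDetails is a JSON array of authentication steps, one object per step.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": NOW - timedelta(days=1), "ResultType": "500121",
     "AuthenticationDetails": json.dumps([
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA denied; user did not respond to mobile app notification"}])},
    {"TimeGenerated": NOW - timedelta(days=2), "ResultType": "500121",
     "AuthenticationDetails": json.dumps([
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA denied; user did not respond to mobile app notification"}])},
    {"TimeGenerated": NOW - timedelta(days=3), "ResultType": "500121",
     "AuthenticationDetails": json.dumps([
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA denied; user declined the authentication"}])},
    # Two steps in one sign-in: mv-expand produces two rows, only the second matches.
    {"TimeGenerated": NOW - timedelta(days=4), "ResultType": "500121",
     "AuthenticationDetails": json.dumps([
         {"authenticationMethod": "Password", "authenticationStepResultDetail": "Correct password"},
         {"authenticationMethod": "Text message",
          "authenticationStepResultDetail": "MFA denied; invalid verification code"}])},
    # Older than 90 days: excluded by the time filter.
    {"TimeGenerated": NOW - timedelta(days=100), "ResultType": "500121",
     "AuthenticationDetails": json.dumps([
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA denied; user declined the authentication"}])},
    # Successful sign-in: excluded by the ResultType filter.
    {"TimeGenerated": NOW - timedelta(days=1), "ResultType": "0",
     "AuthenticationDetails": json.dumps([
         {"authenticationMethod": "Mobile app notification",
          "authenticationStepResultDetail": "MFA successfully completed"}])},
]


def summarize_mfa_failures(rows, now=NOW, lookback_days=90):
    """Mirror the KQL pipeline: time filter, ResultType filter, mv-expand,
    extract authenticationStepResultDetail, keep 'MFA denied*', count, sort."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for row in rows:
        if row["TimeGenerated"] <= cutoff:            # where TimeGenerated > ago(90d)
            continue
        if str(row["ResultType"]) != "500121":        # where ResultType == "500121"
            continue
        details = row["AuthenticationDetails"]
        steps = json.loads(details) if isinstance(details, str) else details  # todynamic / parse_json
        for step in steps:                            # mv-expand: one row per step
            failure_type = str(step.get("authenticationStepResultDetail", ""))  # tostring(...)
            if failure_type.startswith("MFA denied"):  # where ... startswith "MFA denied"
                counts[failure_type] += 1             # summarize Count=count() by ...
    # sort by Count (descending, like KQL's default for 'sort by')
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for failure_type, count in summarize_mfa_failures(SAMPLE_SIGNIN_LOGS):
        print(f"{count:>5}  {failure_type}")
```

Running it prints three failure types, with the "did not respond" category on top at 2; the successful sign-in and the 100-day-old row never reach the counter, and the two-step sign-in contributes exactly one "MFA denied" row.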

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

Devices, Intune, User

Operators

where, mv-expand, project, extend, summarize, sort by
