Query Details

Identity Third Party MFA Failures

Query

//Retrieve sign-in failures due to third-party MFA (Okta/Duo etc). Azure AD handles third-party MFA differently from native Microsoft MFA. A user is sent to the third-party MFA service and generates result code 50158.
//If successful, the user then generates a success result code 0. When third-party MFA fails, Azure AD logs the 50158 result code but no corresponding 0 result code.

//Data connector required for this query - Azure Active Directory - Signin Logs

//Microsoft Sentinel query
SigninLogs
//Create a list of all result codes within a single sign in to Azure AD
| summarize MFA=make_list(ResultType) by CorrelationId
//Find correlation ids where the user was sent to third party MFA (ResultType 50158) but there is no subsequent success (ResultType 0)
| where MFA has "50158" and MFA !has "0"
//Join back to SigninLogs table to find the sign in details
| join kind=inner (SigninLogs) on CorrelationId
| project
    TimeGenerated,
    UserPrincipalName,
    UserType,
    AppDisplayName,
    IPAddress,
    Location,
    UserAgent,
    ResultType

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

AADSignInEventsBeta
//Create a list of all result codes within a single sign in to Azure AD
| summarize MFA=make_list(ErrorCode) by CorrelationId
//Find correlation ids where the user was sent to third party MFA (ErrorCode 50158) but there is no subsequent success (ErrorCode 0)
| where MFA has "50158" and MFA !has "0"
//Join back to the AADSignInEventsBeta table to find the sign in details
| join kind=inner (AADSignInEventsBeta) on CorrelationId
| project
    Timestamp,
    AccountUpn,
    IsGuestUser,
    Application,
    IPAddress,
    Country,
    UserAgent,
    ErrorCode

Explanation

This query retrieves sign-in failures due to third-party multi-factor authentication (MFA) services like Okta or Duo. It looks for cases where a user is sent to the third-party MFA service and generates a code 50158. If the MFA is successful, a code 0 is generated. However, if the third-party MFA fails, Azure AD logs the 50158 result code but not the corresponding 0 result code.

The query uses the Azure Active Directory - Signin Logs data connector to create a list of all result codes within a single sign-in to Azure AD. It then filters for correlation IDs where the user was sent to third-party MFA (result code 50158) but there is no subsequent success (result code 0). It joins back to the SigninLogs table to find the sign-in details and projects the relevant fields such as time generated, user principal name, user type, app display name, IP address, location, user agent, and result type.

For the Advanced Hunting query, it requires the Advanced Hunting with Azure AD P2 License data connector. The query is similar to the previous one, but it uses the AADSignInEventsBeta table and projects different fields such as timestamp, account UPN, guest user status, application, IP address, country, user agent, and error code.
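The grouping logic the two queries share (collect every result code per CorrelationId, keep the sign-ins that contain 50158 but no 0, then join back for the detail columns) can be reproduced offline to check what a detection will and will not flag. This is an added Python example, not part of the original query or its author's work; the rows are constructed sample SigninLogs records, not real log data.

```python
from collections import defaultdict

# Columns the Sentinel query projects after the join.
PROJECTED = ("TimeGenerated", "UserPrincipalName", "UserType", "AppDisplayName",
             "IPAddress", "Location", "UserAgent", "ResultType")


def _row(corr, ts, code, upn="alice@example.com"):
    """Build one constructed SigninLogs row (sample data, not a real log)."""
    return {"TimeGenerated": ts, "CorrelationId": corr, "UserPrincipalName": upn,
            "UserType": "Member", "AppDisplayName": "Office 365",
            "IPAddress": "203.0.113.10", "Location": "AU",
            "UserAgent": "Mozilla/5.0", "ResultType": code}


# Constructed sample sign-ins covering the three cases the query distinguishes.
SAMPLE_SIGNIN_LOGS = [
    # corr-A: redirected to third-party MFA (50158) and then succeeded (0)
    _row("corr-A", "2022-06-17T08:00:00Z", "50158"),
    _row("corr-A", "2022-06-17T08:00:20Z", "0"),
    # corr-B: redirected to third-party MFA (50158) with no later success -> flagged
    _row("corr-B", "2022-06-17T08:05:00Z", "50158", upn="bob@example.com"),
    # corr-C: wrong password (50126), never reached the third-party MFA step
    _row("corr-C", "2022-06-17T08:10:00Z", "50126", upn="carol@example.com"),
]


def third_party_mfa_failures(rows):
    """Return the projected rows of every sign-in (CorrelationId) whose result
    codes include 50158 but not 0, mirroring summarize -> where -> join -> project."""
    # summarize MFA=make_list(ResultType) by CorrelationId
    codes_by_corr = defaultdict(list)
    for row in rows:
        codes_by_corr[row["CorrelationId"]].append(str(row["ResultType"]))
    # where MFA has "50158" and MFA !has "0"  (whole-code match, like a KQL term match)
    failed = {cid for cid, codes in codes_by_corr.items()
              if "50158" in codes and "0" not in codes}
    # join kind=inner (SigninLogs) on CorrelationId, then project the detail columns
    return [{col: row[col] for col in PROJECTED}
            for row in rows if row["CorrelationId"] in failed]


if __name__ == "__main__":
    for hit in third_party_mfa_failures(SAMPLE_SIGNIN_LOGS):
        print(hit["TimeGenerated"], hit["UserPrincipalName"], hit["ResultType"])
```

Only the corr-B sign-in is returned: corr-A has the trailing success code and corr-C never produced a 50158, which is exactly the separation the KQL `where` clause relies on.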

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs, AADSignInEventsBeta

Keywords

SigninLogs,CorrelationId,ResultType,MFA,make_list,where,has,!has,join,kind,inner,TimeGenerated,UserPrincipalName,UserType,AppDisplayName,IPAddress,Location,UserAgent,AADSignInEventsBeta,ErrorCode,Timestamp,AccountUpn,IsGuestUser,Application,Country

Operators

summarize, make_list, where, has, !has, join, kind=inner, project