Query Details

Identity Visualize MFA Challenge vs Previously Satisfied

Query

//Visualize when your users are actively challenged for MFA vs when it was previously satisfied

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| where TimeGenerated > ago(90d)
| where AuthenticationRequirement == "multiFactorAuthentication"
| mv-expand todynamic(AuthenticationDetails)
| project TimeGenerated, AuthenticationDetails
| extend MFAResultStep = tostring(AuthenticationDetails.authenticationStepResultDetail)
| summarize
    MFARequired=countif(MFAResultStep == "MFA completed in Azure AD"),
    PreviouslySatisfied=countif(MFAResultStep == "MFA requirement satisfied by claim in the token")
    by bin(TimeGenerated, 1d)
| render timechart
    with (
    xtitle="Day",
    ytitle="Count",
    title="MFA challenges vs MFA previously satisfied over time")

Explanation

This query analyzes the last 90 days of Azure Active Directory sign-in logs, limited to sign-ins where multi-factor authentication (MFA) was required, to visualize when users are actively challenged for MFA compared to when the MFA requirement was previously satisfied. It expands the authentication steps recorded for each sign-in, then counts the steps where MFA was completed in Azure AD and the steps where the MFA requirement was satisfied by a claim in the token, grouping both counts by day. The results are displayed in a time chart showing MFA challenges and MFA previously satisfied over time.
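
To see which sign-in records land in each series, the same logic can be run over a few constructed rows without the data connector. This is an added example, not part of the original query: the `SampleSignins` and `Steps` names are assumptions, and every sample value other than the two result strings the query matches on is constructed.

```kql
// Constructed sample rows, not real sign-in data. Column names mirror the
// SigninLogs columns used by the query; AuthenticationDetails is a JSON
// array held in a string, which is why it is passed through todynamic().
let SampleSignins = datatable(TimeGenerated: datetime, AuthenticationRequirement: string, AuthenticationDetails: string)
[
    // Two steps: a password step and an interactive MFA step
    datetime(2022-06-15 08:00:00), "multiFactorAuthentication",
    '[{"authenticationMethod":"Password","authenticationStepResultDetail":"Correct password"},{"authenticationMethod":"Mobile app notification","authenticationStepResultDetail":"MFA completed in Azure AD"}]',
    // Two steps: both factors carried over from an earlier session
    datetime(2022-06-15 09:30:00), "multiFactorAuthentication",
    '[{"authenticationMethod":"Previously satisfied","authenticationStepResultDetail":"First factor requirement satisfied by claim in the token"},{"authenticationMethod":"Previously satisfied","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token"}]',
    // Single-factor sign-in: removed by the AuthenticationRequirement filter
    datetime(2022-06-15 11:00:00), "singleFactorAuthentication",
    '[{"authenticationMethod":"Password","authenticationStepResultDetail":"Correct password"}]',
    // One step: MFA claim already present in the token
    datetime(2022-06-16 10:00:00), "multiFactorAuthentication",
    '[{"authenticationMethod":"Previously satisfied","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token"}]',
    // Two steps: a password step and an interactive MFA step
    datetime(2022-06-16 14:00:00), "multiFactorAuthentication",
    '[{"authenticationMethod":"Password","authenticationStepResultDetail":"Correct password"},{"authenticationMethod":"Mobile app notification","authenticationStepResultDetail":"MFA completed in Azure AD"}]'
];
SampleSignins
// The 90-day TimeGenerated filter is omitted here because the sample
// timestamps are fixed dates.
| where AuthenticationRequirement == "multiFactorAuthentication"
// Parse the JSON string, then emit one row per authentication step.
| extend Steps = todynamic(AuthenticationDetails)
| mv-expand Steps
| extend MFAResultStep = tostring(Steps.authenticationStepResultDetail)
// Steps with any other result detail (for example the password step)
// match neither countif and add nothing to either series.
| summarize
    MFARequired=countif(MFAResultStep == "MFA completed in Azure AD"),
    PreviouslySatisfied=countif(MFAResultStep == "MFA requirement satisfied by claim in the token")
    by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
```

Because `mv-expand` produces one row per authentication step, the counts are counts of matching steps rather than of sign-in events.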

Details

Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

SigninLogs,TimeGenerated,AuthenticationRequirement,AuthenticationDetails,MFAResultStep,MFARequired,PreviouslySatisfied

Operators

where,ago,mv-expand,project,extend,summarize,countif,by,bin,render
