Query Details
Identity Visualize MFA Methods
Query
//Visualize the MFA types used by your users, i.e text message, mobile app notification, verification code //Data connector required for this query - Azure Active Directory - Signin Logs SigninLogs | where TimeGenerated > ago (30d) | where AuthenticationRequirement == "multiFactorAuthentication" | project AuthenticationDetails | extend ['MFA Method'] = tostring(parse_json(AuthenticationDetails)[1].authenticationMethod) | summarize Count=count()by ['MFA Method'] | where ['MFA Method'] != "Previously satisfied" and isnotempty(['MFA Method']) | sort by Count desc | render barchart with (title="Types of MFA Methods used")
Explanation
This query analyzes the MFA (Multi-Factor Authentication) types used by users. It retrieves data from the Azure Active Directory - Signin Logs data connector. The query filters the logs for the past 30 days and selects only the logs where the authentication requirement is multi-factor authentication. It then extracts the authentication details and creates a new column called 'MFA Method' to store the authentication method used. The query summarizes the count of each MFA method and filters out any previously satisfied methods or empty values. Finally, it sorts the results by count in descending order and visualizes them in a bar chart titled "Types of MFA Methods used".
Details
Matt Zorich
Released: June 17, 2022
Tables
SigninLogs
Keywords
SigninLogs,TimeGenerated,AuthenticationRequirement,AuthenticationDetails,['MFAMethod'],Count
Operators
whereago==projectextendsummarizeby!=isnotemptysort byrender