Users Authenticating With The MFA Companion App

# KQL query to list users authenticating with the MFA Companion app ```kusto // Lists all users authenticating with the Companion mobile app notification SigninLogs | where AuthenticationRequirement == "multiFactorAuthentication" | where ResultType == 0 | project UserPrincipalName, AuthenticationDetails | extend ['MFA Method'] = tostring(parse_json(AuthenticationDetails)[1].authenticationMethod) | where ['MFA Method'] == "Companion mobile app notification" | summarize SignInCount=count() by UserPrincipalName | sort by SignInCount desc ```

Explanation

This KQL query retrieves a list of users who have successfully authenticated using the "Companion mobile app notification" method for multi-factor authentication (MFA). Here's a simple breakdown of what the query does:

Data Source: It starts by looking at the SigninLogs, which contains records of user sign-ins.
Filter for MFA: It filters the logs to include only those sign-ins where multi-factor authentication was required (AuthenticationRequirement == "multiFactorAuthentication").
Successful Sign-ins: It further narrows down the results to only include successful sign-ins (ResultType == 0).
Select Relevant Information: It selects the UserPrincipalName (the user's identity) and AuthenticationDetails.
Extract MFA Method: It extracts the specific MFA method used by parsing the AuthenticationDetails to find entries where the method is "Companion mobile app notification".
Count Sign-ins: It counts how many times each user has signed in using this method.
Sort Results: Finally, it sorts the users by the number of sign-ins in descending order, showing the most frequent users at the top.

In summary, the query identifies and ranks users based on how often they authenticate using the Companion mobile app notification for MFA.

KQL Search

Users Authenticating With The MFA Companion App

Query

Explanation

Details

Actions