This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
As the title says, we noticed today that logging in to the Microsoft Azure mobile app on an iPhone does NOT generate an event in the Azure AD Sign-in logs when the user is authenticating using the Microsoft Authenticator app. When authenticating, the user is redirected to the Microsoft Authenticator app where they select their username, then they are redirected back to the Microsoft Azure app without being prompted for a password or MFA code.
An event is only generated in the Azure AD Sign-in logs if we log in to the Microsoft Azure mobile app or https://portal.azure.com in Safari on an iPhone and authenticate by typing in our username and password and then provide the MFA one-time code.
Why is no event generated in the Sign-in logs in the first scenario when the user is authenticating with the Microsoft Authenticator app?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 45%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
Is Passwordless sign in enabled in your environment? Azure AD Sign in logs only capture interactive sign ins
@Jai Verma Thanks for the quick reply. I'm not familiar with passwordless sign-in with Azure. We use the Microsoft Authenticator app for MFA to in our Conditional Access policies to restrict access to some of our other applications like Power BI. Is it possible to see the logs for passwordless sign-ins?
Hello @David Bird ,
It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. Please clarify if this is the case
Please mark as "Accept the answer" if the above steps helps you. Others with similar issues can also follow the solution as per your suggestion
Regards,
Manu
@Manu Philip Where can I find the audit logs you are referencing?
I just checked our Azure tenant and have confirmed the "Microsoft Authenticator passwordless sign-in" method is not enabled (Azure Active Directory > Security > Authentication Methods).
Hi,
Go to https://protection.office.com. Sign in using your work or school account. In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
The Audit log search page is displayed.
Regards,
Manu
Thank you. I searched the audit log but didn't see anything. I know you said the event can take up to 24 hours to show up, but I don't see any indication that the audit log shows passwordless sign-in events. When I clicked the Activities drop down filter, I don't see anything related to passwordless sign-in or Microsoft Authenticator. Do you know what the activity would be called?
Hi,
Please check the following way of MFA auditing also
The Authentication Details or Conditional Access tab of the event details shows you the status code or which policy triggered the MFA prompt.
Check the codes corresponding to user activity from the table here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting#downloaded-activity-reports-result-codes
Thanks,
Manu
The Sign-in logs you described are the Sign-in logs I referenced in my original post Azure Active Directory > Sign-ins and Azure Active Directory > Users > Sign-ins appears to be the same log. My question in my original post is why are sign-ins performed by the Microsoft Authenticator app not being logged here? @Jai Verma said in his reply that the Sign-in logs only log interactive sign-ins, so I am looking for an answer on how I can view non-interactive sign-ins like the Microsoft Authenticator app?
A user, who is in the Security Administrator, Security Reader, Report Reader or Global Administrator role for the tenant can see the logs as per MS documentation
Thanks,
Manu
My user is a Global administrator in Azure, and I can read the logs. My problem is that events do not seem to be generated when users authenticate with the Microsoft Authenticator app.