![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 28.000000000000004%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOD%3C/text%3E%3C/svg%3E)
9,396 questions
Thank you for asking this question on the Microsoft Q&A Platform.
You can view the Azure AD MFA event logs in your Azure AD portal:
Blocked User HistoryAzure AD > Security > MFA > Block/unblock usersShows the history of requests to block or unblock users.Usage for on-premises componentsAzure AD > Security > MFA > Activity ReportProvides information on overall usage for MFA Server. NPS extension and AD FS logs for cloud MFA activity are now included in the Sign-in logs, and no longer published on this report.Bypassed User HistoryAzure AD > Security > MFA > One-time bypassProvides a history of MFA Server requests to bypass MFA for a user.Server statusAzure AD > Security > MFA > Server statusDisplays the status of MFA Servers associated with your account.More info: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting
To send the Azure AD log to your SIEM you'll must Stream Azure Active Directory logs to an Azure event hub
set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.
Hope this helps!
Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
NOTE: To answer you as quickly as possible, please mention me in your reply.