Microsoft Office 365 Workload = Azure Active Directory - Where is documentation on the meaning of the values correlated with the field named "UserAuthenticationMethod" within the "UserLoggedIn" event type under Microsoft Office 365?

Marvin McGuire 20 Reputation points
2023-07-19T11:35:44.2266667+00:00

Below is a redacted payload I am viewing in QRadar. Within the payload is a field named "UserAuthenticationMethod" followed by a variable value. In this case it is 16. I am wondering where I can view documentation which shows what these values mean in terms of authentication? Please someone help.

{"CreationTime":"2023-07-19T10:31:42","Id":"ddd5f7e3-932c-4886-843c-1519748f1300","Operation":"UserLoggedIn","OrganizationId":"redacted","RecordType":15,"ResultStatus":"Success","UserKey":"redacted","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"redacted","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"redacted","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.86"},{"Name":"UserAuthenticationMethod","Value":"16"},{"Name":"RequestType","Value":"Login:login"}],"ModifiedProperties":[],"Actor":[{"ID":"redacted","Type":0},{"ID":"redacted","Type":5}],"ActorContextId":"a72dda32-ee80-4da8-a3ac-ec0e9e41a50a","ActorIpAddress":"62.67.251.130","InterSystemsId":"dc7088bf-5adc-448d-a3df-24f1a6a3a895","IntraSystemId":"ddd5f7e3-932c-4886-843c-1519748f1300","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"a72dda32-ee80-4da8-a3ac-ec0e9e41a50a","ApplicationId":"a93d9727-9989-48a9-ac5a-11702e33732f","DeviceProperties":[{"Name":"Id","Value":"54177c26-b44a-4c71-9f5c-7c20d2c58869"},{"Name":"DisplayName","Value":"BTA-L-PC0Z61DL"},{"Name":"OS","Value":"Windows 10"},{"Name":"BrowserType","Value":"Edge"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"TrustType","Value":"0"},{"Name":"SessionId","Value":"9e670809-f72e-4324-a408-ca94e930b13c"}],"ErrorNumber":"0"}
Microsoft Security | Microsoft Graph
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
    2023-07-19T15:27:54.29+00:00

    Some of those enum values can be found here: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-authenticationmethod---type-edmint32

    Others, you can find in the specific workload's documentation. Yet others are simply not documented publicly, so we can only guess about them...


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.