How to report on authentication methods in Azure

Matt Pollock 246 Reputation points
2023-04-20T13:41:02.14+00:00

Hello, I am in the process of introducing Windows Hello for Business to my organisation, and I need to access audit log information for user sign-ins, specifically to see which authentication method was used. Azure portal sign-in logs do not allow me to filter on "authentication methods", so I need to know how to pull the information from PowerShell using AzureAD, Graph or other module.

So far I have been using the "Search-UnifiedAuditLog" cmdlet, but I cannot figure out how to query the output of "AuditData" property that is returned.

Specifically I need to query the {"UserAuthenticationMethod","Value":"<>"} value of the AuditData output, and report back on all users that have authenticated with method value "262144" - which I am led to believe is the Windows Hello for Business method? Thanks in advance


3 answers

  1. CarlZhao-MSFT 37,786 Reputation points
    2023-04-21T10:23:20.03+00:00

    Hi @Matt Pollock

    The user's authentication method doesn't seem to be included in the audit log. I suggest you call the list method Graph API endpoint to get how the user authenticated in Azure AD.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Limitless Technology 44,011 Reputation points
    2023-04-21T11:49:41.01+00:00

    Hello there,

    The Get-AzureADAuditSignInLogs cmdlet gets an Azure Active Directory sign in log. https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview

    Azure AD PowerShell cmdlets for reporting https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-powershell-reporting

    Hope this resolves your query!!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  3. Matt Pollock 246 Reputation points
    2023-04-26T18:24:27.3233333+00:00

    Thanks all. I have managed to find what I need (for now) in the Azure portal | Azure AD | Usage and Insights | Authentication methods activity

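For the approach described in the question, here is an added PowerShell example (not code from any poster in this thread) that parses the AuditData JSON returned by Search-UnifiedAuditLog and reports the records whose UserAuthenticationMethod value is 262144. It assumes the name/value pair sits in an ExtendedProperties array inside AuditData; the function name Get-SignInByAuthMethod and the sample records are constructed for illustration.

```powershell
# Added example. Assumption: AuditData is a JSON string whose ExtendedProperties
# array holds Name/Value pairs, one of them named UserAuthenticationMethod.
function Get-SignInByAuthMethod {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,

        # Value to match, compared as a string (262144 is the value from the question).
        [string]$MethodValue = '262144'
    )
    process {
        try {
            $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            # A malformed record should not abort the whole report.
            Write-Warning "Skipping record with unparseable AuditData: $($_.Exception.Message)"
            return
        }
        $method = $data.ExtendedProperties |
            Where-Object { $_.Name -eq 'UserAuthenticationMethod' } |
            Select-Object -First 1
        if ($null -ne $method -and [string]$method.Value -eq $MethodValue) {
            [pscustomobject]@{
                CreationTime = $data.CreationTime
                UserId       = $data.UserId
                Operation    = $data.Operation
                AuthMethod   = $method.Value
                ClientIP     = $data.ClientIP
            }
        }
    }
}

# Constructed sample records (not real log data): one match, one other method,
# one record without the property, one with broken JSON.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-04-20T09:00:00","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"262144"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-04-20T09:05:00","Operation":"UserLoggedIn","UserId":"bob@contoso.example","ClientIP":"203.0.113.11","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"1"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-04-20T09:10:00","Operation":"UserLoggedIn","UserId":"carol@contoso.example","ClientIP":"203.0.113.12"}' }
    [pscustomobject]@{ AuditData = '{not json' }
)

# Sign-in count per user for the matching method (here: alice, 1).
$sample | Get-SignInByAuthMethod | Group-Object UserId | Select-Object Name, Count

# Live use, from an Exchange Online PowerShell session:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations UserLoggedIn -ResultSize 5000 | Get-SignInByAuthMethod
```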