How to report on authentication methods in Azure

Question

Hello, I am in the process of introducing Windows Hello for Business to my organisation, and I need to access audit log information for user sign-ins, specifically to see which authentication method was used. Azure portal sign in logs does not allow me to filter on "authentication methods", so I need to know how to pull the information fromn Powershell using AzureAD, Graph or other module.

So far I have been using the "Search-UnifiedAuditLog" cmdlet, but I cannot figure out how to query the output of "AuditData" property that is returned.

Specifically I need to query the {"UserAuthenticationMethod","Value":"<>"} value of the AuditData output, and report back on all users that have authenticated with method value "262144" - which I am led to beleive is the Windows Hello for Business method? Thanks in advance

Answer 1

Hi @Matt Pollock

The user's authentication method doesn't seem to be included in the audit log, I suggest you call the list method graph API endpoint to get how the user authenticated in Azure AD.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Answer 2

Hello there, The Get-AzureADAuditSignInLogs cmdlet gets an Azure Active Directory sign in log. https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview Azure AD PowerShell cmdlets for reporting https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-powershell-reporting Hope this resolves your Query !! --If the reply is helpful, please Upvote and Accept it as an answer--

Answer 3

Thanks all. I have managed to find what I need (for now) in the Azure portal | Azure AD | Usage and Insights | Authentication methods activity