How to find out which of several authenticators was used in a sign-in?

Question

How to find out which of several authenticators was used in a sign-in?

Tilman Schmidt 120

We are using MFA with Microsoft Authenticator for user sign-ins to our tenant. Many of our users have registered more than one Microsoft Authenticator instance. Sometimes this is deliberate, in order to have a backup in case the primary smartphone is unavailable. (Which is explicitly allowed.) Sometimes it is by negligence when a smartphone is replaced, the user registers the new one but does not remove the old one. And sometimes it is through malicious intent when an AitM attacker succeeds in registering her own MS Authenticator instance via a phishing attack.

In order to get a grip on that, I would like to create a report showing which of these MS Authenticator instances are actually used for signing in, and from which location. I started with a Sentinel KQL query like this:

SigninLogs

| extend AuthenticationDetails = parse_json(AuthenticationDetails)

| mv-expand AuthenticationDetails

| where parse_json(AuthenticationDetails)["authenticationMethod"] == 'Mobile app notification'

| project CreatedDateTime, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails

This gives me all sign-in events where an MS Authenticator was used, showing the time, user, application accessed, and location from which the access was performed, but lacks the information which specific instance of MS Authenticator was used. Where is that information logged and how can I retrieve it in Sentinel?

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-01-14T20:33:00.8033333+00:00
Hi @Tilman Schmidt , please try this query and let me know your results:

SigninLogs | extend AuthenticationDetails = parse_json(AuthenticationDetails) | mv-expand AuthenticationDetails | where parse_json(AuthenticationDetails)["authenticationMethod"] == 'Mobile app notification' | project CreatedDateTime, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AuthenticationDetails

This will provide you with the AuthenticationDetails field, which includes metadata about the specific instance of the Microsoft Authenticator used. You can then parse this field to extract the relevant information.

Aside from KQL, have you taken a look at sign-in logs?
Tilman Schmidt 120 Reputation points

2025-01-15T10:53:17.68+00:00
Hi @James Hamil ,

thanks for your reply and suggestions.

This is what an example result of the query with AuthenticationDetails included in the project clause looks like:

CreatedDateTime,UserPrincipalName,AppDisplayName,ResultType,ResultDescription,IPAddress,LocationDetails,AuthenticationDetails 15 Jan 2025 10:07:41,******@xxxxx.de,Microsoft Office,50074,Strong Authentication is required.,xxx.xxx.xxx.xxx,"{""city"":""xxxxx"",""state"":""xxxxx"",""countryOrRegion"":""xx"",""geoCoordinates"":{""latitude"":xx.xxxxxx,""longitude"":xx.xxxxxx}}","{""authenticationStepDateTime"":""2025-01-15T09:07:49.0000000Z"",""authenticationMethod"":""Mobile app notification"",""succeeded"":false,""authenticationStepResultDetail"":""Authentication in progress"",""authenticationStepRequirement"":""Primary authentication"",""StatusSequence"":1736932069083,""RequestSequence"":1736932061906}"

Which of the AuthenticationDetails fields should I use to identify the Authenticator?

I did look into the sign-in logs in Entra admin center but could not find anything identifying the specific Authenticator instance.

For Authenticator events:

The "Basic info" tab lists a total of nine IDs in UUID format, but none of them looks as if it might refer to the Authenticator instance.

The "Device info" tab only mentions the Windows PC, nothing on the Authenticator device.

The "Authentication Details" tab shows:
Authentication method: Mobile app notification
Authentication method detail: (empty)
Succeded: true
Result detail: MFA successfully completed
Requirement: (empty)

The "Authentication Events" tab says: "No authentication events were triggered as part of the authentication."

The "Additional Details" tab says just: "Login hint present True".
Tilman Schmidt 120 Reputation points

2025-01-15T11:18:07.1333333+00:00

I used a bad sample from the query result.

Here's a better one:

CreatedDateTime,UserPrincipalName,AppDisplayName,ResultType,ResultDescription,IPAddress,LocationDetails,AuthenticationDetails

15 Jan 2025 11:36:05,******@xxx.de,Outlook Mobile,0,,xxx.xxx.xxx.xxx,"{""city"":""xxx"",""state"":""xxx"",""countryOrRegion"":""xx"",""geoCoordinates"":{""latitude"":xx.xxxxxxxxxxxxxxx,""longitude"":xx.xxxxxxxxxxxxxxx}}","{""authenticationStepDateTime"":""2025-01-15T10:36:05.0000000Z"",""authenticationMethod"":""Mobile app notification"",""succeeded"":true,""authenticationStepResultDetail"":""MFA successfully completed"",""authenticationStepRequirement"":""Primary authentication"",""StatusSequence"":1736937365352,""RequestSequence"":1736937340405}"

(I tried to edit it into my first comment but the forum threw an error when I clicked on "Edit".)
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-01-15T22:31:29.64+00:00

Hi @Tilman Schmidt , it looks like your replies are deleted. Was this intentional?
Tilman Schmidt 120 Reputation points

2025-01-16T16:53:22.88+00:00

Sorry @James Hamil , I was robo-suspended by the forum system. No idea why. It seems to be fixed now and you should be able to see my replies again.

Thanks, Tilman
Tilman Schmidt 120 Reputation points

2025-01-27T07:48:47.6733333+00:00

Hi @James Hamil ,

were you able to see anything useful in the log entries I posted?

Thanks, Tilman
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-01-28T00:28:33.8033333+00:00

Hi @Tilman Schmidt , sorry for the delay. I've been trying to get some more answers for you so I reached out to the product group. All signs unfortunately point to this not being possible at the moment, but I'm trying to find a solution. I'll let you know as soon as I can!

Best,

James
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-02-04T23:36:25.2333333+00:00

Hi @Tilman Schmidt , I sent you a private message.

2 answers

Your answer

James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-01-14T20:33:00.8033333+00:00

Hi @Tilman Schmidt , please try this query and let me know your results:

SigninLogs | extend AuthenticationDetails = parse_json(AuthenticationDetails) | mv-expand AuthenticationDetails | where parse_json(AuthenticationDetails)["authenticationMethod"] == 'Mobile app notification' | project CreatedDateTime, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AuthenticationDetails

This will provide you with the AuthenticationDetails field, which includes metadata about the specific instance of the Microsoft Authenticator used. You can then parse this field to extract the relevant information.

Aside from KQL, have you taken a look at sign-in logs?
Tilman Schmidt 120 Reputation points

2025-01-15T10:53:17.68+00:00

Hi @James Hamil ,

thanks for your reply and suggestions.

This is what an example result of the query with AuthenticationDetails included in the project clause looks like:

CreatedDateTime,UserPrincipalName,AppDisplayName,ResultType,ResultDescription,IPAddress,LocationDetails,AuthenticationDetails 15 Jan 2025 10:07:41,******@xxxxx.de,Microsoft Office,50074,Strong Authentication is required.,xxx.xxx.xxx.xxx,"{""city"":""xxxxx"",""state"":""xxxxx"",""countryOrRegion"":""xx"",""geoCoordinates"":{""latitude"":xx.xxxxxx,""longitude"":xx.xxxxxx}}","{""authenticationStepDateTime"":""2025-01-15T09:07:49.0000000Z"",""authenticationMethod"":""Mobile app notification"",""succeeded"":false,""authenticationStepResultDetail"":""Authentication in progress"",""authenticationStepRequirement"":""Primary authentication"",""StatusSequence"":1736932069083,""RequestSequence"":1736932061906}"

Which of the AuthenticationDetails fields should I use to identify the Authenticator?

I did look into the sign-in logs in Entra admin center but could not find anything identifying the specific Authenticator instance.

For Authenticator events:

The "Basic info" tab lists a total of nine IDs in UUID format, but none of them looks as if it might refer to the Authenticator instance.

The "Device info" tab only mentions the Windows PC, nothing on the Authenticator device.

The "Authentication Details" tab shows:
Authentication method: Mobile app notification
Authentication method detail: (empty)
Succeded: true
Result detail: MFA successfully completed
Requirement: (empty)

The "Authentication Events" tab says: "No authentication events were triggered as part of the authentication."

The "Additional Details" tab says just: "Login hint present True".
Tilman Schmidt 120 Reputation points

2025-01-15T11:18:07.1333333+00:00

I used a bad sample from the query result.

Here's a better one:

CreatedDateTime,UserPrincipalName,AppDisplayName,ResultType,ResultDescription,IPAddress,LocationDetails,AuthenticationDetails

15 Jan 2025 11:36:05,******@xxx.de,Outlook Mobile,0,,xxx.xxx.xxx.xxx,"{""city"":""xxx"",""state"":""xxx"",""countryOrRegion"":""xx"",""geoCoordinates"":{""latitude"":xx.xxxxxxxxxxxxxxx,""longitude"":xx.xxxxxxxxxxxxxxx}}","{""authenticationStepDateTime"":""2025-01-15T10:36:05.0000000Z"",""authenticationMethod"":""Mobile app notification"",""succeeded"":true,""authenticationStepResultDetail"":""MFA successfully completed"",""authenticationStepRequirement"":""Primary authentication"",""StatusSequence"":1736937365352,""RequestSequence"":1736937340405}"

(I tried to edit it into my first comment but the forum threw an error when I clicked on "Edit".)
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-01-15T22:31:29.64+00:00

Hi @Tilman Schmidt , it looks like your replies are deleted. Was this intentional?
Tilman Schmidt 120 Reputation points

2025-01-16T16:53:22.88+00:00

Sorry @James Hamil , I was robo-suspended by the forum system. No idea why. It seems to be fixed now and you should be able to see my replies again.

Thanks, Tilman
Tilman Schmidt 120 Reputation points

2025-01-27T07:48:47.6733333+00:00

Hi @James Hamil ,

were you able to see anything useful in the log entries I posted?

Thanks, Tilman
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-01-28T00:28:33.8033333+00:00

Hi @Tilman Schmidt , sorry for the delay. I've been trying to get some more answers for you so I reached out to the product group. All signs unfortunately point to this not being possible at the moment, but I'm trying to find a solution. I'll let you know as soon as I can!

Best,

James
James Hamil 27,221 Reputation points Microsoft Employee Moderator

2025-02-04T23:36:25.2333333+00:00

Hi @Tilman Schmidt , I sent you a private message.

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 deleted comment

Comments have been turned off. Learn more

Answer 2

This is what I found out - corrections welcome:

The information is logged internally, but not directly accessible to us as a customer.
The Authentication methods tab of Microsoft Entra admin center User pages lists the user's registered Microsoft Authenticator instances but offers no way to get the time of last use of the listed instances. There is no way to distinguish between entries in the list that have the same Display name and Phone application version or to find out which of them refers to the instance presently installed on a specific phone or used in a specific authentication event.
The Sign-in log records whether Microsoft Authenticator was used for a sign-in but does not contain any information that references the specific Authenticator instance used.
Internally, Entra keeps a user attribute named "StrongAuthenticationPhoneAppDetail" which contains the list of Authentication methods but which much more detail than what it displays on the user page. Most notably, it contains an "Id" field and a field "LastAuthenticatedTimestamp" showing the last time this Authentication method was used.
There doesn't seem to be a direct way to query a user's "StrongAuthenticationPhoneAppDetail" attribute, but its current and previous value are disclosed through an Update user event in the Audit log each time the user actually uses one of the methods.

So my current solution is the KQL query:

AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == @"Update user"
| where parse_json(InitiatedBy)["app"]["displayName"] == "Azure MFA StrongAuthenticationService"
| extend TargetResources = parse_json(TargetResources)
| mv-expand TargetResources
| extend userPrincipalName = TargetResources["userPrincipalName"], modifiedProperties = TargetResources["modifiedProperties"]
| summarize arg_max(TimeGenerated, *) by tostring(userPrincipalName)
| mv-expand modifiedProperties
| where parse_json(modifiedProperties)["displayName"] == 'StrongAuthenticationPhoneAppDetail'
| extend newValue =  tostring(parse_json(modifiedProperties)["newValue"])
| mv-expand newValue = parse_json(newValue)
| extend DeviceName = parse_json(newValue)["DeviceName"], AppVersion = parse_json(newValue)["PhoneAppVersion"], LastAuthenticatedTimestamp = parse_json(newValue)["LastAuthenticatedTimestamp"]
| project TimeGenerated, UPN = tolower(userPrincipalName), DeviceName, AppVersion, LastUse = tostring(LastAuthenticatedTimestamp)
| order by UPN asc, LastUse desc

This gives me a partially outdated and incomplete list of Authenticators for each user with date of last use. The TimeGenerated column tells me how outdated each line is. It is missing those users who didn't do any MFA within the last 90 days.

For the Authenticators which haven't been used for a long time (say, more than a year) I then open the user's Authentication methods tab in the Entra admin center and try to identify it in the list. If I don't find it I assume it has been removed since the entry's TimeGenerated. If I find more than one entry with the same name and app version, I come back after a month or so, hoping that the instance in active use has received an update so that I can then distinguish it by its app version.

Hope it helps someone.

Share via

How to find out which of several authenticators was used in a sign-in?

2 answers

Your answer