How to find out which of several authenticators was used in a sign-in?
We are using MFA with Microsoft Authenticator for user sign-ins to our tenant. Many of our users have registered more than one Microsoft Authenticator instance. Sometimes this is deliberate, in order to have a backup in case the primary smartphone is unavailable. (Which is explicitly allowed.) Sometimes it is by negligence when a smartphone is replaced, the user registers the new one but does not remove the old one. And sometimes it is through malicious intent when an AitM attacker succeeds in registering her own MS Authenticator instance via a phishing attack.
In order to get a grip on that, I would like to create a report showing which of these MS Authenticator instances are actually used for signing in, and from which location. I started with a Sentinel KQL query like this:
SigninLogs
// AuthenticationDetails is an array with one element per authentication step
| extend AuthenticationDetails = parse_json(AuthenticationDetails)
| mv-expand AuthenticationDetails
// keep only the steps satisfied by a Microsoft Authenticator push notification
| where tostring(AuthenticationDetails.authenticationMethod) == 'Mobile app notification'
| project CreatedDateTime, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails
This gives me all sign-in events where an MS Authenticator was used, showing the time, user, application accessed, and location from which the access was performed, but it lacks the information about which specific instance of MS Authenticator was used. Where is that information logged and how can I retrieve it in Sentinel?
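An added example that is not part of the original post: it extends the question's query so that successful Authenticator push sign-ins are grouped per user by the value of authenticationMethodDetail (a documented field of the AuthenticationDetails step record) together with the sign-in locations, and then keeps only users whose sign-ins show more than one distinct detail value. It assumes that authenticationMethodDetail differs between Authenticator instances in your tenant, which should be verified against a user with a known second device before the report is relied on; the 30-day lookback and the set sizes are arbitrary choices.

```kql
// Added example, not code from the original post.
// ASSUMPTION: authenticationMethodDetail carries a value that distinguishes
// one registered Microsoft Authenticator instance from another. Verify this
// on a user with a known backup device before using the report.
let lookback = 30d;
let authSteps =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    // only sign-ins that completed successfully
    | where tostring(ResultType) == "0"
    | extend Step = parse_json(AuthenticationDetails)
    | mv-expand Step
    | where tostring(Step.authenticationMethod) == 'Mobile app notification'
    | where tobool(Step.succeeded) == true
    | extend MethodDetail = tostring(Step.authenticationMethodDetail),
             Country = tostring(parse_json(LocationDetails).countryOrRegion),
             City = tostring(parse_json(LocationDetails).city);
// one row per user and per observed detail value, with where it was used from
authSteps
| summarize SignIns = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Countries = make_set(Country, 10),
            Cities = make_set(City, 10),
            IPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10)
    by UserPrincipalName, MethodDetail
// count distinct detail values per user and keep only users with more than one
| join kind=inner (
    authSteps
    | summarize InstanceCount = dcount(MethodDetail) by UserPrincipalName
  ) on UserPrincipalName
| where InstanceCount > 1
| project-away UserPrincipalName1
| order by UserPrincipalName asc, LastSeen desc
```

A detail value that is seen only from a country or IP range the user never otherwise signs in from, and that first appears shortly after a registration event, is the row to review first; a stale value whose LastSeen is long past is the candidate for cleanup.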
1 answer