ADFS - possibility to determine to which application user has logged in

Spenserq 1 Reputation point


In our environment we use ADFS for authentication to various applications and we would like to have report about how many users logged in through ADFS to specific application.

On basic logging level I was able to find only events 4624 and 4648 about that ADFS service account logon on User account.

On verbose logging level I can see events like 1200 or 1202 where we have information about user ID, but there is still no information to which application user login. There is also IP address, but in our case it is address of load balancer.

Is there any option to determine for which application user login through ADFS?

Thanks, for any help

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,030 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,091 Reputation points Microsoft Employee

    This is an example of the event 1200:

    The Federation Service issued a valid token. See XML for details. 
    Activity ID: 9d4acd9f-c9ee-495e-0e00-0080000000d5 
    Additional Data 
    XML: <?xml version="1.0" encoding="utf-16"?>
    <AuditBase xmlns:xsd="" xmlns:xsi="" xsi:type="AppTokenAudit">
        <Component xsi:type="ResourceAuditComponent">
          <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
        <Component xsi:type="AuthNAuditComponent">
        <Component xsi:type="ProtocolAuditComponent">
        <Component xsi:type="RequestAuditComponent">
          <ForwardedIpAddress />
          <UserAgentString>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E)</UserAgentString>

    You an see there is a relying trust section "<RelyingParty>urn:microsoft:adfs:claimsxray</RelyingParty>". Don't you have it in your events?

    For the load balancer IP, it depends on your implementation. Do you use WAP servers? Are your load balancer doing NAT?

    0 comments No comments

  2. Spenserq 1 Reputation point

    Hello @Pierre Audonnet - MSFT ,

    Thanks for your quick answer.

    Yes we use WAP servers, but for question about doing NAT on load balancers I don't know answer.
    I quickly check logs and in <RelyingParty> I can find only 2 values:

    • urn:federation:MicrosoftOnline

    So unfortunately this is not what I'm looking for, because I can't determine if user authenticated to application ABC or DEF.
    Do you have any other idea how I could solve that problem?

    0 comments No comments

  3. Pierre Audonnet - MSFT 10,091 Reputation points Microsoft Employee


    are the identifiers of the relying parties. This is the information you are looking for (maybe not the format you want). You can see the identifiers from the ADFS admin console or in PowerShell in the output of Get-ADFSRelyingPartyTrust.

    0 comments No comments