I need to audit user logons and logoffs on our applications that use ADFS for federation, but I cannot seem to find any information on how to manage this. Here is what I need to do: if a user logs on to one of our applications federated through ADFS, we need to log the username, application and time. The application can just point to the trust assigned to the application; we can correlate it from there.
If someone knows of a good resource on how to accomplish this, it would be greatly appreciated.
The audit configuration depends on the version of your ADFS farm.
This is a good starting point: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
I also had this question.
My result is a CSV file with all the logon and sign-out activity (and other useful stuff).
In the Event Log you can right-click on an event and choose "Attach Task to this event". This creates a special scheduled task that is only triggered when that specific event occurs. In that scheduled task, I start a VBS script that looks for the first event in the Event Log with that event number, and I write the result to a log file.
The following events are useful on ADFS: 1200, 1201, 1203, 1206, 1210
The structure of the event (XML) is the same for all the above events, so the script can be used for all 12xx events. So I make use of an argument (the number of the event) in the scheduled task that is consumed by my VBS script.
It's very useful, because I also send an email for some major problems, or when an account is locked by ADFS with Smart Lockout.
On the WAP server I did the same but for other events: 14027, 14032, 13015, 12025, 13046, 245, 396, 224
I shared my VBS code in this post (attachment: 37716-readeventlogsvbs.txt).
I took the part of my ADFS documentation about logging and attached it to this post (attachment: 37791-logging-and-alerting.pdf). PS: The VBS script is not completely finished yet. For example, in the script you'll find the log file name and location. You must first create an empty log file with the correct name D:\logging\logs\secruitylog.csv.
The scheduled task must run with a user that has specific rights. If you want, I can give you more specifications about that too (attachment: 37781-readeventlogsvbs.txt).
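The same event-triggered approach in PowerShell, as an added example that is not the poster's VBS script: the scheduled task attached to an AD FS audit event passes the event ID as an argument, and the script pulls the newest matching event and appends user, relying party and time to a CSV. It assumes the audit events are written by the provider "AD FS Auditing" in the Security log and that the event XML contains `<UserId>` and `<RelyingParty>` elements; the output path is a constructed placeholder.

```powershell
# Added example (not the original post's code). Run from the event-triggered task as:
#   powershell.exe -File Log-AdfsAuditEvent.ps1 -EventId 1200
param(
    # Event ID forwarded by the scheduled task (1200, 1201, 1203, 1206 or 1210 from the post)
    [Parameter(Mandatory)][int]$EventId,
    # Constructed placeholder path; Export-Csv creates the file with a header if it is missing
    [string]$LogPath = 'D:\logging\logs\adfs-logons.csv'
)

# Assumption: AD FS audit events live in the Security log under provider 'AD FS Auditing'.
$filter = @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = $EventId }
$event  = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop

# All AD FS 12xx audit events carry their details as an escaped XML blob inside <Data>
# elements, so one parser serves every ID the task is attached to. InnerText decodes the
# entities, giving us the raw <AuditBase> XML as a string.
$xml  = [xml]$event.ToXml()
$blob = ($xml.SelectNodes("//*[local-name()='Data']") | ForEach-Object { $_.InnerText }) -join ' '

# Return the text of the first <Name>...</Name> element, or '' when the event lacks it.
# Assumption: element names UserId and RelyingParty; check your farm's event XML and adjust.
function Get-Field([string]$Text, [string]$Name) {
    if ($Text -match "<$Name>([^<]*)</$Name>") { return $Matches[1] }
    return ''
}

$record = [pscustomobject]@{
    Time         = $event.TimeCreated.ToString('o')   # ISO 8601, sortable and timezone-aware
    EventId      = $event.Id
    Server       = $event.MachineName
    User         = Get-Field $blob 'UserId'
    RelyingParty = Get-Field $blob 'RelyingParty'      # the trust the application points at
}

# Append one row per triggered event; -Append keeps the existing header on subsequent runs.
$record | Export-Csv -Path $LogPath -Append -NoTypeInformation -Encoding UTF8
```

As the post notes, the task account needs read access to the Security log (for example membership in Event Log Readers) and write access to the CSV directory.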