How to be notified if a user is signing in without MFA

Sean Gurdon 1 Reputation point
2022-08-26T13:06:10.76+00:00

Is there away for me to get notified within Office365, when a user signs in without using MFA. It doesn't matter if the user is signing into their email, or through the login portal at office365.com. I want to be notified if the users is using MFA or not.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,255 questions
{count} votes

2 answers

Sort by: Most helpful
  1. JamesTran-MSFT 36,811 Reputation points Microsoft Employee
    2022-09-07T21:30:02.62+00:00

    @Sean Gurdon
    Thank you for your post and I apologize for the delayed response!

    By leveraging Azure Monitor, you should be able to Integrate with Azure AD to route your logs and events to a Log Analytics workspace. From the Log Analytics workspace, you can set up alerting to receive notifications when an Azure AD user signs in without MFA.

    238310-image.png

    From the Log Analytics workspace that you selected when setting up the integration:

    • Select Alerts
    • Create Alert Rule
    • Search for and select Custom log search

    238841-image.png

    Using the below script, you can filter for "singleFactorAuthentication" events in order to receive alerts when someone logs in without MFA. Additionally, you can add an extra where clause to filter for the AppDisplayName containing Office365 (i.e. Office365 Shell WCSS-Client).

    // Highlights sign ins with singleFactorAuthentication   
    SigninLogs  
    | where AuthenticationRequirement == "singleFactorAuthentication"  
    //| where AppDisplayName contains "Office365"  
    | project UserDisplayName, UserPrincipalName, AuthenticationDetails, AuthenticationRequirement, ConditionalAccessStatus, AppDisplayName  
    

    238700-image.png

    As you walk through setting up the Alert, you can Create an Action Group where you'll be able to Configure notifications and select the type of notification that you want to be sent (Email, SMS, Push, Voice).
    238287-image.png

    Additional Links:
    Create a new alert rule
    Analyze Azure AD activity logs with Azure Monitor logs
    Troubleshooting problems in Azure Monitor alerts

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. Mark Siguenza 20 Reputation points
    2023-07-31T02:18:15.6566667+00:00

    Hi All,

    Similar question:

    As you know, we change the display name of offboarded users to have a prefix of “zzz”. Eg.  zzz John Smith Users with this name prefix should not normally log on to O365 or Azure Services.

    Is it possible to set up an email Alert to my WMM mailbox and to our IT Mailbox to indicate when an account with this prefix successfully authenticates?

    We'd like to have it as an extra “soft” measure against unexpected logon activity.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.