@Sean Gurdon
Thank you for your post and I apologize for the delayed response!
By leveraging Azure Monitor, you should be able to Integrate with Azure AD to route your logs and events to a Log Analytics workspace. From the Log Analytics workspace, you can set up alerting to receive notifications when an Azure AD user signs in without MFA.
From the Log Analytics workspace that you selected when setting up the integration:
- Select Alerts
- Create Alert Rule
- Search for and select Custom log search
Using the below script, you can filter for "singleFactorAuthentication" events in order to receive alerts when someone logs in without MFA. Additionally, you can add an extra where clause to filter for the AppDisplayName containing Office365 (i.e. Office365 Shell WCSS-Client).
```kusto
// Highlights sign ins with singleFactorAuthentication
SigninLogs
| where AuthenticationRequirement == "singleFactorAuthentication"
//| where AppDisplayName contains "Office365"
| project UserDisplayName, UserPrincipalName, AuthenticationDetails, AuthenticationRequirement, ConditionalAccessStatus, AppDisplayName
```
As you walk through setting up the Alert, you can Create an Action Group where you'll be able to Configure notifications and select the type of notification that you want to be sent (Email, SMS, Push, Voice).
Additional Links:
- Create a new alert rule
- Analyze Azure AD activity logs with Azure Monitor logs
- Troubleshooting problems in Azure Monitor alerts
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
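An alert-oriented variant of the query in the answer above, added here as an example and not part of the original post: it keeps only successful sign-ins (`ResultType == "0"`) and groups them per user, so each alert names the accounts, apps and source IPs involved. The 15-minute window and the `make_set` size limits are assumptions to adjust.

```kusto
// Added example (not from the original answer).
// Assumption: 15-minute lookback; the alert rule's own time range also applies.
let window = 15m;
SigninLogs
| where TimeGenerated > ago(window)
// ResultType is a string in SigninLogs; "0" marks a successful sign-in,
// so failed single-factor attempts do not raise the alert.
| where ResultType == "0"
| where AuthenticationRequirement == "singleFactorAuthentication"
// Optional app filter from the answer above:
// | where AppDisplayName contains "Office365"
| summarize
    SignInCount = count(),
    Apps        = make_set(AppDisplayName, 20),
    SourceIPs   = make_set(IPAddress, 20),
    CAStatuses  = make_set(ConditionalAccessStatus),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by UserPrincipalName, UserDisplayName
| order by SignInCount desc
```

With this shape, the alert condition can fire when the number of result rows is greater than 0, giving one row per user who signed in without MFA during the window.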