Use the sign-ins report to review Azure AD Multi-Factor Authentication events

To review and understand Azure AD Multi-Factor Authentication events, you can use the Azure Active Directory (Azure AD) sign-ins report. This report shows authentication details for events when a user is prompted for multi-factor authentication, and if any Conditional Access policies were in use. For detailed information on the sign-ins report, see the overview of sign-in activity reports in Azure AD.

This article shows you how to view the Azure AD sign-ins report in the Azure portal, and then the MSOnline V1 PowerShell module.

View the Azure AD sign-ins report

The sign-ins report provides you with information about the usage of managed applications and user sign-in activities, which includes information about multi-factor authentication (MFA) usage. The MFA data gives you insights into how MFA is working in your organization. It lets you answer questions like the following:

  • Was the sign-in challenged with MFA?
  • How did the user complete MFA?
  • Which authentication methods were used during a sign-in?
  • Why was the user unable to complete MFA?
  • How many users are challenged for MFA?
  • How many users are unable to complete the MFA challenge?
  • What are the common MFA issues end users are running into?

To view the sign-in activity report in the Azure portal, complete the following steps. You can also query data using the reporting API.

  1. Sign in to the Azure portal using an account with global administrator permissions.

  2. Search for and select Azure Active Directory, then choose Users from the menu on the left-hand side.

  3. Under Activity from the menu on the left-hand side, select Sign-ins.

  4. A list of sign-in events is shown, including the status. You can select an event to view more details.

    The Authentication Details or Conditional Access tab of the event details shows you the status code or which policy triggered the MFA prompt.

    Screenshot of example Azure Active Directory sign-ins report in the Azure portal

If available, the authentication method is shown, such as text message, Microsoft Authenticator app notification, or phone call.

The Authentication Details tab provides the following information, for each authentication attempt:

  • A list of authentication policies applied (such as Conditional Access, per-user MFA, Security Defaults)
  • The sequence of authentication methods used to sign in
  • Whether or not the authentication attempt was successful
  • Detail about why the authentication attempt succeeded or failed

This information allows admins to troubleshoot each step in a user’s sign-in, and track:

  • Volume of sign-ins protected by multi-factor authentication
  • Usage and success rates for each authentication method
  • Usage of passwordless authentication methods (such as Passwordless Phone Sign-in, FIDO2, and Windows Hello for Business)
  • How frequently authentication requirements are satisfied by token claims (where users are not interactively prompted to enter a password, enter an SMS OTP, and so on)

While viewing the sign-ins report, select the Authentication Details tab:

Screenshot of the Authentication Details tab

Note

OATH verification code is logged as the authentication method for both OATH hardware and software tokens (such as the Microsoft Authenticator app).

Important

The Authentication Details tab can initially show incomplete or inaccurate data, until log information is fully aggregated. Known examples include:

  • A satisfied by claim in the token message is incorrectly displayed when sign-in events are initially logged.
  • The Primary authentication row is not initially logged.

The Authentication Details window for a sign-in event shows whether the MFA request was satisfied or denied, using the following result values:

  • If MFA was satisfied, the result column gives more information about how it was satisfied:

    • completed in the cloud
    • has expired due to the policies configured on tenant
    • registration prompted
    • satisfied by claim in the token
    • satisfied by claim provided by external provider
    • satisfied by strong authentication
    • skipped as flow exercised was Windows broker logon flow
    • skipped due to app password
    • skipped due to location
    • skipped due to registered device
    • skipped due to remembered device
    • successfully completed
  • If MFA was denied, the result column gives the reason for the denial:

    • authentication in-progress
    • duplicate authentication attempt
    • entered incorrect code too many times
    • invalid authentication
    • invalid mobile app verification code
    • misconfiguration
    • phone call went to voicemail
    • phone number has an invalid format
    • service error
    • unable to reach the user's phone
    • unable to send the mobile app notification to the device
    • unable to send the mobile app notification
    • user declined the authentication
    • user did not respond to mobile app notification
    • user does not have any verification methods registered
    • user entered incorrect code
    • user entered incorrect PIN
    • user hung up the phone call without succeeding the authentication
    • user is blocked
    • user never entered the verification code
    • user not found
    • verification code already used once
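The satisfied and denied result strings above become useful once they are counted across many sign-in events rather than read one event at a time. The following PowerShell is an added example, not code from the Microsoft article: it takes sign-in records (a constructed sample is embedded so it runs offline; the result strings are the ones listed above) and tallies MFA steps by outcome and reason. The record shape, an authenticationDetails array with authenticationMethod, authenticationStepResultDetail and succeeded fields, is an assumption modelled on the sign-in log export; adapt the property names to whatever your portal CSV or reporting API export produces.

```powershell
# Added example, not part of the Microsoft article: tally MFA outcomes across sign-in events.
# Assumption: each record carries an authenticationDetails array with authenticationMethod,
# authenticationStepResultDetail and succeeded fields, modelled on the sign-in log export.

# Constructed sample sign-ins; the result strings are those listed in the article.
$SampleSignIns = @(
    [pscustomobject]@{
        userPrincipalName     = 'alice@contoso.example'
        authenticationDetails = @(
            [pscustomobject]@{ authenticationMethod = 'Password'; authenticationStepResultDetail = 'Correct password'; succeeded = $true },
            [pscustomobject]@{ authenticationMethod = 'Mobile app notification'; authenticationStepResultDetail = 'successfully completed'; succeeded = $true }
        )
    },
    [pscustomobject]@{
        userPrincipalName     = 'bob@contoso.example'
        authenticationDetails = @(
            [pscustomobject]@{ authenticationMethod = 'Password'; authenticationStepResultDetail = 'Correct password'; succeeded = $true },
            [pscustomobject]@{ authenticationMethod = 'Mobile app notification'; authenticationStepResultDetail = 'user did not respond to mobile app notification'; succeeded = $false }
        )
    },
    [pscustomobject]@{
        userPrincipalName     = 'bob@contoso.example'
        authenticationDetails = @(
            [pscustomobject]@{ authenticationMethod = 'Password'; authenticationStepResultDetail = 'Correct password'; succeeded = $true },
            [pscustomobject]@{ authenticationMethod = 'Mobile app notification'; authenticationStepResultDetail = 'user declined the authentication'; succeeded = $false }
        )
    },
    [pscustomobject]@{
        userPrincipalName     = 'carol@contoso.example'
        authenticationDetails = @(
            [pscustomobject]@{ authenticationMethod = 'Previously satisfied'; authenticationStepResultDetail = 'satisfied by claim in the token'; succeeded = $true }
        )
    }
)

function Get-MfaOutcomeSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $SignIn)
    begin { $steps = [System.Collections.Generic.List[object]]::new() }
    process {
        foreach ($step in $SignIn.authenticationDetails) {
            # The Password row is primary authentication; the remaining rows are the MFA steps.
            if ($step.authenticationMethod -eq 'Password') { continue }
            $steps.Add([pscustomobject]@{
                User      = $SignIn.userPrincipalName
                Method    = $step.authenticationMethod
                Result    = $step.authenticationStepResultDetail
                Succeeded = [bool]$step.succeeded
            })
        }
    }
    end {
        $denied = @($steps | Where-Object { -not $_.Succeeded })
        [pscustomobject]@{
            MfaSteps       = $steps.Count
            Satisfied      = $steps.Count - $denied.Count
            Denied         = $denied.Count
            DeniedByReason = $denied | Group-Object Result | Select-Object Name, Count
            # Accounts with repeated 'user declined' / 'did not respond' results are worth a closer look.
            RepeatDenials  = $denied | Group-Object User | Where-Object Count -ge 2 | Select-Object Name, Count
            # Steps satisfied by a token claim, i.e. no interactive prompt was shown.
            ClaimSatisfied = @($steps | Where-Object { $_.Result -like 'satisfied by claim*' }).Count
        }
    }
}

$SampleSignIns | Get-MfaOutcomeSummary | Format-List
```

With the constructed sample this reports four MFA steps, two satisfied (one of them by a token claim) and two denied, both for the same account, which surfaces in RepeatDenials. Excluding the Password row matters because, as the Important note above says, the primary authentication row is not always logged initially; counting only non-password rows keeps the MFA totals stable either way.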

PowerShell reporting on users registered for MFA

First, ensure that you have the MSOnline V1 PowerShell module installed.

Identify users who have registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD:

Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -gt 0 -and $_.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName

Identify users who have not registered for MFA using the PowerShell that follows. This set of commands excludes disabled users since these accounts cannot authenticate against Azure AD:

Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0 -and $_.BlockCredential -eq $False} | Select-Object -Property UserPrincipalName

Identify users and output methods registered:

Get-MsolUser -All | Select-Object `
    @{N='UserPrincipalName';E={$_.UserPrincipalName}},
    @{N='MFA Status';E={if ($_.StrongAuthenticationRequirements.State){$_.StrongAuthenticationRequirements.State} else {"Disabled"}}},
    @{N='MFA Methods';E={$_.StrongAuthenticationMethods.MethodType -join ','}} |
    Export-Csv -Path c:\MFA_Report.csv -NoTypeInformation

The MFA Methods column is joined into a single comma-separated string; without the -join, users with more than one registered method are written to the CSV as System.Object[] instead of the method names.
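The three commands above each answer one question. The following PowerShell is an added example, not code from the Microsoft article: one pipeline-friendly function that applies the same exclusion of blocked accounts and returns the per-user report together with the counts a reviewer usually wants (enabled users, registered, not registered, enforced-but-unregistered, and how often each method type is registered). It assumes MSOnline user objects with UserPrincipalName, BlockCredential, StrongAuthenticationRequirements and StrongAuthenticationMethods (MethodType) properties; a constructed sample set is embedded so it runs offline, and for a live run you pipe Get-MsolUser -All into it instead.

```powershell
# Added example, not from the Microsoft article: summarise MFA registration for enabled users.
# Assumes MSOnline user objects; for a live run use: Get-MsolUser -All | Get-MfaRegistrationSummary

function Get-MfaRegistrationSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process {
        # Blocked accounts cannot authenticate against Azure AD, so exclude them as the article's commands do.
        if ($User.BlockCredential) { return }
        $methods = @($User.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $state = $User.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Disabled' }   # no per-user MFA requirement set
        $rows.Add([pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            Registered        = ($methods.Count -gt 0)
            Methods           = ($methods -join ',')   # joined so Export-Csv shows names, not System.Object[]
        })
    }
    end {
        $unregistered = @($rows | Where-Object { -not $_.Registered })
        [pscustomobject]@{
            EnabledUsers         = $rows.Count
            Registered           = $rows.Count - $unregistered.Count
            NotRegistered        = $unregistered.Count
            NotRegisteredUsers   = @($unregistered.UserPrincipalName)
            # Enforced users with no method registered will be asked to register at their next sign-in.
            EnforcedUnregistered = @($unregistered | Where-Object MfaState -eq 'Enforced').Count
            MethodUsage          = $rows | ForEach-Object { $_.Methods -split ',' } | Where-Object { $_ } | Group-Object | Select-Object Name, Count
            PerUser              = $rows
        }
    }
}

# Constructed sample users shaped like Get-MsolUser output (MethodType values are real MSOnline names).
$SampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppNotification' }, [pscustomobject]@{ MethodType = 'OneWaySMS' }) },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @() },
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @([pscustomobject]@{ MethodType = 'PhoneAppOTP' }) },
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example'; BlockCredential = $true
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() }
)

$summary = $SampleUsers | Get-MfaRegistrationSummary
$summary | Select-Object EnabledUsers, Registered, NotRegistered, EnforcedUnregistered, NotRegisteredUsers | Format-List
$summary.MethodUsage | Format-Table -AutoSize
$summary.PerUser | Export-Csv -Path .\MFA_Report.csv -NoTypeInformation
```

With the sample data the summary shows three enabled users (dave is blocked and dropped), two registered, one not registered (bob), and that the unregistered user is in the Enforced state. The per-user rows are the same columns as the article's CSV export, so the function can replace the one-liner in a scheduled report without changing its consumers.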

Additional MFA reports

The following additional information and reports are available for MFA events, including those for MFA Server:

Report                           | Location                                        | Description
Blocked User History             | Azure AD > Security > MFA > Block/unblock users | Shows the history of requests to block or unblock users.
Usage for on-premises components | Azure AD > Security > MFA > Activity Report     | Provides information on overall usage for MFA Server through the NPS extension, ADFS, and MFA Server.
Bypassed User History            | Azure AD > Security > MFA > One-time bypass     | Provides a history of MFA Server requests to bypass MFA for a user.
Server status                    | Azure AD > Security > MFA > Server status       | Displays the status of MFA Servers associated with your account.

Next steps

This article provided an overview of the sign-ins activity report. For more detailed information on what this report contains, see sign-in activity reports in Azure AD.