Identity Third Party MFA Failures
Query
//Retrieve sign in failures due to third party MFA (Okta/Duo etc). Azure AD handles third party MFA different to native MS MFA. A user is sent to the third party MFA service and generates code 50158.
//If successful the user then generates a success code 0. When third party MFA fails Azure AD logs the 50158 result code but no corresponding 0 result code.
//Data connector required for this query - Azure Active Directory - Signin Logs
//Microsoft Sentinel query
SigninLogs
//Create a list of all result codes within a single sign in to Azure AD
| summarize MFA=make_list(ResultType) by CorrelationId
//Find correlation ids where the user was sent to third party MFA (ResultType 50158) but there is no subsequent success (ResultType 0)
| where MFA has "50158" and MFA !has "0"
//Join back to SigninLogs table to find the sign in details
| join kind=inner (SigninLogs) on CorrelationId
| project
TimeGenerated,
UserPrincipalName,
UserType,
AppDisplayName,
IPAddress,
Location,
UserAgent,
ResultType
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting with Azure AD P2 License
AADSignInEventsBeta
//Create a list of all result codes within a single sign in to Azure AD
| summarize MFA=make_list(ErrorCode) by CorrelationId
//Find correlation ids where the user was sent to third party MFA (ResultType 50158) but there is no subsequent success (ResultType 0)
| where MFA has "50158" and MFA !has "0"
//Join back to SigninLogs table to find the sign in details
| join kind=inner (AADSignInEventsBeta) on CorrelationId
| project
Timestamp,
AccountUpn,
IsGuestUser,
Application,
IPAddress,
Country,
UserAgent,
ErrorCodeExplanation
This query is designed to identify sign-in failures related to third-party Multi-Factor Authentication (MFA) services like Okta or Duo in Azure Active Directory (Azure AD). Here's a simple breakdown of what the query does:
-
Data Source: It uses sign-in logs from Azure Active Directory, specifically focusing on events where third-party MFA is involved.
-
MFA Result Codes: When a user attempts to sign in using third-party MFA, Azure AD logs a specific result code,
50158, indicating the user was sent to the third-party MFA service. A successful authentication would also log a result code0. -
Identifying Failures: The query looks for instances where the
50158code is present, but there is no corresponding0code. This indicates that the third-party MFA process failed, as the success code0was never logged. -
Data Retrieval: It retrieves detailed information about these failed sign-in attempts, including the time of the attempt, user details, application accessed, IP address, location, and user agent.
-
Two Versions: The query is written in two versions:
- Microsoft Sentinel Query: Uses the
SigninLogstable. - Advanced Hunting Query: Uses the
AADSignInEventsBetatable, which requires an Azure AD P2 License.
- Microsoft Sentinel Query: Uses the
In summary, this query helps identify and analyze failed sign-in attempts due to third-party MFA issues by checking for specific result codes in Azure AD logs.
Details

Matt Zorich
Released: June 17, 2022
Tables
Keywords
Operators