Query Details

Identity Third Party MFA Failures

Query

//Retrieve sign in failures due to third party MFA (Okta/Duo etc). Azure AD handles third party MFA different to native MS MFA. A user is sent to the third party MFA service and generates code 50158.
//If successful the user then generates a success code 0. When third party MFA fails Azure AD logs the 50158 result code but no corresponding 0 result code.

//Data connector required for this query - Azure Active Directory - Signin Logs

//Microsoft Sentinel query
SigninLogs
//Create a list of all result codes within a single sign in to Azure AD
| summarize MFA=make_list(ResultType) by CorrelationId
//Find correlation ids where the user was sent to third party MFA (ResultType 50158) but there is no subsequent success (ResultType 0)
| where MFA has "50158" and MFA !has "0"
//Join back to SigninLogs table to find the sign in details
| join kind=inner (SigninLogs) on CorrelationId
| project
    TimeGenerated,
    UserPrincipalName,
    UserType,
    AppDisplayName,
    IPAddress,
    Location,
    UserAgent,
    ResultType

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

AADSignInEventsBeta
//Create a list of all result codes within a single sign in to Azure AD
| summarize MFA=make_list(ErrorCode) by CorrelationId
//Find correlation ids where the user was sent to third party MFA (ResultType 50158) but there is no subsequent success (ResultType 0)
| where MFA has "50158" and MFA !has "0"
//Join back to SigninLogs table to find the sign in details
| join kind=inner (AADSignInEventsBeta) on CorrelationId
| project
    Timestamp,
    AccountUpn,
    IsGuestUser,
    Application,
    IPAddress,
    Country,
    UserAgent,
    ErrorCode

Explanation

This query is designed to identify sign-in failures related to third-party Multi-Factor Authentication (MFA) services like Okta or Duo in Azure Active Directory (Azure AD). Here's a simple breakdown of what the query does:

  1. Data Source: It uses sign-in logs from Azure Active Directory, specifically focusing on events where third-party MFA is involved.

  2. MFA Result Codes: When a user attempts to sign in using third-party MFA, Azure AD logs a specific result code, 50158, indicating the user was sent to the third-party MFA service. A successful authentication would also log a result code 0.

  3. Identifying Failures: The query looks for instances where the 50158 code is present, but there is no corresponding 0 code. This indicates that the third-party MFA process failed, as the success code 0 was never logged.

  4. Data Retrieval: It retrieves detailed information about these failed sign-in attempts, including the time of the attempt, user details, application accessed, IP address, location, and user agent.

  5. Two Versions: The query is written in two versions:

    • Microsoft Sentinel Query: Uses the SigninLogs table.
    • Advanced Hunting Query: Uses the AADSignInEventsBeta table, which requires an Azure AD P2 License.

In summary, this query helps identify and analyze failed sign-in attempts due to third-party MFA issues by checking for specific result codes in Azure AD logs.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

SigninLogsAADSignInEventsBeta

Keywords

SigninLogsAzureActiveDirectoryUserApplicationIPAddressLocationUserAgentErrorCode

Operators

SigninLogssummarizemake_listbywherehas!hasjoinkind=inneronprojectAADSignInEventsBeta.

Actions

GitHub