Monitoring Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) activity is a critical part of maintaining and administering a secure environment. Tracking these operations allows you to validate the legitimacy of login attempts and quickly respond to any suspicious cases.
Azure AD provides comprehensive reports about user sign-ins, including logins that involve MFA. These reports can be accessed through the Azure portal.
1. Accessing MFA Activity Reports
MFA activity can be accessed through the Azure Active Directory portal. Navigate to “Azure Active Directory” > “Sign-ins”, where you can filter the activity results for MFA details. Viewing the MFA-related data gives insight into user locations, sign-in devices, reasons for MFA requests, and more.
2. Understanding Sign-in Activity Reports
The sign-ins report provides a wealth of information about every sign-in attempt in your tenant. This information includes the date and time of the sign-in, the user’s IP address, the location from which the sign-in was initiated, the application that the user tried to access, the status of the sign-in attempt, and more.
The report also contains detailed MFA information. Some of the fields in the MFA details include:
- MFA Required: This shows if the user was prompted for MFA.
- MFA Result: This presents the result of the MFA prompt. The possible results are ‘success’, ‘failure’, ‘denied’, or ‘fraud’.
- MFA Auth Method: This shows the method used for MFA (for example, phone call, text message, or mobile app notification).
- Reason for MFA: This indicates the policy that triggered the MFA prompt.
Beside each record, there is an option to view additional details and perform further analysis.
3. Using Microsoft Cloud App Security (MCAS)
If you have a subscription that includes Microsoft Cloud App Security (MCAS), you can get additional insights into your organization’s MFA activity. MCAS offers advanced anomaly detection policies that can help identify potentially suspicious MFA activity. These policies can notify you of situations such as impossible travel activity, unusual multigeography activity, and detection of infected devices, among others. MCAS also allows you to build custom queries and alerts.
4. Automating Alerts with Azure Monitor
If you want to automate tracking for MFA operations, you can use Azure Monitor. Azure Monitor is a service in Azure that collects and analyzes data from various sources. By creating an Azure Monitor alert, you can be notified when specific events occur. For example, you can create an alert for when a user fails to authenticate through MFA three times in a row, indicating possible suspicious activity.
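The three-failures-in-a-row rule described above, as an added example (not code from the original page or from Microsoft). It runs over exported sign-in records rather than inside Azure Monitor; the record keys (`time`, `user`, `ip`, `mfa_required`, `mfa_result`) are hypothetical simplifications of the report fields, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime

def find_mfa_alerts(records, threshold=3):
    """Alert on `threshold` consecutive non-successful MFA prompts per user
    ('failure', 'denied' or 'fraud'), and on every prompt reported as fraud."""
    alerts = []
    streaks = defaultdict(list)  # user -> records in the current failure streak
    # Exports are not guaranteed to be ordered, so sort by timestamp first.
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["time"])):
        if not rec["mfa_required"]:
            continue  # no MFA prompt: neither extends nor resets a streak
        user, result = rec["user"], rec["mfa_result"]
        if result == "success":
            streaks[user].clear()  # a successful prompt ends the streak
            continue
        if result == "fraud":
            alerts.append({"user": user, "kind": "fraud_reported",
                           "time": rec["time"], "ips": [rec["ip"]]})
        streaks[user].append(rec)
        if len(streaks[user]) == threshold:  # fire once per streak
            alerts.append({"user": user, "kind": "consecutive_failures",
                           "time": rec["time"],
                           "ips": sorted({r["ip"] for r in streaks[user]})})
    return alerts

def _rec(time, user, ip, result, required=True):
    # Hypothetical, simplified record shape; not the real export schema.
    return {"time": f"2024-05-01T{time}", "user": user, "ip": ip,
            "mfa_required": required, "mfa_result": result}

# Constructed sample sign-ins (documentation IP ranges, example.com users).
SAMPLE_SIGNINS = [
    _rec("09:00:00", "alice@example.com", "198.51.100.7", "failure"),
    _rec("09:01:00", "alice@example.com", "198.51.100.7", "failure"),
    _rec("09:02:00", "alice@example.com", "198.51.100.7", "success"),
    _rec("09:03:00", "alice@example.com", "198.51.100.7", "failure"),
    _rec("10:00:00", "bob@example.com", "203.0.113.5", "failure"),
    _rec("10:02:00", "bob@example.com", "203.0.113.9", "failure"),  # out of order
    _rec("10:01:00", "bob@example.com", "203.0.113.5", "denied"),
    _rec("10:01:30", "bob@example.com", "203.0.113.5", None, required=False),
    _rec("10:03:00", "bob@example.com", "203.0.113.9", "failure"),
    _rec("11:00:00", "carol@example.com", "192.0.2.44", "fraud"),
]

if __name__ == "__main__":
    for alert in find_mfa_alerts(SAMPLE_SIGNINS):
        print(alert)
```

The alert carries every source IP seen during the streak, which helps separate a user mistyping a code on one device from prompts triggered from several addresses.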
Monitoring Azure AD MFA activity plays a significant role in maintaining a robust and secure digital environment. Through the various features and tools that Azure AD offers, you can stay on top of your organization’s MFA activity and mitigate potential security risks promptly.
Practice Test
True or False: Azure AD MFA is a method to validate the identity of each user.
- True
- False
Answer: True
Explanation: Azure AD MFA is an additional layer of security provided by Microsoft that requires users to verify their identity through two or more methods.
True or False: Azure AD MFA only supports two methods of authentication.
- True
- False
Answer: False
Explanation: Azure AD MFA supports multiple verification methods, such as phone call, text message, mobile app notification, mobile app code, and hardware token.
What kinds of information can be found in the Azure AD MFA activity reports?
- A. User login activity
- B. User verification history
- C. Account lockouts
- D. Device registration details
Answer: A, B, C
Explanation: Azure AD MFA activity reports cover user sign-in activity, user verification history, and account lockout status.
Azure AD MFA activity can be monitored by a non-administrative user. True or False?
- True
- False
Answer: False
Explanation: Only Azure Active Directory administrators can monitor Azure AD MFA activity in the portal.
Azure AD MFA sign-in activity can be monitored in real time. True or False?
- True
- False
Answer: True
Explanation: Azure provides near real-time sign-in activity for MFA, providing visibility into potential or ongoing security incidents.
Which is not a verification method supported by Azure AD MFA?
- A. Mobile app notification
- B. Text message
- C. Email
- D. Phone call
Answer: C. Email
Explanation: The supported verification methods in Azure AD MFA are phone call, text message, and mobile app notification or verification code. Email is not supported.
Azure AD MFA does not help to meet compliance requirements. True or False?
- True
- False
Answer: False
Explanation: Azure AD MFA helps meet organizational compliance requirements by providing an extra layer of security.
Azure AD MFA activity reports can be exported directly to Excel. True or False?
- True
- False
Answer: True
Explanation: Azure provides the functionality to export Azure MFA activity reports directly to Excel for detailed analysis and record keeping.
True or False: Azure AD MFA cannot block access from unfamiliar locations.
- True
- False
Answer: False
Explanation: Azure AD MFA, in collaboration with Conditional Access, can enforce MFA on sign-in attempts from unfamiliar locations.
What does Azure AD MFA stand for?
- A. Azure Dedicated Disk Multi-Factor Authentication
- B. Azure Directory Disk Multi-Factor Authorization
- C. Azure Active Directory Multi-Factor Authentication
- D. Azure Active Disk Multi-File Authorization
Answer: C. Azure Active Directory Multi-Factor Authentication
Explanation: MFA stands for Multi-Factor Authentication and Azure AD stands for Azure Active Directory, thus, Azure AD MFA stands for Azure Active Directory Multi-Factor Authentication.
True or False: Azure AD MFA activity reports provide only recent data.
- True
- False
Answer: True
Explanation: MFA activity reports provide the most recent data and only for a limited period of time, usually 30 days.
Which of the following can be used for Azure AD MFA enforcement?
- A. Compliance policy
- B. Conditional access policy
- C. Security policy
- D. Device management policy
Answer: B. Conditional access policy
Explanation: Conditional access policy is used to enforce MFA in Azure AD, based on the conditions specified in the policy.
True or False: Azure AD MFA doesn’t support fallback options.
- True
- False
Answer: False
Explanation: Azure AD MFA does support fallback options. If the primary method fails or is unavailable, the user can revert to another method specified in their MFA settings.
True or False: Azure AD MFA can help protect applications that use modern authentication.
- True
- False
Answer: True
Explanation: Azure AD MFA can protect both cloud-based and on-premises applications that use modern authentication methods, increasing the security of these applications.
True or False: It is necessary to check the MFA activity regularly to notice any unusual patterns that could indicate a security risk.
- True
- False
Answer: True
Explanation: Regularly checking MFA activity can help identify unusual activities or patterns that might suggest security risks or breaches.
Interview Questions
What is Azure AD MFA?
Azure AD Multi-Factor Authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions.
How is Azure AD MFA activity monitored?
Azure AD MFA activity can be monitored using Azure AD reports and monitoring. This includes the sign-ins report to see who performed the sign-ins, the MFA usage report to see which users have registered for MFA, and the risky sign-ins report to see sign-ins flagged by Azure as risky.
What types of reports are available for MFA in Azure AD?
Three types of reports are available for MFA in Azure AD: User MFA status, detailed MFA usage, and Fraud alert.
Where can you view Azure AD MFA activity?
Azure AD MFA activity can be viewed in the Azure dashboard under the Azure Active Directory section and then under Sign-ins.
Can you configure notifications for MFA activity in Azure AD?
Yes, you can configure notifications for MFA activity in Azure AD. Azure Monitor allows notifications to be sent when certain criteria are met.
How can you view the MFA settings for a specific user?
You can view the MFA settings for a specific user through the Azure portal by navigating to Azure Active Directory, then to Users, selecting the user and under the Manage section, selecting Authentication methods.
What is the MFA Server in Azure AD?
Azure MFA Server is a self-hosted multi-factor authentication solution used with the Azure AD service that provides additional security for your infrastructure.
What are the risk detection types that can be used with Azure AD for monitoring?
The risk detection types that can be used with Azure AD for monitoring include user risk and sign-in risk.
What happens when a risk event is detected in Azure AD?
When a risk event is detected in Azure AD, an administrator will receive an alert. The alert can be configured with Azure Monitor to take automatic actions, including blocking the account or forcing a password reset.
Is it possible to export Azure AD sign-in logs for monitoring?
Yes, Azure AD sign-in logs can be exported for monitoring. They can be exported to event hubs and log analytics workspaces for accessing and analyzing the data.
Can the Azure Active Directory MFA reports be viewed in real-time?
Yes, Azure AD MFA reports in the Azure portal are available in near-real-time, meaning they’re updated to reflect recent activities.
Can the Azure AD MFA report provide details of a user’s secondary authentication methods?
Yes, Azure AD MFA reports include the details of each user’s secondary authentication methods in the MFA User Details report.
What is the purpose of the MFA fraud alert feature in Azure AD?
The MFA fraud alert feature in Azure allows users to report fraudulent attempts at accessing their accounts. This can enhance an organization’s security by identifying and taking action on fraudulent login attempts.
How long does Azure retain MFA data for analysis?
Azure retains MFA data for a period of 30 days for analysis.
Can the Azure MFA usage report show which users have been registered for MFA?
Yes, the Azure MFA usage report shows which users have been registered for MFA, how they are accessing it, and when they accessed it.