Share via

Where to find user's authentication type and registered MFA method in Office 365 logs

Mladen Ivanov 0 Reputation points
2024-04-09T17:54:22.79+00:00

Hi there,

We are sending all Office 365/Azure logs to our SIEM platform, and we would like to visualise the authentication type (single factor/multifactor) and registered MFA method (phone, email, authenticator app, etc) for each user. I am aware that this information can be seen on Microsoft Entra admin center, but we would like to see it in our SIEM for all users and all tenancies we manage. However, we cannot find where this information is located on the logs we receive from Office 365.

I will appreciate if someone explain where can we find the information in the logs, and if not part of the logs, where else can we find it?

I am also attaching screenshots of the details we like to see in the logs.

Regards

M.Entra Authentication Type

Registered MFA Methods

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,977 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,883 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Carlos Solís Salazar 17,021 Reputation points MVP
    2024-04-15T12:52:45.59+00:00

    Hi there,

    It is relevant what the SIEM that you are using is because it will depend on your SIEM whether it can meet your requirements or not.

    According to the same documentation you shared, it looks like these logs are out of the scope of your SIEM.

    Hope this helps.

    If the answer helped you, please accept it.

    1 person found this answer helpful.