ADFS - possibility to determine to which application user has logged in

Spenserq 1 Reputation point
2020-04-21T06:11:08.847+00:00

Hello,

In our environment we use ADFS for authentication to various applications and we would like to have a report about how many users logged in through ADFS to a specific application.

On the basic logging level I was able to find only events 4624 and 4648 about the ADFS service account logon on the user account.

On the verbose logging level I can see events like 1200 or 1202 where we have information about the user ID, but there is still no information about which application the user logged in to. There is also an IP address, but in our case it is the address of the load balancer.

Is there any option to determine which application the user logged in to through ADFS?

Thanks for any help


3 answers

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-04-21T12:55:21.837+00:00

    This is an example of the event 1200:

    The Federation Service issued a valid token. See XML for details. 
    
    Activity ID: 9d4acd9f-c9ee-495e-0e00-0080000000d5 
    
    Additional Data 
    XML: <?xml version="1.0" encoding="utf-16"?>
    <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
      <AuditType>AppToken</AuditType>
      <AuditResult>Success</AuditResult>
      <FailureType>None</FailureType>
      <ErrorCode>N/A</ErrorCode>
      <ContextComponents>
        <Component xsi:type="ResourceAuditComponent">
          <RelyingParty>urn:microsoft:adfs:claimsxray</RelyingParty>
          <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
          <UserId>V\piaudonnmsdn</UserId>
        </Component>
        <Component xsi:type="AuthNAuditComponent">
          <PrimaryAuth>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</PrimaryAuth>
          <DeviceAuth>false</DeviceAuth>
          <DeviceId>N/A</DeviceId>
          <MfaPerformed>false</MfaPerformed>
          <MfaMethod>N/A</MfaMethod>
          <TokenBindingProvidedId>true</TokenBindingProvidedId>
          <TokenBindingReferredId>false</TokenBindingReferredId>
          <SsoBindingValidationLevel>TokenBoundAndValid</SsoBindingValidationLevel>
        </Component>
        <Component xsi:type="ProtocolAuditComponent">
          <OAuthClientId>N/A</OAuthClientId>
          <OAuthGrant>N/A</OAuthGrant>
        </Component>
        <Component xsi:type="RequestAuditComponent">
          <Server>http://sts.verenatex.com/adfs/services/trust</Server>
          <AuthProtocol>WSFederation</AuthProtocol>
          <NetworkLocation>Intranet</NetworkLocation>
          <IpAddress>10.0.1.8</IpAddress>
          <ForwardedIpAddress />
          <ProxyIpAddress>N/A</ProxyIpAddress>
          <NetworkIpAddress>N/A</NetworkIpAddress>
          <ProxyServer>N/A</ProxyServer>
          <UserAgentString>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E)</UserAgentString>
          <Endpoint>/adfs/ls</Endpoint>
        </Component>
      </ContextComponents>
    </AuditBase>
    

    You can see there is a relying party trust section "<RelyingParty>urn:microsoft:adfs:claimsxray</RelyingParty>". Don't you have it in your events?

    For the load balancer IP, it depends on your implementation. Do you use WAP servers? Are your load balancers doing NAT?


  2. Spenserq 1 Reputation point
    2020-04-21T16:00:13.773+00:00

    Hello @Pierre Audonnet - MSFT ,

    Thanks for your quick answer.

    Yes, we use WAP servers, but as for the question about doing NAT on the load balancers, I don't know the answer.
    I quickly checked the logs and in <RelyingParty> I can find only 2 values:

    • urn:federation:MicrosoftOnline
    • microsoft:identityserver:XXXX.coupahost.com

    So unfortunately this is not what I'm looking for, because I can't determine if user authenticated to application ABC or DEF.
    Do you have any other idea how I could solve that problem?


  3. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-04-21T23:05:34.72+00:00

    urn:federation:MicrosoftOnline
    microsoft:identityserver:XXXX.coupahost.com

    are the identifiers of the relying parties. This is the information you are looking for (maybe not the format you want). You can see the identifiers from the ADFS admin console or in PowerShell in the output of Get-ADFSRelyingPartyTrust.

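The per-application report the question asks for can be built by parsing the XML payload of each event 1200 and grouping on RelyingParty, as in this added Python example (not code from the thread). It assumes the payload strings have already been pulled from the Security log; the sample payloads, user names, hosts and addresses below are constructed to mirror the XML in the first answer.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed AppTokenAudit payloads, shaped like the event 1200 XML in the answer above.
# Only the fields this report needs are included; names, hosts and addresses are made up.
def _payload(rp, user, ip, forwarded=""):
    return (
        '<?xml version="1.0" encoding="utf-16"?>'
        '<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">'
        "<AuditType>AppToken</AuditType><AuditResult>Success</AuditResult><ContextComponents>"
        f'<Component xsi:type="ResourceAuditComponent"><RelyingParty>{rp}</RelyingParty>'
        f"<ClaimsProvider>AD AUTHORITY</ClaimsProvider><UserId>{user}</UserId></Component>"
        f'<Component xsi:type="RequestAuditComponent"><IpAddress>{ip}</IpAddress>'
        f"<ForwardedIpAddress>{forwarded}</ForwardedIpAddress></Component>"
        "</ContextComponents></AuditBase>"
    )

SAMPLE_EVENTS = [
    _payload("urn:federation:MicrosoftOnline", "CORP\\alice", "10.0.0.5"),
    _payload("urn:federation:MicrosoftOnline", "CORP\\bob", "10.0.0.5", "203.0.113.7"),
    _payload("microsoft:identityserver:app.example.com", "CORP\\alice", "10.0.0.5"),
]

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def parse_app_token_audit(xml_text):
    """Return who signed in to which relying party, or None for non-AppToken audits."""
    # The event stores the payload as text with a utf-16 declaration; drop the
    # declaration so the string can be parsed directly.
    root = ET.fromstring(_XML_DECL.sub("", xml_text, count=1))
    if root.findtext("AuditType") != "AppToken":
        return None  # e.g. a password-validation audit (event 1202), not a token issuance
    def field(tag):
        return (root.findtext(f".//{tag}") or "").strip() or None
    return {
        "relying_party": field("RelyingParty"), "user": field("UserId"),
        "result": field("AuditResult"),
        # IpAddress may be the load balancer; ForwardedIpAddress is reported separately
        # so it is visible whether a forwarded client address was recorded at all.
        "ip": field("IpAddress"), "forwarded_ip": field("ForwardedIpAddress"),
    }

def logons_per_relying_party(payloads):
    """Map relying party identifier -> {'tokens': count, 'users': sorted distinct users}."""
    report = defaultdict(lambda: {"tokens": 0, "users": set()})
    for text in payloads:
        rec = parse_app_token_audit(text)
        if rec and rec["result"] == "Success" and rec["relying_party"]:
            report[rec["relying_party"]]["tokens"] += 1
            report[rec["relying_party"]]["users"].add(rec["user"])
    return {rp: {"tokens": e["tokens"], "users": sorted(e["users"])} for rp, e in report.items()}
```

The relying party identifiers in the output are the same strings Get-ADFSRelyingPartyTrust lists, so they can be mapped to application display names from that cmdlet's output.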