question

dbird03 asked dbird03 commented

Azure AD Sign-in logs do not show event for user logging in to Microsoft Azure app on iOS device when authenticating with the Microsoft Authenticator app

As the title says, we noticed today that logging in to the Microsoft Azure mobile app on an iPhone does NOT generate an event in the Azure AD Sign-in logs when the user is authenticating using the Microsoft Authenticator app. When authenticating, the user is redirected to the Microsoft Authenticator app where they select their username, then they are redirected back to the Microsoft Azure app without being prompted for a password or MFA code.

An event is only generated in the Azure AD Sign-in logs if we log in to the Microsoft Azure mobile app or https://portal.azure.com in Safari on an iPhone and authenticate by typing in our username and password and then provide the MFA one-time code.

Why is no event generated in the Sign-in logs in the first scenario when the user is authenticating with the Microsoft Authenticator app?

azure-active-directory

JaiVerma-7010 answered

Is Passwordless sign-in enabled in your environment? Azure AD Sign-in logs only capture interactive sign-ins.


dbird03 answered

@JaiVerma-7010 Thanks for the quick reply. I'm not familiar with passwordless sign-in with Azure. We use the Microsoft Authenticator app for MFA in our Conditional Access policies to restrict access to some of our other applications like Power BI. Is it possible to see the logs for passwordless sign-ins?


ManuPhilip answered

Hello @dbird03,

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. Please clarify if this is the case


Please mark as "Accept the answer" if the above steps help you. Others with similar issues can also follow the solution as per your suggestion.

Regards,

Manu


dbird03 answered dbird03 commented

@ManuPhilip Where can I find the audit logs you are referencing?

I just checked our Azure tenant and have confirmed the "Microsoft Authenticator passwordless sign-in" method is not enabled (Azure Active Directory > Security > Authentication Methods).


Hi,

Go to https://protection.office.com. Sign in using your work or school account. In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.

The Audit log search page is displayed.

Regards,
Manu


Thank you. I searched the audit log but didn't see anything. I know you said the event can take up to 24 hours to show up, but I don't see any indication that the audit log shows passwordless sign-in events. When I clicked the Activities drop down filter, I don't see anything related to passwordless sign-in or Microsoft Authenticator. Do you know what the activity would be called?


Hi,

Please check the following way of MFA auditing also
1. Sign in to the Azure portal using an account with global administrator permissions.
2. Search for and select Azure Active Directory, then choose Users from the menu on the left-hand side.
3. Under Activity from the menu on the left-hand side, select Sign-ins.
4. A list of sign-in events is shown, including the status. You can select an event to view more details.
The Authentication Details or Conditional Access tab of the event details shows you the status code or which policy triggered the MFA prompt.

Check the codes corresponding to user activity from the table here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting#downloaded-activity-reports-result-codes

Thanks,
Manu
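The portal steps above list the interactive sign-ins only. As an added example (not code from this thread or from Microsoft), the Python below runs the same check over sign-in records shaped like the Microsoft Graph `auditLogs/signIns` resource: it separates interactive from non-interactive records and reports which sign-ins were completed with the Microsoft Authenticator app and which failed. The field names (`isInteractive`, `authenticationDetails`, `authenticationMethod`, `status.errorCode`) are assumed from that schema, and the sample records and their method strings are constructed.

```python
import json

# Constructed sample records shaped like the Microsoft Graph signIn resource
# (auditLogs/signIns). Field names are assumed from that schema; every value
# below, including the authenticationMethod strings, is made up for illustration.
SAMPLE_SIGNINS = json.loads("""[
 {"id": "s1", "userPrincipalName": "user@example.com", "appDisplayName": "Microsoft Azure",
  "isInteractive": true, "status": {"errorCode": 0},
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true},
   {"authenticationMethod": "Mobile app notification", "succeeded": true}]},
 {"id": "s2", "userPrincipalName": "user@example.com", "appDisplayName": "Microsoft Azure",
  "isInteractive": false, "status": {"errorCode": 0},
  "authenticationDetails": [
   {"authenticationMethod": "Previously satisfied", "succeeded": true}]},
 {"id": "s3", "userPrincipalName": "user@example.com", "appDisplayName": "Microsoft Azure",
  "isInteractive": true, "status": {"errorCode": 50074},
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true},
   {"authenticationMethod": "Mobile app notification", "succeeded": false}]}
]""")

# Substrings that mark a step completed by the Microsoft Authenticator app (assumed).
AUTHENTICATOR_HINTS = ("mobile app", "authenticator")


def used_authenticator(rec):
    """True when any successful authentication step came from the Authenticator app."""
    return any(
        step.get("succeeded") and
        any(h in step.get("authenticationMethod", "").lower() for h in AUTHENTICATOR_HINTS)
        for step in rec.get("authenticationDetails", []))


def summarize(records):
    """Split records the way the portal does: the Sign-ins view shows only
    isInteractive == true; non-interactive sign-ins (for example token refreshes
    that reuse an earlier MFA claim) are kept in a separate view."""
    out = {"interactive": [], "non_interactive": [], "authenticator": [], "failed": []}
    for rec in records:
        bucket = "interactive" if rec.get("isInteractive") else "non_interactive"
        out[bucket].append(rec["id"])
        if used_authenticator(rec):
            out["authenticator"].append(rec["id"])
        if rec.get("status", {}).get("errorCode", 0) != 0:
            out["failed"].append(rec["id"])
    return out


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SIGNINS), indent=1))
```

Point the same functions at records exported from the Graph endpoint to check both the interactive and non-interactive views for the sign-in you expect.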