question

Madi-2475 avatar image
0 Votes"
Madi-2475 asked JamesHamil-MSFT commented

Filter on/Export MFA Fraud Reports

Hello,

I see a similar, past question about this here, but was wondering if anything has changed since 2018. I have email notifications setup now, but am wanting to view past MFA fraud reports.

Is there a way to filter Azure AD sign-ins that have the Authentication Details - Result Detail - "MFA denied; Phone App Reported Fraud" or export a list of sign-ins that have the report fraud included? I would like to end up with a list of only MFA prompts that have been reported as fraud, rather than going through each sign-in and clicking over to the Authentication Details.

If there isn't a native way to filter/export this information, does anyone have any workaround recommendations?
I have tried exporting a user's sign-in logs from Azure AD as a CSV and that does not contain the Report Fraud information.

Here is the information I've found on MFA fraud alerts.

Thank you!


azure-active-directoryazure-ad-multi-factor-authentication
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@Madi-2475
Thank you for the detailed post and the links you provided. It looks like you found the MFA Fraud alert section which walks you through how to view fraud reports within the Authentication details, primarily on a per user basis. Have you tried following the PowerShell reporting for users registered for MFA? The .csv should contain activity reports with the specific "FAILED_FRAUD_REPORTED" result code. There are also some additional MFA reports relating to specific MFA events.

I hope this helps.
Thank you for your time!


0 Votes 0 ·

@JamesTran-MSFT Thanks for the response! I looked over the PowerShell reporting for users registered for MFA and it doesn't look like that can export user activity reports in the .csv. It looks like I would have to use the Azure Active Directory reporting API?

I'd prefer to user the MSOnline Powershell Module to retrieve user activity reports that include result codes, but it doesn't look like that is possible.


0 Votes 0 ·

Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.

0 Votes 0 ·

1 Answer

JamesTran-MSFT avatar image
0 Votes"
JamesTran-MSFT answered

@Madi-2475
Looking through Azure AD PowerShell cmdlets for reporting, I did find a section on getting sign-in logs through PS. However, it does look you'll have to use the Azure Active Directory reporting API.

Since the feature you're looking for isn't available yet, you can definitely provide feedback/request for this feature to be implemented.

Please let me know if you have any other questions.
Thank you for your time and patience.

MSOnline Modules

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.