Is there a way through Log Analytics to match a MFA fraud report to the sign in that prompted it?
@nogas I wanted to follow up and know if the below responses helped in answering your query. If it did, please do not forget to accept the appropriate response as Answer.
@nogas Thanks for reaching out.
All the fraud MFA reporting comes under Authentication Details under the sign-in logs. The sign-in logs table in Log explorer can help you find more.
I do not have the date set in my tenant.
But I will start from the sign-in logs table to find more:

You can filter further for fraud reporting keywords mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting
For example: FAILED_FRAUD_CODE_ENTERED
I can work with you to find the desired results on your dataset if you need further help.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
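One way to run the search described in the answer above, as an added example that is not part of the original thread. It assumes the tenant exports Azure AD sign-in logs to the `SigninLogs` table in the workspace; the 30-day lookback and the substring match on "fraud" (which also covers the `FAILED_FRAUD_CODE_ENTERED` keyword) are assumptions to adjust to your data.

```kusto
// Added example, not from the original thread.
// Assumption: Azure AD sign-in logs are routed to the SigninLogs table.
let lookback = 30d;   // assumption: widen or narrow to cover the date of the fraud report
SigninLogs
| where TimeGenerated > ago(lookback)
// AuthenticationDetails is stored as a JSON string holding one entry per authentication step
| extend AuthDetails = todynamic(AuthenticationDetails)
| mv-expand AuthStep = AuthDetails
| extend StepTime   = todatetime(AuthStep.authenticationStepDateTime),
         StepMethod = tostring(AuthStep.authenticationMethod),
         StepResult = tostring(AuthStep.authenticationStepResultDetail)
// Case-insensitive substring match, so it also catches FAILED_FRAUD_CODE_ENTERED
| where StepResult contains "fraud" or ResultDescription contains "fraud"
// Fields that identify the sign-in that raised the MFA prompt
| project TimeGenerated, StepTime, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ClientAppUsed, StepMethod, StepResult,
          ResultType, ResultDescription, CorrelationId, Id
| order by TimeGenerated desc
```

Each returned row is the sign-in whose MFA step carried the fraud result; filtering `SigninLogs` on its `CorrelationId` pulls the other entries recorded for the same sign-in attempt.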