Forum Discussion
Solved
Identify users not using MFA
Hi Microsoft Community, I'd like to identify users who are authenticating to our M365 tenant without MFA. Currently we have MFA enforced by way of Conditional Access policy applying to a grou...
- Thanks to the replies. I found the information I was looking for in the GUI, filtered and downloaded to CSV:
Entra > Protection > Authentication Methods > User Registration Details
Hi there !!
You can run this query in your log analytics workspace.
SigninLogs
| where ResultType == 0
| where ConditionalAccessStatus == "success" // Ensure CA policy is applied successfully
| where MfaDetail !contains "MFA" // Filter out sign-ins where MFA was used
| summarize count() by UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, Location
| order by count_ desc
This query ensures that the Conditional Access policy was successfully applied and filters out sign-ins where MFA was used. This should help you identify users who are authenticating without MFA more accurately.
Thanks 🙂
You can run this query in your log analytics workspace.
SigninLogs
| where ResultType == 0
| where ConditionalAccessStatus == "success" // Ensure CA policy is applied successfully
| where MfaDetail !contains "MFA" // Filter out sign-ins where MFA was used
| summarize count() by UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, Location
| order by count_ desc
This query ensures that the Conditional Access policy was successfully applied and filters out sign-ins where MFA was used. This should help you identify users who are authenticating without MFA more accurately.
Thanks 🙂
