Query Details
Overview Of All MFA Methods In Use
Query
# KQL query to get an overview of all MFA methods in use ```kusto // Bar chart showing all MFA types used SigninLogs | where AuthenticationRequirement == "multiFactorAuthentication" | where ResultType == 0 | project AuthenticationDetails | extend ['MFA Method'] = tostring(parse_json(AuthenticationDetails)[1].authenticationMethod) | summarize Count=count() by ['MFA Method'] | where ['MFA Method'] != "Previously satisfied" and isnotempty(['MFA Method']) | sort by Count desc | render barchart with (title="Types of MFA Methods used") ```
Explanation
This KQL query is designed to provide a visual overview of the different Multi-Factor Authentication (MFA) methods being used successfully within an organization. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at the
SigninLogs, which contain records of sign-in attempts. -
Filter for MFA: It filters these logs to only include entries where multi-factor authentication was required (
AuthenticationRequirement == "multiFactorAuthentication") and was successful (ResultType == 0). -
Extract MFA Method: From these filtered logs, it extracts the specific MFA method used by parsing the
AuthenticationDetailsfield. -
Count MFA Methods: It counts how many times each MFA method was used, excluding any entries where the method is "Previously satisfied" or empty.
-
Sort and Visualize: The results are sorted in descending order based on the count, and then displayed as a bar chart titled "Types of MFA Methods used".
In summary, this query generates a bar chart that shows the frequency of different MFA methods used successfully, helping to understand which methods are most commonly employed.
Details
Nathan Hutchinson
Released: April 10, 2026
Tables
Keywords
Operators