The workbook focuses on three key MFA operations in your AuditLogs: new registrations, deletions, and registration attempts. By tracking these activities, you can quickly spot unusual patterns or verify that users are properly setting up their MFA methods.
When you open the workbook, you’ll see an overview dashboard showing your MFA status for the last 7 days. This includes simple count tiles showing how many MFA methods were registered or removed, along with a timeline that helps you spot patterns or unusual spikes in MFA activity.
For deeper investigation, the detailed view shows three clear tables. You can see which authentication methods users are registering (like Microsoft Authenticator or FIDO2 keys), track if users are having trouble during registration attempts, and monitor when MFA methods are being removed from accounts.
Requirements
Before using this workbook, make sure you have:
- Microsoft Sentinel
  - Workspace with the Entra ID connector enabled
  - Permissions to create and edit workbooks
  - Access to query AuditLogs table
- Entra ID Configuration
  - P1/P2 license for full MFA logging capabilities
  - Diagnostic settings configured to send logs to your Sentinel workspace
The workbook shows a fixed 7-day window of MFA activities, giving you a clear picture of your recent MFA environment without overwhelming you with historical data.
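To sanity-check the data before importing the workbook, the following KQL is an added example (not the workbook's own query) that summarises the three MFA operations over the same 7-day window. It assumes the operations appear under the standard Entra ID `OperationName` values listed in `mfaOps` and that the method text is in `ResultDescription`; adjust both if your tenant logs them differently.

```kusto
// Added example, not taken from the workbook itself.
// Assumption: the three tracked operations map to these OperationName values.
let lookback = 7d;
let mfaOps = dynamic([
    "User registered security info",
    "User deleted security info",
    "User started security info registration"
]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in (mfaOps)
// Target is the account whose MFA methods changed; Actor is who made the change.
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend Activity = case(
    OperationName == "User registered security info", "Registered",
    OperationName == "User deleted security info", "Deleted",
    "RegistrationStarted")
// One row per activity per day: enough for count tiles and a timeline.
| summarize
    Events = count(),
    Failures = countif(Result =~ "failure"),
    Users = dcount(Target),
    // Rows where someone other than the target changed the method (admin or other actor).
    ChangedByOther = countif(isnotempty(Actor) and Actor !~ Target),
    // Assumption: ResultDescription carries the method text (e.g. the authenticator type).
    Methods = make_set(ResultDescription, 10)
    by Activity, Day = bin(TimeGenerated, 1d)
| order by Day asc, Activity asc
```

An empty result usually means the diagnostic settings are not sending AuditLogs to the workspace yet, rather than that no MFA activity occurred.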
Summary
This workbook fills a simple but important need: keeping track of MFA changes in your environment. With just the AuditLogs table and a few minutes to set up, you get a clear view of who’s registering MFA methods, who’s having trouble, and what methods are being removed. It’s particularly useful for security teams during MFA rollouts or when troubleshooting user access issues.