Analyzing Authentication Methods in Azure: Insights from Azure Active Directory Audit Logs


In today’s digital ecosystem, safeguarding user accounts and data is vital. Azure Active Directory (AAD) is essential for authentication and access management in Azure. Continuous monitoring and analysis of authentication methods are crucial for maintaining security. This blog explores a KQL query for insights into authentication methods and registered mobile numbers in Azure AD audit logs.

Understanding the Query: A Step-by-Step Analysis

Let’s dissect the query to understand each step and its significance:

AuditLogs
| extend deviceNo = tostring(AdditionalDetails[0].value)
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where OperationName == "User registered security info"
    or OperationName == 'User started security info registration'
    or OperationName == 'Admin registered security info'
    or OperationName == 'Authentication Methods Policy Update'
| where Result == 'success'
// modifiedProperties is a JSON string; entry [2].newValue inside it is itself a JSON-encoded string
| extend PhoneNumber1 = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].newValue)))
| extend AdminregisteredphonemethodforuserPhoneno = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].newValue)))
| extend UserdisabledSMSsigninonaphonenumber = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].newValue)))
// coalesce keeps the first non-empty value; the column names here must match the extend clauses above
| extend PhoneNumber = coalesce(PhoneNumber1, AdminregisteredphonemethodforuserPhoneno, UserdisabledSMSsigninonaphonenumber)
| summarize by TimeGenerated, userPrincipalName_, ResultDescription, PhoneNumber
  1. AuditLogs: This initial step selects the audit log table of Azure Active Directory. These logs record user activities, including authentication events and security-related operations.
  2. Extend: Next, we extend the query with additional columns derived from each record. Specifically, we extract the device number (the first value under AdditionalDetails) and the user principal name of the initiating user, which are the identifiers used to track activity.
  3. Where: In this step, we keep only the operations that concern user security information: a user registering or starting to register security info, an administrator registering security info on a user's behalf, and updates to the authentication methods policy.
  4. Where (Result): We further restrict the results to successful operations, so the analysis covers only cases where a security change actually took effect.
  5. Extend (PhoneNumber1, AdminregisteredphonemethodforuserPhoneno, UserdisabledSMSsigninonaphonenumber): In this step, we extract the registered mobile number. The phone number sits in the modifiedProperties of the first target resource, which is stored as a JSON string whose third entry's newValue is itself JSON-encoded, so it is parsed twice. The three columns read the same field and are merged with coalesce into a single PhoneNumber column.
  6. Summarize: Finally, we summarize the results by grouping them on the time they were generated, the user's principal name, the result description, and the registered mobile number, which yields one row per distinct combination.
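As an added illustration (not the post's own code), the following Python mirrors the query's where / extend / summarize logic over constructed records shaped like AuditLogs rows, which makes the double JSON nesting of modifiedProperties and newValue visible and shows what happens when a record has no phone entry. The record contents, names and phone values are constructed assumptions, not real tenant data.

```python
import json

# Operations the page's KQL keeps (copied from its where clause).
TRACKED_OPERATIONS = {"User registered security info", "User started security info registration",
                      "Admin registered security info", "Authentication Methods Policy Update"}

def phone_from_record(record):
    """Mirror the nested parse_json calls: TargetResources[0].modifiedProperties is a
    JSON string, and entry [2].newValue inside it is a JSON-encoded phone string.
    Returns None when any level is absent (the KQL yields an empty value there)."""
    try:
        props = json.loads(record["TargetResources"][0]["modifiedProperties"])
        value = json.loads(props[2]["newValue"])
    except (KeyError, IndexError, TypeError, json.JSONDecodeError):
        return None
    return str(value) if value else None

def registered_phone_events(records):
    """Apply the query's where / extend / summarize steps; return the distinct
    (TimeGenerated, userPrincipalName, ResultDescription, PhoneNumber) rows."""
    rows = set()
    for r in records:
        if r.get("OperationName") not in TRACKED_OPERATIONS or r.get("Result") != "success":
            continue
        upn = r.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName")
        rows.add((r["TimeGenerated"], upn, r.get("ResultDescription", ""), phone_from_record(r)))
    return sorted(rows, key=lambda row: row[0])

def _props(phone_json):
    # Constructed modifiedProperties with the phone at index 2, as the query assumes.
    return json.dumps([{"displayName": "Included Updated Properties", "newValue": '"PhoneNumber"'},
                       {"displayName": "Type", "newValue": '"Phone"'},
                       {"displayName": "PhoneNumber", "newValue": phone_json}])

# Constructed sample records in the shape the query expects (not real tenant data).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-01-10T08:00:00Z", "OperationName": "User registered security info",
     "Result": "success", "ResultDescription": "", "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "TargetResources": [{"modifiedProperties": _props('"+1 5550100"')}]},
    {"TimeGenerated": "2024-01-10T08:05:00Z", "OperationName": "Admin registered security info",
     "Result": "failure", "ResultDescription": "Policy blocked", "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"modifiedProperties": _props('"+1 5550199"')}]},
    {"TimeGenerated": "2024-01-10T08:10:00Z", "OperationName": "User started security info registration",
     "Result": "success", "ResultDescription": "", "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "TargetResources": [{"modifiedProperties": json.dumps([])}]},  # no phone recorded yet
    {"TimeGenerated": "2024-01-10T08:15:00Z", "OperationName": "Update user", "Result": "success",
     "ResultDescription": "", "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "TargetResources": [{"modifiedProperties": _props('"+1 5550100"')}]},
]
```

Running registered_phone_events(SAMPLE_RECORDS) keeps only the two successful tracked operations: the failed admin registration and the unrelated "Update user" event are dropped, and the registration that has not yet recorded a phone yields an empty PhoneNumber.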

Conclusion

By analyzing authentication methods and registered mobile numbers through Azure Active Directory audit logs, organizations gain valuable insights into their security posture. This KQL query provides a systematic approach to monitoring user activities, ensuring compliance with security policies, and enhancing overall cybersecurity resilience in Azure environments. Continuous analysis and optimization of authentication methods are essential components of a proactive security strategy, helping organizations stay ahead of emerging threats and protect their valuable assets effectively.

Response to "Analyzing Authentication Methods in Azure: Insights from Azure Active Directory Audit Logs"

1. nice
