MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Diagnostic settings to capture MFA Authentication activity report #50854

Closed AmyHDang-MSFT closed 4 years ago

AmyHDang-MSFT commented 4 years ago

When viewing activity under the Multifactor Authentication node, we are able to see data around RADIUS server authentication (the RADIUS server is using Azure MFA). However, this data is not viewable in the Azure AD sign-in logs. How can the Multifactor Authentication activity log information be collected into a Log Analytics workspace so it can be queried/stored?



BharathNimmala-MSFT commented 4 years ago

@NTDS Thank you for your query, our team will further look into it and get back to you at the earliest.

shashishailaj commented 4 years ago

@NTDS Every file that is present within the MFA Server logs has a specific format, but in most of the logs the delimiter is the character |. You can open the logs in an Excel file using the following steps. For example, below are most of the files that you will see in the Logs folder of the MFA Server installation folder: %Programfiles%\Multi-Factor Authentication Server\Logs

[screenshot omitted]

I will use MultiFactorAuthAdSyncSvc.log for this example. Open this log file in Excel.

[screenshot omitted]

When you try to open it, Excel will open a text import wizard.

[screenshot omitted]

Select Delimited in the above screen. Once you move to the next step, uncheck Tab in the delimiters list and click on Other. Type | (the pipe sign) as the delimiter. Once you do that, you will see something like below.

[screenshot omitted]

Click Next, and in this last step change the Column data format for the first column. Select the first column, which is the date, and select the YMD format, as that is the existing format in the file; then click Finish to complete the import.

[screenshot omitted]

Once the data is imported, insert a row at the top of the file and populate it with the details as below.

[screenshot omitted]

This is as per the fact that the MFA Server logs have this format, where the first section is the Timestamp and so on. Below is one line from the example log file.

2020-02-23T15:08:36.646084Z|i|2656|1740|pingPop|aff0e6af-35c3-4a8e-90ab-937c7a76a06e|Pinged.

Timestamp | LogLevel | ProcessID | ThreadID | Component/Service | Operational Message | Result (in some cases)

As you can see, the different fields are shown above, hence we need to create the first row, which serves as the category types in the Excel import. All the names are self-explanatory apart from the LogLevel values. The LogLevel field has 4 states.

Once you have made changes to the file, you can save it as a CSV file. This CSV file can be uploaded to an Azure Storage blob and imported into the Log Analytics workspace using the externaldata operator.

You can read more in the article https://cloudblogs.microsoft.com/industry-blog/en-gb/cross-industry/2019/08/13/azure-log-analytics-how-to-read-a-file/ .

Once you have the data in Log Analytics, you can query the logs as needed or make interactive reports using the Azure Monitor workbook functionality.

Hope this clarifies your query. Unfortunately there is no straightforward way to do this, but you could use an Azure Automation runbook along with PowerShell to get the MFA data for the users into a Log Analytics workspace and create reports from it. I have not done this, but technically, as far as I know, it is possible. You may have to do some trial and error before you can get it fully automated and working.

We will now close this issue. In case you have any further queries, please feel free to tag me in your reply, or if your query is not related to this issue, please feel free to open a new issue and we will be happy to help you with it.

Thank you.
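A scripted version of the Excel import described above, added here as an example and not part of the original thread: it converts a pipe-delimited MFA Server log into a CSV with the header row the comment describes, keeps the optional Result column, and tolerates a pipe inside that last field. Only the first sample line is the one quoted in the thread; the other two records are constructed.

```python
import csv
import io
from datetime import datetime

# Column names as listed in the comment; the 7th (Result) is present only on some lines.
HEADER = ["Timestamp", "LogLevel", "ProcessID", "ThreadID",
          "Component", "Message", "Result"]

# Constructed sample: the first line is the one quoted in the thread, the other
# two are made-up records in the same shape (assumed, not from a real server).
SAMPLE_LOG = """\
2020-02-23T15:08:36.646084Z|i|2656|1740|pingPop|aff0e6af-35c3-4a8e-90ab-937c7a76a06e|Pinged.
2020-02-23T15:09:01.000000Z|w|2656|1740|pingPop|Ping timeout|Retrying
2020-02-23T15:09:05.000000Z|e|2656|1741|adSync|Sync failed for OU=Users|Error 0x80004005 | see event log
"""


def parse_line(line):
    """Split one pipe-delimited record into a dict keyed by HEADER.

    The split stops after the 6th delimiter, so a '|' inside the Result
    field stays in Result instead of shifting columns. Blank lines -> None;
    records with fewer than six fields or a bad timestamp raise ValueError.
    """
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    parts = line.split("|", 6)
    if len(parts) < 6:
        raise ValueError(f"malformed record: {line!r}")
    parts += [""] * (len(HEADER) - len(parts))
    rec = dict(zip(HEADER, parts))
    # Validate the ISO-8601 UTC timestamp that the wizard step imports as YMD.
    datetime.strptime(rec["Timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return rec


def log_to_csv(text):
    """Return CSV text: header row first, then one row per log record."""
    rows = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(log_to_csv(SAMPLE_LOG))
```

The resulting CSV is what you would upload to the storage blob before reading it with externaldata.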

AmyHDang-MSFT commented 4 years ago

The instructions here are regarding MFA Server, which is not in use in this implementation. This implementation of RADIUS uses Azure MFA for the second factor, and this activity currently only shows up in the portal under Multifactor Authentication -> Activity Report.

Just want to confirm that what you are saying is that currently this information cannot be sent directly to Log Analytics or a storage account. You would have to download the CSV from the portal and then follow the steps you're discussing here, is that correct?

