We are trying to pull in User Authentication Methods into Splunk from Azure. We get all of the other sign-in information but not the Authentication method. In Azure AuthenticationMethod tells us if someone has used Windows Hello for Business to authenticate through Windows Sign-in. I see this line in the default props for the TA-MS-AAD:
FIELDALIAS-ms_aad_sign_in_authentication_authentication_method = authenticationDetails{}.authenticationMethod as authentication_method
We have also enabled the permissions for UserAuthenticationMethod.ReadAll in the necessary Azure app but we are not seeing the data in the azure index. We get all of the other sign-in information but not the authentication_method. There isn't even a NULL field. It just doesn't exist.
Am I doing something wrong or is what I am asking not possible.
We are trying to pull in User Authentication Methods into Splunk from Azure. We get all of the other sign-in information but not the Authentication method. In Azure AuthenticationMethod tells us if someone has used Windows Hello for Business to authenticate through Windows Sign-in. I see this line in the default props for the TA-MS-AAD:
FIELDALIAS-ms_aad_sign_in_authentication_authentication_method = authenticationDetails{}.authenticationMethod as authentication_method
We have also enabled the permissions for UserAuthenticationMethod.ReadAll in the necessary Azure app but we are not seeing the data in the azure index. We get all of the other sign-in information but not the authentication_method. There isn't even a NULL field. It just doesn't exist.
Am I doing something wrong or is what I am asking not possible.