KQL Sign-Ins: Authentication Methods Used
KQL query for the SigninLogs table that lists, per member user, the authentication methods used over the last day.
SigninLogs
| where TimeGenerated > ago(1d)
// Optional filters: uncomment one to scope the query to specific users
//| where UserPrincipalName startswith 'christopher.'
//| where UserPrincipalName =~ 'user@domain.com'
| where UserType == 'Member'
// Expand AuthenticationDetails to one row per authentication step
| mv-expand todynamic(AuthenticationDetails)
| extend ['Authentication Method'] = tostring(AuthenticationDetails.authenticationMethod)
// Drop the "Previously satisfied" placeholder and steps with no method recorded
| where ['Authentication Method'] !in ("Previously satisfied")
| where isnotempty(['Authentication Method'])
| summarize
    ['Authentication Methods Used'] = make_set(['Authentication Method'])
    by UserPrincipalName
| sort by UserPrincipalName asc
// Example output:
// | UserPrincipalName     | Authentication Methods Used            |
// |-----------------------|----------------------------------------|
// | john.smith@domain.com | ["Password","Mobile app notification"] |