This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 25%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIC%3C/text%3E%3C/svg%3E)
Hi folks,
I'd like to send an email to my admin team when a user in my org adds a new authentication method. These events appear in the Azure portal in: Azure Active Directory > Security > Authentication Methods > Registration & reset events. If a hacker can compromise an MFA-enabled account, then adding another device is a frequent action I've read, so I'd like to alert on that. I have used the method of streaming audit logs to an analytics workspace and setting up an alert rule to email, but here I'm not sure if these authentication methods logs can be streamed to an analytics workspace. I'm not sure what category of log to stream in Azure Active Directory > Diagnostic Settings. Can anyone propose a method of accomplishing this? Thanks!
You're on the right path, the category you need is the generic AuditLogs one.
An alternative is using MDCA's activity policies as detailed here: https://video2.skills-academy.com/en-us/defender-cloud-apps/user-activity-policies
Hi Vasil, and thanks for the response. I did finally manage to get this done using the Auditlogs, but out of curiousity read your article on activity policies, as this seems a cleaner, more user friendly approach rather than log analysis. However, this method seems opaque as well. I tried creating an activity policy, but had trouble knowing what to filter on. In the 'Select a filter' dropdown, you have various options such as 'Action type', 'Activity ID', 'Activity objects' & 'Activity type'. I looked through the filter matches available for each of these but got nowhere. How can I find out what these parameters are for the activity\action I'm trying to alert are (ie. change of auth method)? Is there a master list of these somewhere? Can they be identified in some way from the log entries I've located? How to proceed?
There's no full documentation, afaik. Best thing to do is review the Activity log, filter it out to show only the events you care about and use the New policy from search button to create the activity policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 45%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
I have spent the past couple days working on this. In Entra Admin -> Protection -> Authentication Methods -> Registration and reset events: You can see the registration events but this doesn't seem to be updated in realtime. I've created new mfa methods and they are not reflected there for secondary mfas the primary. Meanwhile under User registration details it shows it.
In the Cloud App activity log I am struggling to see anything regarding MFA registration other than the Failed log on (Failure message: Strong Authentication is required) on the first login if MFA isn't setup yet.
In regards to proper activity log for when users create a new MFA I've been struggling with this for a while. Best I can do is in conditional policies you can block access to the ability to create MFA. But would need to add users to that group. Was thinking of creating a group called MFA Created and dynamically adding all users that have an MFA, then run the conditional policy against it.. Not a very clean way of doing this but at the moment I can't seem to find a proper way of approaching this.
If you know of a specific way of doing this I would greatly appreciate it. Microsoft doesn't seem to have any method documented that I can find.