Azure Login Explicitly Denied MFA

Set up the azure integration.


Detect and identify the network IP address when multiple user accounts failed to complete the MFA process.


Monitor Azure Active Directory Sign-in logs and detect when any @evt.category is equal to SignInLogs, @properties.authenticationRequirement is equal to multiFactorAuthentication and @evt.outcome is equal to failure.

Triage and response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.