Azure AD authentication methods, MFA and SSPR insights and reports
We’ve been rolling out MFA (Multi-Factor authentication) and SSPR (Self-Service Password Reset) for many customers last couple of years. It often takes time and requires preparations but done right it will succeed and once finished they users get used to it just as they get used logging in using MFA to their bank.
During the deployment, you as admin did not really have much insight how the deployment was going. To get answers such as the following was not an easy task which required either PowerShell or even not possible:
- How many users have registered?
- What method – mobile phone text message, app code, app notification (which we prefer and recommend) do they use?
- When registering, how many fail and for what reason?
- Does anyone actually use SSPR to reset their password?
Well, Microsoft just released a preview of Authentication Methods – Usage & Insights. You will find it in portal.azure.com > Azure Active Directory > Usage & insights > Authentication methods activity.
First page is an overview showing how many users are registered for MFA and SSPR.
You can click the links to get additional details on each user and what methods they have registered. Also note the red in the cart which indicated there are users who failed registering. It’s a good idea to investigate why they fail.
In the Usage link you can see users who have performed self-service password reset to make sure the users are actually using the solutions you implement.
Clicking this chart gives you some detaile of which users, if they succeeded or failed and using which method.
I’ve been waiting a long time for these reports. I think there is still some work to be done, for example I’d like to see a pie chart of which methods are used as a primary authentication method since we recommend all users to use App Notification using the Authenticator App for best user experience.
I’d also like to see that they calculate the number of users better. Even though in the above example shows 71 our of 867 has registered for MFA, that might not be as bad as it looks since you always have a lot of disabled, guest, shared mailboxes which might never get registred for MFA.