Backup Code Usage Report

    The Backup Code Usage Report includes information about every time a backup code is generated or used for identity verification. It displays details such as the username, the timestamp, the policy the user is assigned to, the endpoint, the machine's IP address, the status of the action (success or failure), and the entity the action was initiated by (user or admin).

    How it works

    This report queries the ADSelfService Plus database to retrieve detailed records of all backup code activities across the organization. Backup codes serve as emergency authentication methods when users' primary MFA devices are unavailable. The report tracks two key activities:

    • Code generation (when administrators create one-time backup codes for users)
    • Code usage (when users authenticate using these codes)

    Prerequisite: You must have administrator or technician-level access to the ADSelfService Plus portal to generate and view reports.

    Generating the Backup Code Usage Report

    Backup Code Usage Report

    To generate the Backup Code Usage Report:

    1. Log in to the ADSelfService Plus admin portal with administrator or operator privileges.
    2. Navigate to Reports > MFA Reports > Backup Code Usage Report.
    3. Specify the domain in which to search using the Select Domain option.
    4. Specify OUs (if necessary) using the Select OUs option.
    5. Click Generate to generate the report.

    Customizing the Backup Code Usage Report

    • Adding or removing columns: To add or remove columns, click on the Add/Remove Columns [ ] option at the far right of the report. In the Select the columns to be displayed pop-up that appears, select the required fields under Available Columns and click on the right arrow ( >> ) to move it to the Selected Columns. To remove columns, select the unused fields under Selected Columns and click on the left arrow ( << ) to move it to Available Columns.
    Backup code usage report in ADSelfService Plus
    • Ordering the columns: The columns' positions can also be altered by selecting a value under Selected Columns and using the Up and Down options to change its position.

    Advanced filtering

    Once the report is generated, the entries can be narrowed down based on the following parameters by clicking the Advanced Filter [ ] icon at the far-right side of the report page.

    Customizing the backup code usage report in ADSelfService Plus

    IP Address: Use this option to narrow down the report entries by IP address. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.

    Attempted From: Use this option to narrow-down the report entries based on the name of the machine the action was attempted from. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.

    Policy Name: This option lets you display results by policy name. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.

    Action at Module: Entries can be narrowed down based on if the backup code has been generated or used.

    Module: This option can be used to display MFA attempts made to specific resources using the backup code.

    Access Mode: The sub-options available under Access Mode include Desktop Site, Mobile Site, iOS App, Android App, Windows Login Agent, macOS Login Agent, and Linux Login Agent.

    Status: Entries can be narrowed down by whether the backup code usage status was a Success or a Failure.

    Sorting

    Click on any of the column headers to view the report's entries in ascending or descending order.

    Searching

    • Click on the search icon [ ] in order to search for specific data in the report.
    • Specific users can be searched for using attributes such as their sAMAccountName, or Display Name.
    • Searching happens using the criteria ' contains '. For example, if the username column is searched for the word " jack " , then all usernames containing the sequence " jack " will be displayed as a result.

    Automating the Backup Code Usage Report

    • The Schedule Reports option can be used to schedule the generation of reports at specified intervals, and automatically email them to administrators or specific email addresses. Learn to schedule reports here.

    Exporting the Backup Code Usage Report

    • The Export As option at the right corner of the page helps export the report in CSV, PDF, XLS, XLSX, HTML and CSVDE formats.

    Tips

    • The More option at the right corner of the page lists the Printable View, Send Mail, and Export Settings options.
      • The Printable View option can be used to preview and print the report.
      • The Send Mail option can be used to mail the report to the desired email addresses.
      • Additionally, you can configure custom Export Settings, such as a personalized title for the report and a header logo that you may wish to display on each page.
    • Monitor backup code usage for security incidents: Filter by Action at Module: Used to identify when users are authenticating with backup codes. Frequent backup code usage by the same user may indicate they've lost their primary authenticator and need assistance re-enrolling, or worse, their account credentials have been compromised.