MFA Failures Audit Report

Note: The information in the MFA Failures Audit report was previously available as the Identity Verification Failures Report. You can migrate the existing data from the Identity Verification Failures Report to the new MFA Failures Report to consolidate and display all the MFA failure entries from all configured domains.Click here for the migration steps.

The MFA Failures Audit Report displays details of every failed MFA attempt, providing administrators with critical security intelligence to detect and respond to potential attacks. It displays information such as the username, time of the MFA attempt, the policy the user is assigned to, the time of MFA failure, the endpoint type MFA was attempted from, the number of MFA attempts, the IP address of the machine, and the type of MFA attempted. This specialized report focuses exclusively on authentication failures to help identify security risks like brute-force and dictionary attacks.

How it works

This report queries the ADSelfService Plus database to retrieve comprehensive data on all failed MFA authentication attempts across all endpoints and applications. Consolidated MFA failure data from various sources including login agents, VPN, OWA, and self-service portals is presented, providing a unified view of authentication security issues.

Limitation: Account unlocks performed through the ADSelfService Plus web portal, mobile app, or other methods will not appear in this report. To view account unlock data from other ADSelfService Plus interfaces, you must use the Unlock Account Audit Report.

Prerequisite: You must have administrator or technician-level access to the ADSelfService Plus portal to generate and view reports.

Generating the MFA Failures Audit Report

To generate the MFA Failures Audit Report,

Log into the ADSelfService Plus admin portal with administrator or operator privileges.
Navigate to Reports > MFA Reports > MFA Failures Audit Report.
Specify the domain you'd like to search within using the Select Domain option.
Specify OUs using the Select OUs option, if needed.
The Period drop-down menu can be used to specify the period for which to generate reports. Options include Today, Yesterday, Last 7 days, Last 30 days, This month, and Custom Period.
Click Generate.

Customizing the MFA Failures Audit Report

MFA failures audit report in ADSelfService Plus

Adding or removing columns: To add or remove columns, click the Add/Remove Columns [] option at the far-right side of the report page. In the Select the columns to be displayed pop-up that appears, select the required fields under Available Columns and click the right arrow [>>] to move it to Selected Columns. To remove columns, select the unused fields under Selected Columns and click the left arrow [<<] to move it to Available Columns.
Ordering the columns: The columns' positions can also be altered by selecting a value under Selected Columns and using the Up and Down buttons to change its position.

Advanced filtering

Once the report is generated, the entries can be narrowed-down based on the following parameters by clicking the Advanced Filter [] icon at the far-right of the report:

Attempted From: This option lets you display results by the name of the endpoint MFA was attempted from. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
IP Address: This option lets you display results by IP address. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
Attempted Action: The report entries can be narrowed down based on the MFA action attempted or excluding a certain action. The actions available to refine this include ADSelfService Login, Machine Login, OWA Login, Reset Password, and SSO Application Login.
Authenticator: The report entries can be narrowed based on the authenticator with which MFA was attempted. You can do this by specifying or excluding a particular authenticator.
Access Mode: The report entries can be narrowed based on the type of device MFA was attempted from. You can do this by specifying or excluding a particular device type.
Policy Name: This option lets you narrow down the MFA attempts by policy name. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.

Sorting

Click any of the column headers (except the Authenticator column) to view the report's entries in ascending or descending order.

Searching

Click the search icon [] to search for specific data in the report.
Specific users can be searched for using attributes such as the username, policy name, IP address, and type of endpoint MFA was attempted from.

Searching happens using the criteria contains. For example, if the username column is searched for the word jack, then all usernames containing the sequence jack will be displayed as a result.

Migrating to the MFA Failures Audit Report

Existing information from the Identity Verification Failures Report can be migrated to the MFA Failures Audit Report to receive a single, unified view of MFA failure incidents across all the domains configured in ADSelfService Plus.

Migration can be performed by domain-based super admins as well as product-based super admins. If a domain-based super-admin migrates data from the Identity Verification Failures report to the MFA Failures Audit Report, all the MFA failure records across all configured domains will be migrated.

Note: Only the identity verification failure audit data for the last three months will be migrated to the MFA Failures Audit Report.

To migrate existing information from the Identity Verification Failures Report to the MFA Failures Audit Report,

Filtering the MFA failures audit report in ADSelfService Plus

Log into ADSelfService Plus with super admin credentials and navigate to Reports > MFA Reports > MFA Failures Audit Report.
Click the Identity Verification Failure Report link at the top-right of the report.

Migrating to the MFA failures audit report in ADSelfService Plus

The Identity Verification Failures report will load. Click Migrate Now at the top-right of the report.
Click Migrate Now in the pop-up that is displayed.

Your data will now be migrated to the new MFA Failures Report.

Note: The Identity Verification Failure Report can be viewed by clicking the Identity Verification Failure link at the right of the MFA Failures Audit Report. This link will be displayed as long as the data used to populate the report exists. However, if the older data gets erased, the Identity Verification Failure link will not be displayed.

Automating the MFA Failures Audit report

The Schedule Reports option can be used to schedule the generation of reports at specified intervals and automatically email them to administrators or specific email addresses. Learn how to schedule reports here.

Exporting the MFA Failures Audit report

The Export As option at the right corner of the page helps export the report in CSV, PDF, XLS, XLSX, HTML, and CSVDE formats.

Tips

The More option at the right corner of the page lists the Printable View, Send Mail, and Export Settings options.
- The Printable View option can be used to preview and print the report.
- The Send Mail option can can be used to email the report to the desired email addresses.
- Additionally, you can configure custom Export Settings, such as a personalized title for the report and a header logo that you may wish to display on each page.
Fortify Conditional Access policies: When the report reveals concentrated MFA failures from specific IP ranges or geolocations, you can quickly create or modify Conditional Access rules to block those sources or enforce stricter authentication requirements.

The Schedule Reports option at the top-right corner of the page can be used to schedule the generation of reports at specified intervals to set up an automated scheduler. Learn to schedule reports here.