MFA Usage for Machines/VPN/OWA

    The MFA Usage for Machines/VPN/OWA report details how users employ multi-factor authentication when accessing Windows, macOS, or Linux machines—covering logins, password resets, and account unlocks—as well as during OWA and VPN logins. It includes the username, time of attempt, applied policy, action type, endpoint source, machine IP address, and attempt status. This enables administrators to monitor and secure critical access points across the organization's infrastructure.

    • How it works
    • Generating the MFA Usage for Machines/VPN/OWA Report
    • Customizing the MFA Usage for Machines/VPN/OWA Report
    • Automating the MFA Usage for Machines/VPN/OWA Report generation
    • Exporting the MFA Usage for Machines/VPN/OWA Report
    • Tips

    How it works

    This report queries the ADSelfService Plus database to retrieve MFA authentication data specifically from Windows, macOS, or Linux login screens, as well as VPN and OWA logins. It provides specialized visibility into authentication patterns across these critical endpoints rather than general application logins.

    Limitation: This report does not include MFA data for other endpoints such as cloud or web application logins. To view MFA data for other endpoints and actions, administrators must use the MFA Usage Audit Report.

    Prerequisite: You must have administrator or technician-level access to the ADSelfService Plus portal to generate and view reports.

    Generating the MFA Usage for Machines/VPN/OWA Report

    To generate the MFA Usage for Machines/VPN/OWA report:

    MFA Usage for Machines/VPN/OWA
    1. Log in to the ADSelfService Plus admin portal with administrator or operator privileges.
    2. Navigate to Reports.
    3. Click MFA Reports > MFA Usage for Machines/VPN/OWA.
    4. Specify the domain in which to search using the Select Domain option.
    5. Specify OUs (if necessary) using the Select OUs option.
    6. The Period drop-down menu can be used to specify the period for which to generate reports. Options include Today, Yesterday, Last 7 days, Last 30 days, This month, and Custom Period.
    7. Click Generate to generate the report.

    The Status column displays if the MFA status of each attempt was a Success or a Failure. Incomplete verification attempts are also displayed. Click Details in the Authenticator column to display all the authenticators used for the MFA attempt, including each of their MFA statuses.

    Customizing the MFA Usage for Machines/VPN/OWA Report

    MFA Usage for Machines/VPN/OWA report in ADSelfService Plus
    • Adding or removing columns: To add or remove columns, click the Add/Remove Columns [] option at the far-right side of the report page. In the Select the columns to be displayed pop-up that appears, select the required fields under Available Columns and click the right arrow [>>] to move it to Selected Columns. To remove columns, select the unused fields under Selected Columns and click the left arrow [<<] to move it to Available Columns.
    • Ordering the columns: The columns' positions can also be altered by selecting a value under Selected Columns and using the Up and Down buttons to change its position.

    Advanced filtering

    Once the report is generated, the entries can be narrowed-down based on the following parameters by clicking the Advanced Filter [] icon at the far-right of the report:

    Customizing MFA Usage for Machines/VPN/OWA report in ADSelfService Plus
    • Attempted From: This option lets you display results by the name of the endpoint MFA was attempted from. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
    • IP Address: This option lets you display results by IP address. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
    • Status: Entries can be narrowed down by whether MFA was a Success or a Failure, or if MFA was Incomplete.
    • Attempted Action: The report entries can be narrowed down based on the MFA action attempted or excluding a certain action. The actions available to refine this include ADSelfService Login, Machine Login, OWA Login, Reset Password, and SSO Application Login.
    • Authenticator: The report entries can be narrowed based on the authenticator with which MFA was attempted. You can do this by specifying or excluding a particular authenticator.
    • Access Mode: The report entries can be narrowed based on the type of device MFA was attempted from. You can do this by specifying or excluding a particular device type.
    • Policy Name: This option lets you narrow down the MFA attempts by policy name. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.

    Sorting

    Click any of the column headers (except the Status and Authenticator columns) to view the report's entries in ascending or descending order.

    Searching

    • Click the search icon [] to search for specific data in the report.
    • Specific users can be searched for using attributes such as the username, policy name, IP address, and type of endpoint MFA was attempted from.
    • Searching happens using the criteria contains. For example, if the username column is searched for the word jack, then all usernames containing the sequence jack will be displayed as a result.

    Automating the MFA Usage for Machines/VPN/OWA Report

    The Schedule Reports option can be used to schedule the generation of reports at specified intervals and automatically email them to administrators or specific email addresses. Learn how to schedule reports here.

    Exporting the MFA Usage for Machines/VPN/OWA Report

    The Export As option at the right corner of the page helps export the report in CSV, PDF, XLS, XLSX, HTML, and CSVDE formats.

    Tips

    • The More option at the right corner of the page lists the Printable View, Send Mail, and Export Settings options.
      • The Printable View option can be used to preview and print the report.
      • The Send Mail option can can be used to email the report to the desired email addresses.
      • Additionally, you can configure custom Export Settings, such as a personalized title for the report and a header logo that you may wish to display on each page.
    • Troubleshooting aid: When users report issues with machine or VPN access, search for their username in the report to see the detailed status and authenticator used for each attempt, significantly speeding up troubleshooting.

    The Schedule Reports option at the top-right corner of the page can be used to schedule the generation of reports at specified intervals to set up an automated scheduler. Learn to schedule reports here.