MFA Failures Report
ADSelfService Plus offers MFA security for various endpoints and self-service password reset and account unlock actions. MFA can be utilized through both workstations and mobile devices.
Note: The information in the MFA Failures report was previously available in the Identity Verification Failures Report. You can migrate the existing data from the Identity Verification Failures Report to the new MFA Failures Report to consolidate and display all the MFA failure enties from all configured domains. Click
here for the migration steps.
This information helps administrators handle security risks like brute force and dictionary attacks.
Report generation
You can generate the MFA Usage Audit Report by following these steps:
- Log into the ADSelfService Plus admin portal with Administrator or Operator privileges and navigate to Reports > MFA Reports > MFA Failures Report.
- Specify the domain using the Select Domain option.
- Specify OUs (if necessary) using the Select OUs option.
- The Period drop-down menu can be used to specify the time period for which to generate the reports. Options include Today, Yesterday, Last 7 days, Last 30 days, This month, and Custom Period.
- Click Generate to generate the report.
Report customization
- Adding or removing columns: To add or remove columns, click on the Add/Remove Columns[] option at the far right of the report. In the Select the columns to be displayed pop-up that appears, select the required fields under Available Columns and click on the right arrow [>>] to move it to the Selected Columns. To remove columns, select the unused fields under Selected Columns and click on the left arrow [<<] to move it to Available Columns.
- Ordering the columns: The columns' positions can also be altered by selecting a value under Selected Columns and using the Up and Down options to change its position.
Advanced Filtering
- Once the report is generated, the entries can be narrowed-down based on the following parameters by clicking on the Advanced Filter [] icon at the far right of the report
- Name: This option lets you narrow-down the failed MFA attempts by username. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
- Attempted from: This option lets you display results by the name of the machine the failed MFA action was attempted from. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
- IP Address: This option lets you display results by IP address. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
- Attempted Action:The report entries can be narrowed-down based on the MFA action attempted or excluding a certain action. The actions available to refine this include ADSelfService Login, Machine Login, OWA Login, Reset Password, SSO Application Login, and more.
- Authenticator: The report entries can be narrowed based on the authenticator MFA was attempted for. You can generate it by specifying or excluding a particular authenticator.
- Access Mode: The report entries can be narrowed based on the entity MFA was attempted from. You can generate it by specifying or excluding a particular entity type.The sub-options available under include Windows Login agent, macOS Login Agent, Linux Login Agent, VPN Login, OWA Login, and more.
- Policy Name: This option lets you narrow-down the failed MFA attempts by policy name. The conditions available to refine this include Contains, Does Not Contain, Equals, Is Not Equal To, Starts With, and Ends With.
- Status: Entries can be narrowed-down by whether MFA was a Success or a Failure, or if MFA was Incomplete.
Searching
- Click on the search icon[ ] in order to search for specific data in the report.
- Specific users can be searched for using their username, Policy Name, Attempted from and IP Address of the device MFA was attempted from.
- Searching happens using the criteria 'contains'. For example, if the username column is searched for the word "jack" , then all usernames containing the sequence "jack" will be displayed as a result.
Schedule Reports, Export As and More
- The Schedule Reports option can be used to schedule the generation of reports at specified intervals, and automatically email them to administrators or specific email addresses Learn to schedule reports here.
- The Export As option at the right corner of the page helps export the report in CSV, PDF, XLS, XLSX, HTML and CSVDE formats.
- The More option at the right corner of the page lists the Printable View, Send Mail, and Export Settings options.
- The Printable View option can be used to preview and print the report.
- The Send Mail option can be used to mail the report to the desired email addresses.
- Additionally, you can configure custom Export Settings, such as a personalized title for the report and a header logo that you may wish to display on each page.
Migrating to the MFA Failures Report
Existing information from the Identity Verification Failures Report can be migrated to the MFA Failures Report to get a single, unified view of MFA failure incidents across all the domains configured in ADSelfService Plus.
Migration can be performed by domain-based super admins as well as product-based super admins. If a domain-based super-admin migrates data from the Identity Verification Failures report to the MFA Failures report, all the MFA failure records across all configured domains will be migrated.
To migrate existing information from the Identity Verification Failures Report to the MFA Failures Report,
- Log into ADSelfService Plus with super admin credentials and navigate to Reports > MFA Reports > MFA Failures Report.
- Click on the Identity Verification Failure Report link at the top-right of the report.
- The Identity Verification Failures report will load. Click on Migrate Now at the top-right of the report.
- Click on Migrate Now in the pop-up that is displayed. Your data will now be migrated to the new MFA Failures Report.