title | description | author | manager | ms.service | ms.topic | ms.subservice | ms.date | ms.author | ms.reviewer |
---|---|---|---|---|---|---|---|---|---|
Authentication prompts analysis workbook |
Learn how to use the authentication prompts analysis workbook in Microsoft Entra ID to investigate users getting too many MFA prompts. |
shlipsey3 |
amycolannino |
entra-id |
how-to |
monitoring-health |
03/05/2024 |
sarahlipsey |
sarbar |
As an IT Pro, you want the right information about authentication prompts in your environment so you can detect unexpected prompts and investigate further. Providing you with this type of information is the goal of the Authentication Prompts Analysis workbook.
[!INCLUDE workbook prerequisites]
Have you recently heard of complaints from your users about getting too many authentication prompts?
Overprompting users can affect your user's productivity and often leads users getting phished for MFA. To be clear, MFA is essential! We aren't talking about if you should require MFA but how frequently you should prompt your users.
Typically, this scenario is caused by:
- Misconfigured applications
- Over aggressive prompts policies
- Cyber-attacks
The authentication prompts analysis workbook identifies various types of authentication prompts. The types are based on different pivots including users, applications, operating system, processes and more.
You can use this workbook in the following scenarios:
- You received aggregated feedback of too many prompts.
- To detect over prompting attributed to one specific authentication method, policy application, or device.
- To view authentication prompt counts of high-profile users.
- To track legacy TLS and other authentication process details.
-
Sign in to the Microsoft Entra admin center using the appropriate combination of roles.
-
Browse to Identity > Monitoring & health > Workbooks.
-
Select the Authentication Prompts Analysis workbook from the Usage section.
This workbook breaks down authentication prompts by:
- Method
- Device state
- Application
- User
- Status
- Operating System
- Process detail
- Policy
In many environments, the most used apps are business productivity apps. Anything that isn’t expected should be investigated. The following charts show authentication prompts by application.
The prompts by application list view shows additional information such as timestamps, and request IDs that help with investigations.
Additionally, you get a summary of the average and median prompts count for your tenant.
This workbook also helps track impactful ways to improve your users’ experience and reduce prompts and the relative percentage.
Take advantage of the filters for more granular views of the data:
Filtering for a specific user that has many authentication requests or only showing applications with sign-in failures can also lead to interesting findings to continue to remediate.
-
If data isn't showing up or seems to be showing up incorrectly, confirm that you have set the Log Analytics Workspace and Subscriptions on the proper resources.
-
If the visuals are taking too much time to load, try reducing the Time filter to 24 hours or less.
-
To understand more about the different policies that affect MFA prompts, see Optimize reauthentication prompts and understand session lifetime for Microsoft Entra multifactor authentication.
-
To learn how to move users from telecom-based methods to the Authenticator app, see How to run a registration campaign to set up Microsoft Authenticator - Microsoft Authenticator app.