Query for user MFA fraud reports on Entra ID - Workflow Template

On a schedule, query the Entra ID audit logs for fraud reports from users who declined an MFA request in the Microsoft Authenticator app.

Updated over 2 months ago

This Torq workflow template empowers organizations to proactively detect potential security threats by automating the monitoring of MFA fraud reports within Microsoft Entra ID. It structures a process where, on a regular schedule, the system queries Entra ID audit logs for MFA fraud reports, specifically targeting incidents where users declined MFA requests. The workflow aggregates events by user, creating a comprehensive history of attempts which is then methodically documented in a new and dedicated Torq case. This template is vital for Identity and Access Management, ensuring vigilant oversight and swift response to compromised user credentials or attempted security breaches.

Use Cases

Identity and Access Management

Workflow Breakdown

  1. Set and update a Global Variable for the time checkpoint if one does not already exist.

  2. Pull all audit logs filtered by MFA events.

  3. Group all events by user.

  4. Document the history of attempts in a new Torq case.
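
The four steps above, sketched outside Torq as an added example (this is not the template's own logic). It assumes records shaped like Microsoft Graph `directoryAudit` objects, fraud reports identified by the two `activityDisplayName` values listed in the code, and the affected user taken from `targetResources[0].userPrincipalName`; the events and the helper names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: activity names that mark an MFA fraud report in the audit log.
FRAUD_ACTIVITIES = {
    "Fraud reported - user is blocked for MFA",
    "Fraud reported - no action taken",
}

def make_event(ts, activity, upn=None):
    """Build a constructed record shaped like a Graph directoryAudit object."""
    targets = [{"userPrincipalName": upn}] if upn else []
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "targetResources": targets}

SAMPLE_EVENTS = [  # constructed data, not real log output
    make_event("2024-05-01T08:15:00Z", "Fraud reported - user is blocked for MFA", "alice@example.com"),
    make_event("2024-05-01T08:40:00Z", "Fraud reported - no action taken", "alice@example.com"),
    make_event("2024-05-01T07:30:00Z", "Fraud reported - user is blocked for MFA", "bob@example.com"),
    make_event("2024-05-01T08:20:00Z", "Update user", "carol@example.com"),
    make_event("2024-05-01T09:05:00Z", "Fraud reported - user is blocked for MFA", "bob@example.com"),
    make_event("2024-05-01T08:50:00Z", "Fraud reported - no action taken"),  # no target user
]

def parse_ts(value):
    """Parse a UTC timestamp such as 2024-05-01T08:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def collect_fraud_reports(events, checkpoint):
    """Steps 2-3: keep fraud reports newer than the checkpoint, grouped by user."""
    by_user, newest = defaultdict(list), checkpoint
    for ev in events:
        ts = parse_ts(ev["activityDateTime"])
        if ev.get("activityDisplayName") not in FRAUD_ACTIVITIES or ts <= checkpoint:
            continue
        targets = ev.get("targetResources") or [{}]
        user = targets[0].get("userPrincipalName") or "unknown"
        by_user[user].append(ts)
        newest = max(newest, ts)  # step 1: the next run starts after the newest event seen
    return {u: sorted(t) for u, t in by_user.items()}, newest

def case_summary(by_user):
    """Step 4: one line per user, suitable for a case description."""
    return [f"{u}: {len(t)} report(s), first {t[0].isoformat()}, last {t[-1].isoformat()}"
            for u, t in sorted(by_user.items())]

if __name__ == "__main__":
    start = parse_ts("2024-05-01T08:00:00Z")
    grouped, checkpoint = collect_fraud_reports(SAMPLE_EVENTS, start)
    print("\n".join(case_summary(grouped)), "\nnext checkpoint:", checkpoint.isoformat())
```

Advancing the checkpoint to the newest event time rather than the run time means a second run over the same window produces no duplicate case entries.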

Vendors

Utils, HTTP, Microsoft Azure AD, Microsoft 365, Torq, Torq Cases
