Skip to main content
All CollectionsTemplatesIntermediate
Query for user MFA fraud reports on Entra ID - Workflow Template
Query for user MFA fraud reports on Entra ID - Workflow Template

On schedule, query the Entra ID audit logs for fraud reports from users who declined an MFA request on the Microsoft Authenticator App.

Updated over a month ago

This Torq workflow template empowers organizations to proactively detect potential security threats by automating the monitoring of MFA fraud reports within Microsoft Entra ID. It structures a process where, on a regular schedule, the system queries Entra ID audit logs for MFA fraud reports, specifically targeting incidents where users declined MFA requests. The workflow aggregates events by user, creating a comprehensive history of attempts which is then methodically documented in a new and dedicated Torq case. This template is vital for Identity and Access Management, ensuring vigilant oversight and swift response to compromised user credentials or attempted security breaches.

Take Me to the Template

Use Cases

Identity and Access Management

Workflow Breakdown

  1. Set and update a Global Variable for the time checkpoint if one does not already exist.

  2. Pull all audit logs filtered by MFA events.

  3. All events are grouped by user.

  4. Attempts history will be documented in a new Torq case.

Vendors

Utils, HTTP, Microsoft Azure AD, Microsoft 365, Torq, Torq Cases

Related Articles
Disable and Contain a Specific User in Entra ID (ex-Azure AD) - Workflow Template
Add/Remove Entra ID User from Global Address List (ex-Azure AD) - Workflow Template
Reset Direct Manager reference for an Entra ID user (ex-Azure AD) - Workflow Template
Reset Entra ID (ex-Azure AD) MFA Methods and Password on a User - Workflow Template
Verify Entra ID (ex-Azure AD) Audit Sign-Ins from Allowed Regions - Workflow Template
Did this answer your question?