Successful and unsuccessful multi-factor authentication events are centrally logged.

Property	Value
ISM Control	ISM-1683
Revision	2
Updated	Dec-23
Guideline	Not provided
Section	Authentication hardening
Topic	Multi-factor authentication
Essential Eight	ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

Centralized logging of successful and unsuccessful Microsoft Entra MFA events enables auditing, monitoring, and rapid incident response. Entra ID logs can be forwarded to a Log Analytics workspace via Diagnostic Settings for long-term retention and centralized analysis.¹²

Justification

Centralised logging of MFA events is essential for early detection of:

Credential stuffing / spray attacks — repeated authentication failures across many accounts.
MFA fatigue attacks — an attacker who already has a password repeatedly triggers push notifications hoping the user approves one.
Account compromise follow-up — successful sign-ins from impossible travel locations or anonymous IPs immediately after a failed MFA series.

Without centralised retention you have no ability to conduct retrospective forensic investigations or satisfy PSPF auditing obligations. The minimum 1-year retention (requiring Audit Premium / E5 licensing) satisfies the ISM event log requirement. For AFDA Express PSPF record-keeping obligations — typically 7 years for security administration records under class 62625 — the 10-Year Audit Log Retention per-user add-on licence is required in addition to an E5 licence.

Design Decision

[!NOTE] The 7 year retention log policy will be applied to the Microsoft 365 Unified Audit log. The 10-Year Audit Log licences will be enabled and group based assignment will be applied so that all enabled accounts automatically receive these licences, and Entra ID Diagnostic Settings will be configured to save all logs to a log analytics workspace.

Prerequisites

Permissions/Roles:
- Access to the Microsoft Entra admin center with at least the Security Administrator role to configure diagnostic settings and access log data. ¹
Dependencies:
- A Log Analytics workspace in Azure to receive and query Entra ID activity logs. ¹
- Access to Entra ID Monitoring & health > Diagnostic settings to stream selected logs to the Log Analytics workspace. ¹
- Entra logs are forwarded to a Log Analytics workspace for long-term secure retention. ²

Implementation Steps

Configure Entra ID Diagnostic Settings to Save All Logs to a Log Analytics Workspace

Sign in to the Microsoft Entra admin center as a Security Administrator. ¹
Create a Log Analytics workspace. ¹
Browse to Entra ID > Monitoring & health > Diagnostic settings. ¹
Choose the logs you want to stream, select the Send to Log Analytics workspace option, and complete the fields. ¹
Browse to Entra ID > Monitoring & health > Log Analytics and begin querying the data. ¹

Licensing and Retention Policy Guidance

License requirements for extended audit-log retention:

Retention duration	Licensing requirement
180 days (default; was 90 days before October 17, 2023)	Any Microsoft 365 subscription — Audit (Standard) included in all plans
Up to 1 year	Microsoft 365 E5 / Office 365 E5 / Microsoft 365 E5 Compliance add-on / E5 eDiscovery & Audit add-on — requires Audit (Premium)
3, 5, 7, or 10 years	Audit (Premium) (E5) plus the Microsoft Purview 10-Year Audit Log Retention per-user add-on licence

[!WARNING] E3 licensing provides Audit (Standard) only — 180-day retention maximum. E3 does not include Audit (Premium) and cannot be extended beyond 180 days without upgrading to E5 or adding the E5 Compliance / E5 eDiscovery & Audit licences.

E5 without the 10-Year add-on cannot exceed 1-year retention. The 3, 5, and 7-year retention period options in the policy UI all require the 10-Year Audit Log Retention add-on, not just the 10-year option.

Steps to configure 10-year retention:

Assign each in-scope user both a Microsoft 365 E5 (or Microsoft 365 E5 Compliance) license and the 10-Year Audit Log Retention add-on in the Microsoft 365 admin center.³
In the Microsoft Purview portal, navigate to Audit > Audit retention policies > Create audit retention policy.
Set the workload to Entra ID (or “All activities”), the users to the in-scope population, and the duration to 10 years.
Confirm the policy is Published and Active; retention only applies to events generated after the policy takes effect.³

[!IMPORTANT] Without the 10-Year add-on, the maximum selectable retention period is 1 year. The add-on is required to unlock the 3, 5, 7, and 10-year options in the policy UI. Assign the add-on licence to all in-scope users before creating the retention policy — the policy is not retroactive.

View and Query Entra ID Logs for MFA Events

Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. ⁴
Browse to Entra ID > Users from the menu on the left. ⁴
From the menu on the left, select Sign-in logs. ⁴
A list of sign-in events is shown; you can select an event to view more details. ⁴
The Authentication Details tab provides MFA related information, including authentication method details and policy triggers. ⁴

KQL queries for MFA events in Log Analytics

The SigninLogs table in Azure Log Analytics contains detailed MFA authentication data.

Successful MFA events:

SigninLogs
| where TimeGenerated >= ago(30d)
| where ResultType == 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| mv-expand AuthenticationDetails = todynamic(AuthenticationDetails)
| where AuthenticationDetails.succeeded == true
| extend MFA_Method = tostring(AuthenticationDetails.authenticationMethod)
| where MFA_Method != "Previously satisfied"
| project TimeGenerated, UserPrincipalName, IPAddress, MFA_Method, Result = "Success"

Failed MFA events:

SigninLogs
| where TimeGenerated >= ago(30d)
| where ResultType != 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| mv-expand AuthenticationDetails = todynamic(AuthenticationDetails)
| extend MFA_Method = tostring(AuthenticationDetails.authenticationMethod)
| extend FailureReason = tostring(ResultDescription)
| where MFA_Method != "Previously satisfied"
| project TimeGenerated, UserPrincipalName, IPAddress, MFA_Method, FailureReason, Result = "Failure"

ASD Blueprint for Authentication hardening describes design guidance for MFA deployment and long-term log retention ASD Blueprint: Authentication hardening
ASD Blueprint for Multi-factor authentication outlines Essential Eight MFA controls and deployment considerations ASD Blueprint: Multi-factor authentication
Configure Essential Eight MFA sign in logs provides guidance on logging and monitoring MFA events Configure Essential Eight MFA sign in logs
Security operations for privileged accounts in Microsoft Entra ID explains monitoring of privileged sign-ins and MFA events Security operations for privileged accounts in Microsoft Entra ID
Plan a Microsoft Entra multifactor authentication deployment covers planning, monitoring, and reporting for MFA deployment Plan a Microsoft Entra multifactor authentication deployment
Achieve ACSC Essential Eight MFA Maturity Level 2 outlines MFA requirements for maturity level 2 Achieve ACSC Essential Eight MFA Maturity Level 2

🛡️ Essential 8 Guide