piaudonn/MFA Enforcement Workbook.json

## MFA Enforcement Workbook.json
{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 1,
      "content": {
        "json": "# MFA Enforcement Dashboard\r\n\r\n1. Select the subscription where your workspace is.\r\n2. Select the workspace where your Entra ID Sign-In logs are.\r\n3. Select a time range (more than 14 days might take longer to display)\r\n4. Select all applications in the scope of the announcement or only specific applications.\r\n5. Display only successful connections (default) as failed connections are not indicative of actual accesses. "
      },
      "name": "TitleMd"
    },
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "crossComponentResources": [
          "{SubscriptionFilter}"
        ],
        "parameters": [
          {
            "id": "41a4872d-af4e-447b-9a01-dc72a127148b",
            "version": "KqlParameterItem/1.0",
            "name": "SubscriptionFilter",
            "label": "1. Subscription",
            "type": 6,
            "isRequired": true,
            "typeSettings": {
              "additionalResourceOptions": [],
              "includeAll": false
            },
            "timeContext": {
              "durationMs": 86400000
            },
            "value": ""
          },
          {
            "id": "27718185-ea82-45ae-968e-0c9fccd0169b",
            "version": "KqlParameterItem/1.0",
            "name": "WorkspaceFilter",
            "label": "2. Workspace",
            "type": 5,
            "isRequired": true,
            "query": "resources",
            "crossComponentResources": [
              "{SubscriptionFilter}"
            ],
            "typeSettings": {
              "resourceTypeFilter": {
                "microsoft.operationalinsights/workspaces": true
              },
              "additionalResourceOptions": [],
              "showDefault": false
            },
            "timeContext": {
              "durationMs": 86400000
            },
            "queryType": 1,
            "resourceType": "microsoft.resourcegraph/resources",
            "value": ""
          },
          {
            "id": "516c2ea5-4e6b-4b0f-8364-7bf6fc096109",
            "version": "KqlParameterItem/1.0",
            "name": "TimeRangeFilter",
            "label": "3. Time range",
            "type": 4,
            "isRequired": true,
            "typeSettings": {
              "selectableValues": [
                {
                  "durationMs": 3600000
                },
                {
                  "durationMs": 14400000
                },
                {
                  "durationMs": 86400000
                },
                {
                  "durationMs": 172800000
                },
                {
                  "durationMs": 259200000
                },
                {
                  "durationMs": 604800000
                },
                {
                  "durationMs": 1209600000
                },
                {
                  "durationMs": 2592000000
                },
                {
                  "durationMs": 5184000000
                },
                {
                  "durationMs": 7776000000
                }
              ]
            },
            "timeContext": {
              "durationMs": 86400000
            },
            "value": {
              "durationMs": 1209600000
            }
          },
          {
            "id": "d536fb11-3e5d-4a3a-9813-a840831bf6b7",
            "version": "KqlParameterItem/1.0",
            "name": "ApplicationFilter",
            "label": "4. Applications",
            "type": 2,
            "description": "Select one or more applications",
            "isRequired": true,
            "multiSelect": true,
            "quote": "'",
            "delimiter": ",",
            "typeSettings": {
              "additionalResourceOptions": [
                "value::all"
              ],
              "showDefault": false
            },
            "jsonData": "[\r\n\t{\r\n\t\t\"label\": \"Azure Portal\",\r\n\t\t\"value\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\"\r\n\t},\r\n\t{\r\n\t\t\"label\": \"Microsoft Azure CLI\",\r\n\t\t\"value\": \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\"\r\n\t},\r\n\t{\r\n\t\t\"label\": \"Microsoft Azure PowerShell\",\r\n\t\t\"value\": \"1950a258-227b-4e31-a9cf-717495945fc2\"\r\n\t}\r\n]",
            "timeContext": {
              "durationMs": 86400000
            },
            "defaultValue": "value::all",
            "value": [
              "value::all"
            ]
          },
          {
            "id": "1067e214-c17c-45b4-a643-cc62f4bab93f",
            "version": "KqlParameterItem/1.0",
            "name": "SuccessFilter",
            "label": "5. Show only success",
            "type": 10,
            "isRequired": true,
            "typeSettings": {
              "additionalResourceOptions": [],
              "showDefault": false
            },
            "jsonData": "[\r\n    {\r\n        \"value\":\"All\",\r\n        \"label\":\"False\"\r\n    },\r\n    {\r\n        \"value\":\"0\",\r\n        \"label\":\"True\",\r\n        \"selected\":true\r\n    }\r\n]"
          }
        ],
        "style": "pills",
        "queryType": 1,
        "resourceType": "microsoft.resourcegraph/resources"
      },
      "customWidth": "100",
      "name": "TopParameters"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "SigninLogs\r\n| where AppId in ({ApplicationFilter})\r\n| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n| where UserId != UserPrincipalName\r\n| summarize Total = count() by AppDisplayName",
        "size": 1,
        "timeContextFromParameter": "TimeRangeFilter",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "crossComponentResources": [
          "{WorkspaceFilter}"
        ],
        "gridSettings": {
          "formatters": [
            {
              "columnMatch": "Total",
              "formatter": 4,
              "formatOptions": {
                "palette": "blue"
              }
            }
          ],
          "labelSettings": [
            {
              "columnId": "AppDisplayName",
              "label": "Application"
            }
          ]
        }
      },
      "customWidth": "25",
      "name": "StatAppTable"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "SigninLogs\r\n| where AppId in ({ApplicationFilter})\r\n| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n| where UserId != UserPrincipalName\r\n| summarize Total = count() by AuthenticationRequirement\r\n| extend AuthenticationRequirement = iif( AuthenticationRequirement == \"multiFactorAuthentication\", \"MFA\", \"Single Factor\")\r\n //MFA = countif( AuthenticationRequirement == \"multiFactorAuthentication\" ), SFA = countif( AuthenticationRequirement == \"singleFactorAuthentication\" )",
        "size": 1,
        "noDataMessage": "No results with this filter",
        "timeContextFromParameter": "TimeRangeFilter",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "crossComponentResources": [
          "{WorkspaceFilter}"
        ],
        "visualization": "tiles",
        "tileSettings": {
          "titleContent": {
            "columnMatch": "AuthenticationRequirement",
            "formatter": 1
          },
          "leftContent": {
            "columnMatch": "AuthenticationRequirement",
            "formatter": 18,
            "formatOptions": {
              "thresholdsOptions": "icons",
              "thresholdsGrid": [
                {
                  "operator": "==",
                  "thresholdValue": "MFA",
                  "representation": "success",
                  "text": ""
                },
                {
                  "operator": "==",
                  "thresholdValue": "Single Factor",
                  "representation": "3",
                  "text": ""
                },
                {
                  "operator": "Default",
                  "thresholdValue": null,
                  "representation": "success",
                  "text": "{0}{1}"
                }
              ]
            }
          },
          "rightContent": {
            "columnMatch": "Total",
            "formatter": 12,
            "formatOptions": {
              "palette": "none"
            },
            "numberFormat": {
              "unit": 0,
              "options": {
                "style": "decimal"
              }
            }
          },
          "showBorder": false,
          "size": "full"
        }
      },
      "customWidth": "15",
      "name": "StatsTiles"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "SigninLogs\r\n| where AppId in ({ApplicationFilter})\r\n| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n| where UserId != UserPrincipalName\r\n| make-series Total = count() on TimeGenerated from {TimeRangeFilter:start} to {TimeRangeFilter:end} step {TimeRangeFilter:grain} by AuthenticationRequirement\r\n| extend AuthenticationRequirement = iif( AuthenticationRequirement == \"multiFactorAuthentication\", \"MFA\", \"Single Factor\")",
        "size": 1,
        "title": "MFA and Single Factor sign-ins",
        "timeContextFromParameter": "TimeRangeFilter",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "crossComponentResources": [
          "{WorkspaceFilter}"
        ],
        "visualization": "timechart",
        "chartSettings": {
          "seriesLabelSettings": [
            {
              "seriesName": "MFA",
              "color": "green"
            },
            {
              "seriesName": "Single Factor",
              "color": "red"
            }
          ]
        }
      },
      "customWidth": "60",
      "name": "StatsGraph"
    },
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "49c10ae1-d7e1-421e-8e2c-2d894eb75792",
            "version": "KqlParameterItem/1.0",
            "name": "MFAFilter",
            "label": "Users doing MFA ",
            "type": 10,
            "description": "Chose to display only users not using MFA to access the applications. It does not mean the user cannot do MFA.",
            "isRequired": true,
            "typeSettings": {
              "additionalResourceOptions": [],
              "showDefault": false
            },
            "jsonData": "[\r\n    {\r\n        \"value\":\"==\",\r\n        \"label\":\"Hide\"\r\n    },\r\n    {\r\n        \"value\":\">=\",\r\n        \"label\":\"Show\",\r\n        \"selected\":true\r\n    }\r\n]",
            "timeContext": {
              "durationMs": 86400000
            }
          },
          {
            "id": "eeaf1a72-7ea8-49c4-9158-c3a7551700c9",
            "version": "KqlParameterItem/1.0",
            "name": "UserFilter",
            "label": "Users filter",
            "type": 2,
            "isRequired": true,
            "multiSelect": true,
            "quote": "'",
            "delimiter": ",",
            "query": "SigninLogs\r\n| where AppId in ({ApplicationFilter})\r\n| where UserId != UserPrincipalName\r\n| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\"\r\n| distinct UserPrincipalName",
            "crossComponentResources": [
              "{WorkspaceFilter}"
            ],
            "typeSettings": {
              "additionalResourceOptions": [
                "value::all"
              ],
              "selectAllValue": "All users",
              "showDefault": false
            },
            "timeContext": {
              "durationMs": 0
            },
            "timeContextFromParameter": "TimeRangeFilter",
            "defaultValue": "value::all",
            "queryType": 0,
            "resourceType": "microsoft.operationalinsights/workspaces"
          }
        ],
        "style": "above",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters - 5"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "SigninLogs\r\n| where AppId in ({ApplicationFilter})\r\n| where UserId != UserPrincipalName\r\n| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n| where \"{UserFilter:escapejson}\" == \"All users\" or UserPrincipalName in ({UserFilter}) \r\n| make-series MFATrend = countif( AuthenticationRequirement == \"multiFactorAuthentication\" ), SFATrend = countif( AuthenticationRequirement == \"singleFactorAuthentication\" ) on TimeGenerated from {TimeRangeFilter:start} to {TimeRangeFilter:end} step {TimeRangeFilter:grain} by UserPrincipalName, UserId, IPAddress\r\n| project-away TimeGenerated\r\n| join kind=leftouter (\r\n    SigninLogs\r\n    | where AppId in ({ApplicationFilter})\r\n    | where UserId != UserPrincipalName\r\n    | where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n    | where \"{UserFilter:escapejson}\" == \"All users\" or UserPrincipalName in ({UserFilter}) \r\n    | where AuthenticationRequirement == \"multiFactorAuthentication\"\r\n    | summarize TotalMFA = count() by UserPrincipalName\r\n) on UserPrincipalName\r\n| project-away UserPrincipalName1\r\n| extend TotalMFA = iif(isnull(TotalMFA), 0, TotalMFA)\r\n| extend MFA = array_sum(MFATrend), SFA = array_sum(SFATrend), UserPrincipalName = strcat(\"👤 \", UserPrincipalName)\r\n| order by MFA desc, SFA desc\r\n| project-reorder UserPrincipalName, MFA, SFA, MFATrend, SFATrend\r\n| where (TotalMFA {MFAFilter} 0)",
        "size": 2,
        "title": "List of sign-ins by users and IPs",
        "noDataMessage": "No result with these filter criteria.",
        "timeContextFromParameter": "TimeRangeFilter",
        "exportFieldName": "UserId",
        "exportParameterName": "SelectedUserId",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "crossComponentResources": [
          "{WorkspaceFilter}"
        ],
        "gridSettings": {
          "formatters": [
            {
              "columnMatch": "$gen_group",
              "formatter": 7,
              "formatOptions": {
                "linkTarget": "OpenBlade",
                "linkIsContextBlade": true,
                "bladeOpenContext": {
                  "bladeName": "UserProfileMenuBlade",
                  "extensionName": "Microsoft_AAD_UsersAndTenants",
                  "bladeJsonParameters": "{\r\n  \"menuId\": \"UserAuthMethods\",\r\n  \"userId\": \"{SelectedUserId}\",\r\n  \"hidePreviewBanner~\": true\r\n}"
                }
              }
            },
            {
              "columnMatch": "UserPrincipalName",
              "formatter": 5,
              "formatOptions": {
                "linkTarget": "OpenBlade",
                "linkIsContextBlade": true,
                "bladeOpenContext": {
                  "bladeName": "UserProfileMenuBlade",
                  "extensionName": "Microsoft_AAD_UsersAndTenants",
                  "bladeJsonParameters": "{\n  \"menuId\": \"UserAuthMethods\",\n  \"userId\": \"{SelectedUserId}\",\n  \"hidePreviewBanner~\": true\n}"
                }
              }
            },
            {
              "columnMatch": "MFA",
              "formatter": 0,
              "formatOptions": {
                "aggregation": "Sum"
              }
            },
            {
              "columnMatch": "SFA",
              "formatter": 0,
              "formatOptions": {
                "aggregation": "Sum"
              }
            },
            {
              "columnMatch": "MFATrend",
              "formatter": 21,
              "formatOptions": {
                "palette": "green",
                "aggregation": "Sum"
              }
            },
            {
              "columnMatch": "SFATrend",
              "formatter": 21,
              "formatOptions": {
                "palette": "red",
                "aggregation": "Sum"
              }
            },
            {
              "columnMatch": "UserId",
              "formatter": 5
            },
            {
              "columnMatch": "IPAddress",
              "formatter": 5
            },
            {
              "columnMatch": "TotalMFA",
              "formatter": 5
            }
          ],
          "rowLimit": 500,
          "hierarchySettings": {
            "treeType": 1,
            "groupBy": [
              "UserPrincipalName",
              "IPAddress"
            ]
          },
          "labelSettings": [
            {
              "columnId": "MFA",
              "label": "MFA"
            },
            {
              "columnId": "SFA",
              "label": "Single factor"
            },
            {
              "columnId": "MFATrend",
              "label": "MFA sign-in history"
            },
            {
              "columnId": "SFATrend",
              "label": "Single factor sign-in history"
            }
          ]
        },
        "sortBy": []
      },
      "name": "UserTable"
    }
  ],
  "fallbackResourceIds": [
    "Azure Monitor"
  ],
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
	{
	"version": "Notebook/1.0",
	"items": [
	{
	"type": 1,
	"content": {
	"json": "# MFA Enforcement Dashboard\r\n\r\n1. Select the subscription where your workspace is.\r\n2. Select the workspace where your Entra ID Sign-In logs are.\r\n3. Select a time range (more than 14 days might take longer to display)\r\n4. Select all applications in the scope of the announcement or only specific applications.\r\n5. Display only successful connections (default) as failed connections are not indicative of actual accesses. "
	},
	"name": "TitleMd"
	},
	{
	"type": 9,
	"content": {
	"version": "KqlParameterItem/1.0",
	"crossComponentResources": [
	"{SubscriptionFilter}"
	],
	"parameters": [
	{
	"id": "41a4872d-af4e-447b-9a01-dc72a127148b",
	"version": "KqlParameterItem/1.0",
	"name": "SubscriptionFilter",
	"label": "1. Subscription",
	"type": 6,
	"isRequired": true,
	"typeSettings": {
	"additionalResourceOptions": [],
	"includeAll": false
	},
	"timeContext": {
	"durationMs": 86400000
	},
	"value": ""
	},
	{
	"id": "27718185-ea82-45ae-968e-0c9fccd0169b",
	"version": "KqlParameterItem/1.0",
	"name": "WorkspaceFilter",
	"label": "2. Workspace",
	"type": 5,
	"isRequired": true,
	"query": "resources",
	"crossComponentResources": [
	"{SubscriptionFilter}"
	],
	"typeSettings": {
	"resourceTypeFilter": {
	"microsoft.operationalinsights/workspaces": true
	},
	"additionalResourceOptions": [],
	"showDefault": false
	},
	"timeContext": {
	"durationMs": 86400000
	},
	"queryType": 1,
	"resourceType": "microsoft.resourcegraph/resources",
	"value": ""
	},
	{
	"id": "516c2ea5-4e6b-4b0f-8364-7bf6fc096109",
	"version": "KqlParameterItem/1.0",
	"name": "TimeRangeFilter",
	"label": "3. Time range",
	"type": 4,
	"isRequired": true,
	"typeSettings": {
	"selectableValues": [
	{
	"durationMs": 3600000
	},
	{
	"durationMs": 14400000
	},
	{
	"durationMs": 86400000
	},
	{
	"durationMs": 172800000
	},
	{
	"durationMs": 259200000
	},
	{
	"durationMs": 604800000
	},
	{
	"durationMs": 1209600000
	},
	{
	"durationMs": 2592000000
	},
	{
	"durationMs": 5184000000
	},
	{
	"durationMs": 7776000000
	}
	]
	},
	"timeContext": {
	"durationMs": 86400000
	},
	"value": {
	"durationMs": 1209600000
	}
	},
	{
	"id": "d536fb11-3e5d-4a3a-9813-a840831bf6b7",
	"version": "KqlParameterItem/1.0",
	"name": "ApplicationFilter",
	"label": "4. Applications",
	"type": 2,
	"description": "Select one or more applications",
	"isRequired": true,
	"multiSelect": true,
	"quote": "'",
	"delimiter": ",",
	"typeSettings": {
	"additionalResourceOptions": [
	"value::all"
	],
	"showDefault": false
	},
	"jsonData": "[\r\n\t{\r\n\t\t\"label\": \"Azure Portal\",\r\n\t\t\"value\": \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\"\r\n\t},\r\n\t{\r\n\t\t\"label\": \"Microsoft Azure CLI\",\r\n\t\t\"value\": \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\"\r\n\t},\r\n\t{\r\n\t\t\"label\": \"Microsoft Azure PowerShell\",\r\n\t\t\"value\": \"1950a258-227b-4e31-a9cf-717495945fc2\"\r\n\t}\r\n]",
	"timeContext": {
	"durationMs": 86400000
	},
	"defaultValue": "value::all",
	"value": [
	"value::all"
	]
	},
	{
	"id": "1067e214-c17c-45b4-a643-cc62f4bab93f",
	"version": "KqlParameterItem/1.0",
	"name": "SuccessFilter",
	"label": "5. Show only success",
	"type": 10,
	"isRequired": true,
	"typeSettings": {
	"additionalResourceOptions": [],
	"showDefault": false
	},
	"jsonData": "[\r\n {\r\n \"value\":\"All\",\r\n \"label\":\"False\"\r\n },\r\n {\r\n \"value\":\"0\",\r\n \"label\":\"True\",\r\n \"selected\":true\r\n }\r\n]"
	}
	],
	"style": "pills",
	"queryType": 1,
	"resourceType": "microsoft.resourcegraph/resources"
	},
	"customWidth": "100",
	"name": "TopParameters"
	},
	{
	"type": 3,
	"content": {
	"version": "KqlItem/1.0",
	"query": "SigninLogs\r\n\| where AppId in ({ApplicationFilter})\r\n\| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n\| where UserId != UserPrincipalName\r\n\| summarize Total = count() by AppDisplayName",
	"size": 1,
	"timeContextFromParameter": "TimeRangeFilter",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"crossComponentResources": [
	"{WorkspaceFilter}"
	],
	"gridSettings": {
	"formatters": [
	{
	"columnMatch": "Total",
	"formatter": 4,
	"formatOptions": {
	"palette": "blue"
	}
	}
	],
	"labelSettings": [
	{
	"columnId": "AppDisplayName",
	"label": "Application"
	}
	]
	}
	},
	"customWidth": "25",
	"name": "StatAppTable"
	},
	{
	"type": 3,
	"content": {
	"version": "KqlItem/1.0",
	"query": "SigninLogs\r\n\| where AppId in ({ApplicationFilter})\r\n\| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n\| where UserId != UserPrincipalName\r\n\| summarize Total = count() by AuthenticationRequirement\r\n\| extend AuthenticationRequirement = iif( AuthenticationRequirement == \"multiFactorAuthentication\", \"MFA\", \"Single Factor\")\r\n //MFA = countif( AuthenticationRequirement == \"multiFactorAuthentication\" ), SFA = countif( AuthenticationRequirement == \"singleFactorAuthentication\" )",
	"size": 1,
	"noDataMessage": "No results with this filter",
	"timeContextFromParameter": "TimeRangeFilter",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"crossComponentResources": [
	"{WorkspaceFilter}"
	],
	"visualization": "tiles",
	"tileSettings": {
	"titleContent": {
	"columnMatch": "AuthenticationRequirement",
	"formatter": 1
	},
	"leftContent": {
	"columnMatch": "AuthenticationRequirement",
	"formatter": 18,
	"formatOptions": {
	"thresholdsOptions": "icons",
	"thresholdsGrid": [
	{
	"operator": "==",
	"thresholdValue": "MFA",
	"representation": "success",
	"text": ""
	},
	{
	"operator": "==",
	"thresholdValue": "Single Factor",
	"representation": "3",
	"text": ""
	},
	{
	"operator": "Default",
	"thresholdValue": null,
	"representation": "success",
	"text": "{0}{1}"
	}
	]
	}
	},
	"rightContent": {
	"columnMatch": "Total",
	"formatter": 12,
	"formatOptions": {
	"palette": "none"
	},
	"numberFormat": {
	"unit": 0,
	"options": {
	"style": "decimal"
	}
	}
	},
	"showBorder": false,
	"size": "full"
	}
	},
	"customWidth": "15",
	"name": "StatsTiles"
	},
	{
	"type": 3,
	"content": {
	"version": "KqlItem/1.0",
	"query": "SigninLogs\r\n\| where AppId in ({ApplicationFilter})\r\n\| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n\| where UserId != UserPrincipalName\r\n\| make-series Total = count() on TimeGenerated from {TimeRangeFilter:start} to {TimeRangeFilter:end} step {TimeRangeFilter:grain} by AuthenticationRequirement\r\n\| extend AuthenticationRequirement = iif( AuthenticationRequirement == \"multiFactorAuthentication\", \"MFA\", \"Single Factor\")",
	"size": 1,
	"title": "MFA and Single Factor sign-ins",
	"timeContextFromParameter": "TimeRangeFilter",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"crossComponentResources": [
	"{WorkspaceFilter}"
	],
	"visualization": "timechart",
	"chartSettings": {
	"seriesLabelSettings": [
	{
	"seriesName": "MFA",
	"color": "green"
	},
	{
	"seriesName": "Single Factor",
	"color": "red"
	}
	]
	}
	},
	"customWidth": "60",
	"name": "StatsGraph"
	},
	{
	"type": 9,
	"content": {
	"version": "KqlParameterItem/1.0",
	"parameters": [
	{
	"id": "49c10ae1-d7e1-421e-8e2c-2d894eb75792",
	"version": "KqlParameterItem/1.0",
	"name": "MFAFilter",
	"label": "Users doing MFA ",
	"type": 10,
	"description": "Chose to display only users not using MFA to access the applications. It does not mean the user cannot do MFA.",
	"isRequired": true,
	"typeSettings": {
	"additionalResourceOptions": [],
	"showDefault": false
	},
	"jsonData": "[\r\n {\r\n \"value\":\"==\",\r\n \"label\":\"Hide\"\r\n },\r\n {\r\n \"value\":\">=\",\r\n \"label\":\"Show\",\r\n \"selected\":true\r\n }\r\n]",
	"timeContext": {
	"durationMs": 86400000
	}
	},
	{
	"id": "eeaf1a72-7ea8-49c4-9158-c3a7551700c9",
	"version": "KqlParameterItem/1.0",
	"name": "UserFilter",
	"label": "Users filter",
	"type": 2,
	"isRequired": true,
	"multiSelect": true,
	"quote": "'",
	"delimiter": ",",
	"query": "SigninLogs\r\n\| where AppId in ({ApplicationFilter})\r\n\| where UserId != UserPrincipalName\r\n\| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\"\r\n\| distinct UserPrincipalName",
	"crossComponentResources": [
	"{WorkspaceFilter}"
	],
	"typeSettings": {
	"additionalResourceOptions": [
	"value::all"
	],
	"selectAllValue": "All users",
	"showDefault": false
	},
	"timeContext": {
	"durationMs": 0
	},
	"timeContextFromParameter": "TimeRangeFilter",
	"defaultValue": "value::all",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces"
	}
	],
	"style": "above",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces"
	},
	"name": "parameters - 5"
	},
	{
	"type": 3,
	"content": {
	"version": "KqlItem/1.0",
	"query": "SigninLogs\r\n\| where AppId in ({ApplicationFilter})\r\n\| where UserId != UserPrincipalName\r\n\| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n\| where \"{UserFilter:escapejson}\" == \"All users\" or UserPrincipalName in ({UserFilter}) \r\n\| make-series MFATrend = countif( AuthenticationRequirement == \"multiFactorAuthentication\" ), SFATrend = countif( AuthenticationRequirement == \"singleFactorAuthentication\" ) on TimeGenerated from {TimeRangeFilter:start} to {TimeRangeFilter:end} step {TimeRangeFilter:grain} by UserPrincipalName, UserId, IPAddress\r\n\| project-away TimeGenerated\r\n\| join kind=leftouter (\r\n SigninLogs\r\n \| where AppId in ({ApplicationFilter})\r\n \| where UserId != UserPrincipalName\r\n \| where \"{SuccessFilter}\" == \"All\" or ResultType == \"{SuccessFilter}\" \r\n \| where \"{UserFilter:escapejson}\" == \"All users\" or UserPrincipalName in ({UserFilter}) \r\n \| where AuthenticationRequirement == \"multiFactorAuthentication\"\r\n \| summarize TotalMFA = count() by UserPrincipalName\r\n) on UserPrincipalName\r\n\| project-away UserPrincipalName1\r\n\| extend TotalMFA = iif(isnull(TotalMFA), 0, TotalMFA)\r\n\| extend MFA = array_sum(MFATrend), SFA = array_sum(SFATrend), UserPrincipalName = strcat(\"👤 \", UserPrincipalName)\r\n\| order by MFA desc, SFA desc\r\n\| project-reorder UserPrincipalName, MFA, SFA, MFATrend, SFATrend\r\n\| where (TotalMFA {MFAFilter} 0)",
	"size": 2,
	"title": "List of sign-ins by users and IPs",
	"noDataMessage": "No result with these filter criteria.",
	"timeContextFromParameter": "TimeRangeFilter",
	"exportFieldName": "UserId",
	"exportParameterName": "SelectedUserId",
	"queryType": 0,
	"resourceType": "microsoft.operationalinsights/workspaces",
	"crossComponentResources": [
	"{WorkspaceFilter}"
	],
	"gridSettings": {
	"formatters": [
	{
	"columnMatch": "$gen_group",
	"formatter": 7,
	"formatOptions": {
	"linkTarget": "OpenBlade",
	"linkIsContextBlade": true,
	"bladeOpenContext": {
	"bladeName": "UserProfileMenuBlade",
	"extensionName": "Microsoft_AAD_UsersAndTenants",
	"bladeJsonParameters": "{\r\n \"menuId\": \"UserAuthMethods\",\r\n \"userId\": \"{SelectedUserId}\",\r\n \"hidePreviewBanner~\": true\r\n}"
	}
	}
	},
	{
	"columnMatch": "UserPrincipalName",
	"formatter": 5,
	"formatOptions": {
	"linkTarget": "OpenBlade",
	"linkIsContextBlade": true,
	"bladeOpenContext": {
	"bladeName": "UserProfileMenuBlade",
	"extensionName": "Microsoft_AAD_UsersAndTenants",
	"bladeJsonParameters": "{\n \"menuId\": \"UserAuthMethods\",\n \"userId\": \"{SelectedUserId}\",\n \"hidePreviewBanner~\": true\n}"
	}
	}
	},
	{
	"columnMatch": "MFA",
	"formatter": 0,
	"formatOptions": {
	"aggregation": "Sum"
	}
	},
	{
	"columnMatch": "SFA",
	"formatter": 0,
	"formatOptions": {
	"aggregation": "Sum"
	}
	},
	{
	"columnMatch": "MFATrend",
	"formatter": 21,
	"formatOptions": {
	"palette": "green",
	"aggregation": "Sum"
	}
	},
	{
	"columnMatch": "SFATrend",
	"formatter": 21,
	"formatOptions": {
	"palette": "red",
	"aggregation": "Sum"
	}
	},
	{
	"columnMatch": "UserId",
	"formatter": 5
	},
	{
	"columnMatch": "IPAddress",
	"formatter": 5
	},
	{
	"columnMatch": "TotalMFA",
	"formatter": 5
	}
	],
	"rowLimit": 500,
	"hierarchySettings": {
	"treeType": 1,
	"groupBy": [
	"UserPrincipalName",
	"IPAddress"
	]
	},
	"labelSettings": [
	{
	"columnId": "MFA",
	"label": "MFA"
	},
	{
	"columnId": "SFA",
	"label": "Single factor"
	},
	{
	"columnId": "MFATrend",
	"label": "MFA sign-in history"
	},
	{
	"columnId": "SFATrend",
	"label": "Single factor sign-in history"
	}
	]
	},
	"sortBy": []
	},
	"name": "UserTable"
	}
	],
	"fallbackResourceIds": [
	"Azure Monitor"
	],
	"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
	}
No results found