reports-clarify-mfa-031723

shlipsey3 · shlipsey3 · commit 80a571155ecf · 2023-03-17T11:32:51.000-07:00
diff --git a/articles/active-directory/reports-monitoring/concept-all-sign-ins.md b/articles/active-directory/reports-monitoring/concept-all-sign-ins.md
@@ -1,14 +1,14 @@
 ---
-title: Sign-in logs (preview) in Azure Active Directory
-description: Conceptual information about Azure AD sign-in logs, including new features in preview. 
+title: Sign-in logs (preview)
+description: Conceptual information about sign-in logs, including new features in preview. 
 services: active-directory
 author: shlipsey3
 manager: amycolannino
 ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 01/12/2023
+ms.date: 03/17/2023
 ms.author: sarahlipsey
 ms.reviewer: besiler
 ms.collection: M365-identity-device-management
@@ -105,6 +105,10 @@ You can customize the list view by clicking **Columns** in the toolbar.
 
 ![Screenshot customize columns button.](./media/concept-all-sign-ins/sign-in-logs-columns-preview.png)
 
+#### Considerations for MFA sign-ins
+
+When a user signs in with MFA, several separate MFA events are actually taking place. For example, if a user takes 10 minutes to complete the MFA sign-in, additional MFA events are sent to reflect the latest status of the sign-in attempt. These sign-in events appear as one line item in the Azure AD sign-in logs. That same sign-in event in Azure Monitor, however, appears as multiple line items. These events will all have the same `correlationId`.
+
 ### Non-interactive user sign-ins
 
 Like interactive user sign-ins, non-interactive sign-ins are done on behalf of a user. These sign-ins were performed by a client app or OS components on behalf of a user and don't require the user to provide an authentication factor. Instead, the device or client app uses a token or code to authenticate or access a resource on behalf of a user. In general, the user will perceive these sign-ins as happening in the background.
diff --git a/articles/active-directory/reports-monitoring/concept-sign-ins.md b/articles/active-directory/reports-monitoring/concept-sign-ins.md
@@ -159,6 +159,10 @@ When analyzing authentication details, take note of the following details:
     - The **Primary authentication** row isn't initially logged.
 - If you're unsure of a detail in the logs, gather the **Request ID** and **Correlation ID** to use for further analyzing or troubleshooting.
 
+#### Considerations for MFA sign-ins
+
+When a user signs in with MFA, several separate MFA events are actually taking place. For example, if a user takes 10 minutes to complete the MFA sign-in, additional MFA events are sent to reflect the latest status of the sign-in attempt. These sign-in events appear as one line item in the Azure AD sign-in logs. That same sign-in event in Azure Monitor, however, appears as multiple line items. These events will all have the same `correlationId`.
+
 ## Sign-in data used by other services
 
 Sign-in data is used by several services in Azure to monitor risky sign-ins and provide insight into application usage. 
