Keshav Jain

Mar 28, 2021 · 1 min

Azure Sentinel KQL query to generate a report of users and the authentication methods they have used

The KQL query below generates a report of users and the authentication methods they have used.

// AuthenticationDetails is a JSON array of authentication steps; [0] is the first step of each sign-in.
SigninLogs
| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend authenticationMethodDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethodDetail)
| extend authenticationStepResultDetail_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepResultDetail)
| extend authenticationStepRequirement_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)
| extend authenticationStepDateTime_ = tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime)
// Drop sign-ins that carry no authentication method for the first step.
| where isnotempty(authenticationMethod_)
| project UserDisplayName, UserPrincipalName, AppDisplayName, authenticationMethod_, authenticationMethodDetail_, authenticationStepRequirement_, authenticationStepDateTime_, Status
// Newest authentication step first.
| sort by authenticationStepDateTime_ desc
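The query above reads only the first element ([0]) of AuthenticationDetails, so a second step such as an MFA prompt never appears in the report. The following is an added example, not the author's query: it expands every step and rolls the result up to one row per user. The 30-day lookback and the column aliases (AuthStep, Method, Requirement, Methods, MethodCount and so on) are assumptions chosen for illustration.

```kql
// Added example: per-user summary across ALL authentication steps.
// Assumption: 30-day lookback; adjust to your workspace retention.
SigninLogs
| where TimeGenerated > ago(30d)
// One output row per authentication step instead of only element [0].
| mv-expand AuthStep = parse_json(AuthenticationDetails)
| extend Method = tostring(AuthStep.authenticationMethod),
         Requirement = tostring(AuthStep.authenticationStepRequirement)
| where isnotempty(Method)
// Collapse to one row per user with the distinct methods observed.
| summarize Methods = make_set(Method),
            Requirements = make_set(Requirement),
            Apps = make_set(AppDisplayName, 20),
            SignIns = dcount(CorrelationId),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, UserDisplayName
| extend MethodCount = array_length(Methods)
// Users with the fewest distinct methods sort first for review.
| sort by MethodCount asc, LastSeen desc
```

Accounts at the top of the result that show a single method are the ones to check against your MFA enrollment and Conditional Access expectations.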
