
Dashboard of Windows authentication methods usage (WHfB vs password)



In this post I will show you a Log Analytics dashboard that lets you monitor Windows authentication usage, that is, whether your users sign in with WHfB or with a password.


Context

You have implemented Windows Hello for Business (WHfB) and want to see usage of it.

You want to see whether users still sign in with a password or use the passwordless option through WHfB.


The solution

Windows authentication logs are available in the SigninLogs table from Log Analytics.

This table contains the following information:

- Device name

- User name

- Authentication time

- Method: password or WHFB

- IP address

- Location


With a bit of KQL you can extract all of this content.

If you want to learn KQL, you can take a look at my book Learn KQL in one month, available on Amazon here.

See more info about the book here.


The SigninLogs table records the sign-in method, meaning Windows Hello for Business or password.

It does not show which WHfB gesture was used (PIN, facial recognition, fingerprint...).

However, I will soon publish a dashboard that gathers this information.


Get the dashboard

Click on the GitHub picture below to get the dashboard.


What does it show?

The dashboard allows you to get the following info:

- Number of people using a password for Windows authentication

- Number of people using WHFB for Windows authentication

- Who uses a password vs Windows Hello for Business (WHfB)

- Who uses both password and WHfB

- Usage evolution of WHFB or password over time
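
The per-user split listed above (password only, WHfB only, both) can be reproduced with a short query. This is an added example, not the query from the workbook. The column names are those of the SigninLogs table; the filter value "Windows Sign In" and the authenticationMethod strings are assumptions about how Windows logons appear in that table, and SampleSignins is a constructed stand-in so the query runs in any workspace:

```kql
// Constructed sample rows standing in for SigninLogs (not real data).
// The last row is not a Windows logon and must be dropped by the AppDisplayName filter.
// In a real workspace, replace SampleSignins with SigninLogs in the query below.
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, AppDisplayName:string,
                              DeviceDetail:dynamic, AuthenticationDetails:string)
[
    datetime(2024-01-10 08:01:00), "alice@contoso.example", "Windows Sign In",
        dynamic({"displayName":"PC-001"}), '[{"authenticationMethod":"Windows Hello for Business"}]',
    datetime(2024-01-10 08:15:00), "bob@contoso.example", "Windows Sign In",
        dynamic({"displayName":"PC-002"}), '[{"authenticationMethod":"Password"}]',
    datetime(2024-01-11 09:02:00), "carol@contoso.example", "Windows Sign In",
        dynamic({"displayName":"PC-003"}), '[{"authenticationMethod":"Password"}]',
    datetime(2024-01-12 09:05:00), "carol@contoso.example", "Windows Sign In",
        dynamic({"displayName":"PC-003"}), '[{"authenticationMethod":"Windows Hello for Business"}]',
    datetime(2024-01-12 10:00:00), "bob@contoso.example", "Office 365 Exchange Online",
        dynamic({"displayName":"PC-002"}), '[{"authenticationMethod":"Password"}]'
];
SampleSignins
// Keep only Windows logons (assumed application name)
| where AppDisplayName == "Windows Sign In"
// AuthenticationDetails is a JSON array stored as a string: one row per authentication step
| mv-expand Detail = parse_json(AuthenticationDetails)
| extend Method = tostring(Detail.authenticationMethod)
| where Method in ("Password", "Windows Hello for Business")
| extend DeviceName = tostring(DeviceDetail.displayName)
// One row per user: which methods were seen, on which devices, and when last
| summarize Methods = make_set(Method),
            Devices = make_set(DeviceName),
            SignIns = count(),
            LastSignIn = max(TimeGenerated)
            by UserPrincipalName
| extend Usage = case(array_length(Methods) > 1, "Both",
                      set_has_element(Methods, "Password"), "Password only",
                      "WHfB only")
| project UserPrincipalName, Usage, SignIns, LastSignIn, Devices
| order by Usage asc, UserPrincipalName asc
```

Users in the "Password only" and "Both" rows are the ones still typing a password at the Windows logon screen; appending `| summarize Users = count() by Usage` turns the list into the global counters.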


You can filter on:

- Device name or user name

- Windows authentication activity (by default last 3 days)

- Show last connection for a user vs show all connections


You will first see some global counters as below:

Then, authentication methods count as below:

You have the same counters for Azure AD joined devices.


The next chart allows you to see the usage of Windows Hello over time.

You first need to choose a time range (default is last 6 months):


Then the result is displayed:

The same chart for usage of password is displayed:



This way you can see that when WHfB usage increases, password usage decreases.


You can see the list of people who used WHfB or a password.

Use the Show me filter (at the top) to filter on the last connection or all connections for users:



Add the workbook

In this part we will add the report.

The report can be downloaded on my GitHub.

The report is the file: Workbook.json

To add it, proceed as below:

1. Go to the Azure portal

2. Go to Log Analytics workspace

3. Go to workbooks

4. Click on New

5. Go to Advanced editor

6. Remove all content

7. Go to the GitHub link, there

8. Click on the copy button

9. Paste content in the workbook editor

10. Click on Apply

11. Click on Done editing then Save


To show content from your workspace a parameter must be set.

For that proceed as below:

1. Click on Edit


2. Go to the WorkspaceName parameter


3. Type the name of the workspace (the one that contains SigninLogs table)

If there is no workspace selected, you will have the below warning:



What's next?

I will soon publish a dashboard allowing you to gather more detailed information about Windows sign-in.

It will show:

- Number of sign-ins through PIN, fingerprint, facial recognition or password

- List of devices depending on sign-in methods
