Authentication Activity report

Early Access release. See Enable self-service features.

The Authentication Activity report provides a detailed view of the sign-in experience across various authenticators in your org. In addition to the MFA Activity report, the Authentication Activity report includes device and policy information for a deeper understanding of the authentication context. The report also measures phishing resistance and passwordless authentication to help you evaluate the health and maturity of the authentication activity.

Source data for this report is refreshed periodically throughout the day. There could be a delay before recent activity appears in the report.

Run the report

  1. In the Admin Console, go to ReportsReports.

  2. On the Reports page, go to Multifactor Authenticator and click Authentication Activity.

By default, the report shows events from the last 24 hours. To adjust this, click Edit Filters. You can extend the duration up to a maximum of 90 days. You can also refine the report by applying various filters:

  • App
  • Authentication
  • Device type
  • Groups
  • Managed device
  • Operating system
  • Registered device
  • User

The filter values that you provide must be a perfect string match to the report data. If you enter only the initial characters of the desired value (a prefix) your report won't be filtered correctly.

For offline analysis, click CSV Export to download the report as a CSV file.

Results

The report shows the total number of successful authentication events that occurred during the selected time frame and match the applied filter criteria. It also highlights the subsets of these events that were phishing-resistant or passwordless.

You can view the results in three charts:

  • Successful authentication over time: Tracks the volume of successful authentication events across the chosen time range.
  • Top 5 authenticators: Identifies the most frequently used combinations of authenticators for sign-in, enrollment, recovery, and account unlock actions.
  • Authentication property for the top 5 apps: Shows the characteristics (such as phishing resistance, passwordless, user presence) of authentication events associated with the top five apps in your org.

The Successful authentication events table provides granular details for every matching event, including the timestamp, username, intent, authenticators used, target, location, properties, device information (OS, registration, and management status), associated authentication policy and rules, and the event ID. The event ID link provides a trace of related events in the System Log. You can customize the visible fields in this table by clicking the gear icon.