Microsoft Azure Add on for Splunk 3.1.1 - authenti...

All Apps and Add-ons

It looks to be that in version 3.1.1 the defaults for AAD Sign Ins swaps away from BETA --> 1.0 which looks to not be providing authentication_method (MFA/2FA) information.

This default change in behaviour can be seen in this file 'input_module_MS_AAD_signins.py'

BEFORE:
url = graph_base_url + "/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+%s+and+createdDateTime+le+%s" % (query_date, end_date.strftime('%Y-%m-%dT%H:%M:%S.%fZ'))

AFTER:
url = graph_base_url + "/%s/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+%s+and+createdDateTime+le+%s" % (endpoint, query_date, end_date.strftime('%Y-%m-%dT%H:%M:%S.%fZ'))

For anyone who really needs/wants authentication_method information I strongly encourage you to back to your INPUTS and change the dropdown back to BETA.

These seem to have been dropped by MS in v1 . unless BETA is ahead .. in which case they will be and all that is required is to change the INPUT

Get Updates on the Splunk Community!

Microsoft Azure Add on for Splunk 3.1.1 - authentication_method

troubleshooting

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

Microsoft Azure Add on for Splunk 3.1.1 - authentication_method

troubleshooting

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025