It seems that the authenticationDetail resource type is no longer part of the: Sign-ins - Azure AD sign-ins including conditional access policies and MFA
After researching the issue it seems only the Beta API NOT the v1.0 API has the data we want. However toggling the addon to Beta Has not affect on the log structure we still don't see authenticationDetail resource type in the logs.
Microsoft Azure Add-on for Splunk Version: 3.1.1
Splunk Enterprise 8.1
Is this a problem with the TA not having the correct python to pull the data or the MS API changing ? worked in April this year.
I was able to fix this by reinstalling the app.