<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

How to Determine All User Login Events for Microsoft RDP (MFA) Application

Okta Classic Engine
Okta Identity Engine
Administration

Overview

System log query using target.id eq "<Microsoft RDP app id>" and eventType eq "user.authentication.auth_via_mfa" displays user login events for SMS_FACTOR or OKTA_SOFT_TOKEN, but not for Okta Verify push.

Applies To

  • Microsoft RDP (MFA) app
  • Remote Desktop Protocol (RDP)
  • Okta Multi-Factor Authentication (MFA) Credential Provider for Windows Agent
  • System Logs

Solution

To determine all user login events for the Microsoft RDP (MFA) application, use the following system log query: 

client.userAgent.rawUserAgent co "OktaRDPAgent" and eventType eq "user.authentication.verify"


The RawUserAgent field contains the server information to which the user logs in.

System Logs Event 

Download the syslog results as a Comma Separated Values (CSV) file and find this server information in the client.user_agent.raw_user_agent column.

Loading
Okta Support - How to Determine All User Login Events for Microsoft RDP (MFA) Application