<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How to Determine All User Login Events for Microsoft RDP (MFA) Application
Sep 11, 2025
Okta Classic Engine
Okta Identity Engine
Administration
Overview

System log query using target.id eq "<Microsoft RDP app id>" and eventType eq "user.authentication.auth_via_mfa" displays user login events for SMS_FACTOR or OKTA_SOFT_TOKEN, but not for Okta Verify push.

Applies To
  • Microsoft RDP (MFA) app
  • Remote Desktop Protocol (RDP)
  • Okta Multi-Factor Authentication (MFA) Credential Provider for Windows Agent
  • System Logs
Solution

To determine all user login events for the Microsoft RDP (MFA) application, use the following system log query: 

client.userAgent.rawUserAgent co "OktaRDPAgent" and eventType eq "user.authentication.verify"


The RawUserAgent field contains the server information to which the user logs in.

System Logs Event 

Download the syslog results as a Comma Separated Values (CSV) file and find this server information in the client.user_agent.raw_user_agent column.

Recommended content

Still looking for help?
Loading
How to Determine All User Login Events for Microsoft RDP (MFA) Application