In AD FS 2016, event 1200 in the Security log lets you export the authentication attempts to a text file and filter them.
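# Export AD FS audit event 1200 records from the local Security log to a CSV file.
# Each event's second property holds an XML audit document; the fields of interest
# are flattened into one row per event.
#
# NOTE(review): per Microsoft's AD FS audit event list, 1200 is written when a token
# is issued; failed requests are logged under other IDs (1201, 1203), so add them to
# Id if failures must appear in the export - confirm against the reference.
# The output contains user IDs and client IP addresses; write it somewhere with
# restricted access.

# @() keeps an empty result as an empty array, so the loop below is skipped instead
# of running once against $null when no events are found.
$evts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1200 })

# Returns the named child value from the first context component that carries it.
# Looking fields up by element name avoids depending on the position of each
# <Component> in the audit XML, which would silently yield blank columns if a
# component were missing or ordered differently.
function Get-AuditComponentValue {
    param($Components, [string]$Name)
    foreach ($component in $Components) {
        $value = $component.$Name
        if ($value) { return $value }
    }
}

# Collect loop output directly; appending with += re-copies the whole array on
# every event, which is quadratic on a busy Security log.
$report = @(foreach ($evt in $evts) {
    $activityId = $evt.Properties[0].Value
    [xml]$auditXml = $evt.Properties[1].Value
    $audit = $auditXml.AuditBase
    $components = @($audit.ContextComponents.Component)

    [PSCustomObject]@{
        'Eventid'         = $evt.Id
        'AuditResult'     = $audit.AuditResult
        'FailureType'     = $audit.FailureType
        'ErrorCode'       = $audit.ErrorCode
        'timecreated'     = $evt.TimeCreated
        'ActivityId'      = $activityId
        'User'            = Get-AuditComponentValue $components 'UserId'
        'RelyingParty'    = Get-AuditComponentValue $components 'RelyingParty'
        'IpAddress'       = Get-AuditComponentValue $components 'IpAddress'
        'NetworkLocation' = Get-AuditComponentValue $components 'NetworkLocation'
        'MfaMethod'       = Get-AuditComponentValue $components 'MfaMethod'
        'AuthProtocol'    = Get-AuditComponentValue $components 'AuthProtocol'
        'UserAgentString' = Get-AuditComponentValue $components 'UserAgentString'
        'EndPoint'        = Get-AuditComponentValue $components 'Endpoint'
    }
})

# Output file: .\<yyyy-MM-dd>-<COMPUTERNAME>.log in the current directory (CSV content).
$date = Get-Date -Format 'yyyy-MM-dd-'
$path = '.\' + $date + $env:COMPUTERNAME + '.log'

# Oldest first; keep only requests for the Microsoft Online relying party that
# arrived on the WS-Trust 2005 usernamemixed (username/password) endpoint.
$report |
    Sort-Object -Property timecreated |
    Where-Object {
        $_.RelyingParty -eq 'urn:federation:MicrosoftOnline' -and
        $_.EndPoint -eq '/adfs/services/trust/2005/usernamemixed'
    } |
    Export-Csv -Path $path -NoTypeInformation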
#Reference: https://docs.microsoft.com/es-es/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging