Tooling for auditing Auth0 MAU

Problem statement

When using Bulk User Exports and sorting by last_login, the count of users that have logged in during a given month is far less than the MAU count retrieved with the Auth0 Management API v2 endpoint for the same month.

Why does the quota link return different results compared to bulk-user exports?

Cause

The bulk-user-export endpoint retrieves users only for the specific database connection named in the request, within the specified tenant.
If you retrieve the users for only one of your database connections, you miss any users in the tenant's other database connections who logged in during that same month.

Solution

Bulk user export is not the most practical way to audit your External Active Users.

To obtain this information, you can always use the Quota Utilization reports shown in the Support Center or the get_active_users endpoint of the Management API (Auth0 Management API v2).
For MAU, we don’t count the number of logins but rather active usage. The most important measure of usage is the number of active users. We consider a user to be active in a given month if they have generated a log of user activity with its user_id. Each tenant this user logs into will result in a new user profile with a unique user_id on the respective tenant.

To count the MAUs, you should query tenant logs for successful login events.
Auth0 MAU usage calculation also includes, for instance, Refresh Token as a log of user activity. The successful exchange of Refresh Token for Access Token is a successful authentication event. So the following log event types would be considered successful login authentication:

s: Successful login
sepft: Successful exchange of password for token
ssa: Successful silent authentication
seoobft: Successful exchange of Password and OOB Challenge for Access Token
seotpft: Successful exchange of Password and OTP Challenge for Access Token
sercft: Successful exchange of Password and MFA Recovery code for Access Token
sertft: Successful exchange of Refresh Token for Access Token
seacft: Successful exchange of authorization code for Access Token
scoa: Success cross-origin authentication
sens: Successful native social exchange

However, you will be limited by the log retention period for your tenant.
In this case, using a Log Streaming service could help you build your own way of presenting this data over the long term, but that would require manual setup. More information about Log Streaming is available here: Log Streams.
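As an added example (not Auth0's own tooling), the script below counts distinct user_id values for one month across the event types listed above, and breaks the count down per connection to show why a single-connection export undercounts. It assumes the logs were exported as one JSON object per line with `date`, `type`, `user_id` and `connection` fields; the sample records and connection names are constructed.

```python
import json
from collections import defaultdict

# Event type codes the page lists as successful authentication activity.
MAU_EVENT_TYPES = {
    "s", "sepft", "ssa", "seoobft", "seotpft",
    "sercft", "sertft", "seacft", "scoa", "sens",
}

def monthly_active_users(lines, month):
    """Return (tenant-wide user_ids, user_ids per connection) for month 'YYYY-MM'."""
    tenant = set()
    per_connection = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated record: skip it, do not abort the audit
        if not isinstance(event, dict) or event.get("type") not in MAU_EVENT_TYPES:
            continue
        user_id = event.get("user_id")
        # Assumes ISO 8601 UTC timestamps, so a 'YYYY-MM' prefix selects the month.
        if not user_id or not str(event.get("date", "")).startswith(month):
            continue
        tenant.add(user_id)  # a set counts each user once, however often they log in
        per_connection[event.get("connection", "(none)")].add(user_id)
    return tenant, dict(per_connection)

# Constructed sample records (not real tenant data). The "f" record stands for a
# type outside the list above; the last record is deliberately truncated.
SAMPLE_LOGS = """
{"date": "2024-03-02T10:00:00.000Z", "type": "s", "user_id": "auth0|a1", "connection": "db-customers"}
{"date": "2024-03-05T11:30:00.000Z", "type": "sertft", "user_id": "auth0|a1", "connection": "db-customers"}
{"date": "2024-03-09T08:15:00.000Z", "type": "ssa", "user_id": "auth0|b2", "connection": "db-partners"}
{"date": "2024-03-12T09:00:00.000Z", "type": "f", "user_id": "auth0|c3", "connection": "db-customers"}
{"date": "2024-03-20T14:45:00.000Z", "type": "sertft", "user_id": "auth0|d4", "connection": "db-partners"}
{"date": "2024-04-01T00:05:00.000Z", "type": "s", "user_id": "auth0|e5", "connection": "db-customers"}
{"date": "2024-03-21T12:00:00.000Z", "type": "s", "user
""".splitlines()

if __name__ == "__main__":
    tenant, by_conn = monthly_active_users(SAMPLE_LOGS, "2024-03")
    print("tenant-wide MAU:", len(tenant))
    for conn, users in sorted(by_conn.items()):
        print(f"  {conn}: {len(users)}")
```

On the sample data the tenant-wide count is larger than the count for either connection alone, which is the same gap the problem statement describes.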
