Query Details

AzureAD - Basic Authentication

Azure AD Basic Auth

Query

SigninLogs
| extend IsLegacyAuth = 
case(ClientAppUsed contains "Browser", "No", 
ClientAppUsed contains "Mobile Apps and Desktop clients", "No",
ClientAppUsed contains "Exchange ActiveSync", "No",
ClientAppUsed contains "Authenticated SMTP", "Yes",
ClientAppUsed contains "Other clients", "Yes", "Unknown") 
| where IsLegacyAuth == 'Yes'
| where ResultType == 0

About this query

Explanation

The query is used to identify basic authentication activities in Azure AD. It checks the signin logs and non-interactive signin logs for activities where legacy authentication methods are used. Legacy authentication methods include browser, mobile apps and desktop clients, Exchange ActiveSync, authenticated SMTP, and other clients. The query filters the results to only include activities with a result type of 0, indicating a successful authentication. The query can be run separately for signin logs, non-interactive signin logs, or both combined.

Details

Alex Verboon profile picture

Alex Verboon

Released: September 23, 2023

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

AzureADBasic AuthenticationSigninLogsAADNonInteractiveUserSignInLogsIsLegacyAuthClientAppUsedBrowserMobile Apps and Desktop clientsExchange ActiveSyncAuthenticated SMTPOther clientsUnknownResultType

Operators

extendcasecontainswhereunionisfuzzy

Actions

GitHub