Identity Single Factor Connectionsto Azure
Query
//Find any single factor sign ins to Azure resources such as the Azure portal
//Data connector required for this query - Azure Active Directory - Signin Logs
//Microsoft Sentinel query
SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName has "Azure"
| where ResultType == 0
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize ['Single Factor Authentications']=make_set(UserPrincipalName) by AppDisplayName
| extend ['User Count'] = array_length(['Single Factor Authentications'])
| order by ['User Count'] desc
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting with Azure AD P2 License
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where Application has "Azure"
| where ErrorCode == 0
| where LogonType == @"[""interactiveUser""]"
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize ['Single Factor Authentications']=make_set(AccountUpn) by Application
| extend ['User Count'] = array_length(['Single Factor Authentications'])
| order by ['User Count'] descExplanation
The query is looking for single factor sign-ins to Azure resources, specifically the Azure portal. It uses different data connectors depending on the query platform being used (Microsoft Sentinel or Advanced Hunting).
In the Microsoft Sentinel query:
- It filters the sign-in logs from the past 7 days.
- It further filters the logs to only include sign-ins to Azure resources with a result type of 0 (successful sign-ins).
- It narrows down the results to only include sign-ins that used single factor authentication.
- It groups the sign-ins by the application display name and counts the number of unique users.
- Finally, it orders the results by the user count in descending order.
In the Advanced Hunting query:
- It filters the sign-in events from the past 7 days.
- It further filters the events to only include sign-ins to Azure resources with an error code of 0 (successful sign-ins).
- It narrows down the results to only include sign-ins that used single factor authentication and interactive user logon type.
- It groups the sign-ins by the application name and counts the number of unique users.
- Finally, it orders the results by the user count in descending order.
Details

Matt Zorich
Released: June 17, 2022
Tables
SigninLogsAADSignInEventsBeta
Keywords
SigninLogsTimeGeneratedAppDisplayNameAzureResultTypeAuthenticationRequirementUserPrincipalNameUser Count
AADSignInEventsBetaTimestampApplicationErrorCodeLogonTypeAccountUpnUser Count
Operators
| where>agohas==summarizemake_setbyextendarray_lengthorder by