Sign-in activity from external/internal privileged user without MFA claim in the token.
Sign In From External Privileged User Without MFA Claim
Query
// Get a list of all active/permanent directory role members of the last 14 days
let AdminsWithEntraIdRoles = IdentityInfo
| where TimeGenerated >ago(14d)
| where isnotempty(AssignedRoles) and AssignedRoles != "[]"
| summarize by AccountUPN;
// Get a list of all privileged users by RegEx
let adminAccountRegex = toscalar(_GetWatchlist('wl_sentinel_AdminRegex') | project Regex);
let AdminAccounts = IdentityInfo
| where TimeGenerated >ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where AccountUPN matches regex adminAccountRegex
| summarize by AccountUPN;
// combine Admins
let AllAdmins = union AdminAccounts, AdminsWithEntraIdRoles | summarize by AccountUPN;
// combine Logs
union AADNonInteractiveUserSignInLogs, SigninLogs
| where ResultType == "0" and UserPrincipalName in~ (AdminAccounts)
// Sign-in to the tenant which is running the query
| where AADTenantId == ResourceTenantId
| where TimeGenerated >ago(1h)
| extend Status = iff(isempty( Status_dynamic ), todynamic(Status_string), Status_dynamic)
// Exclude Windows Sign-in, Registration Client and Microsoft Authentication Broker
| where AppId !in ("29d9ed98-a469-4536-ade2-f981bc1d605e", "38aa3b87-a06d-4817-b275-7a316988d93b", "dd762716-544d-4aeb-a526-687b73838a22")
| where not(Status.additionalDetails has_any("MFA completed in Azure AD", "MFA requirement satisfied by"))
// adjust AlertName to include User type (Internal/External)
| extend AlertName = iff( (HomeTenantId == ResourceTenantId) , "Sign-in activity from privileged user without MFA claim in the token", "Sign-in activity from (external) privileged user without MFA claim in the token")
| project TimeGenerated, AlertName, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, CorrelationId, HomeTenantId, AppDisplayNameExplanation
This query is designed to monitor Azure Active Directory sign-in events to detect privileged users who are accessing resources without Multi-Factor Authentication (MFA) being satisfied in their token claims. Here's a simplified breakdown of what the query does:
-
Identify Privileged Users:
- It creates a list of privileged users by checking for directory role members from the last 14 days and using a regular expression to identify users with admin-like account names from a predefined watchlist.
-
Combine Admin Lists:
- It merges the lists of privileged users identified from directory roles and the watchlist.
-
Analyze Sign-in Logs:
- It examines sign-in logs from the past hour for these privileged users.
- It filters out sign-ins that were successful (ResultType "0") and occurred within the same tenant running the query.
- It excludes certain applications (like Windows Sign-in and Microsoft Authentication Broker) from the analysis.
-
Check for MFA Claims:
- It specifically looks for sign-ins where MFA was not completed or required, as indicated by the absence of specific details in the status.
-
Generate Alerts:
- It creates alerts for these sign-in activities, distinguishing between internal and external users based on whether the home tenant matches the resource tenant.
-
Alert Details:
- The alert includes details such as the time of the event, user principal name, IP address, correlation ID, home tenant ID, and application display name.
The query is scheduled to run every hour, analyzing data from the past 14 days, and triggers an alert if any such sign-in activities are detected. The severity of the alert is set to medium, and it is associated with the "Initial Access" tactic and the "T1078" technique.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 14d