Successful device code sign-in
Successful Device Code Authentication
Query
IdentityLogonEvents
| where ActionType == @"LogonSuccess"
| where LogonType == @"Cmsi:Cmsi"
| extend Application = tostring(parse_json(AdditionalFields).['ARG.CLOUD_SERVICE']),
Country = geo_info_from_ip_address(IPAddress).country
| project-reorder Timestamp, AccountUpn, LogonType, ActionType, Application, IPAddress, CountryAbout this query
Explanation
This query is designed to identify successful sign-ins to an organization's Entra ID (formerly Azure Active Directory) using device code authentication. It specifically looks for logon events where the action type is "LogonSuccess" and the logon type is "Cmsi:Cmsi," which indicates device code authentication.
The query extracts additional information such as the application used for the sign-in and the country from which the sign-in originated, based on the IP address. This information is then organized in a specific order for easier analysis.
The query can be run in both Microsoft Defender XDR and Microsoft Sentinel environments, with slight differences in the timestamp field used for ordering the results.
It is important to note that if you are already ingesting AADSignInEventsBeta or SigninLogs, you should not use this query. Additionally, there is a potential for false positives from the Microsoft Authentication Broker application, which can be filtered out if necessary.
The query is relevant to the MITRE ATT&CK technique T1566.002, which involves phishing through spearphishing links. The risk associated with this query is that an adversary could potentially sign in to the organization using device code authentication, which could be part of a phishing campaign.
Details

Bert-Jan Pals
Released: February 21, 2025
Tables
Keywords
Operators