Successful device code sign-in from unmanaged device
Successful Device Code Authentication Unmanaged Device
Query
AADSignInEventsBeta
// Filter only successful sign-ins
| where ErrorCode == 0
| where EndpointCall == "Cmsi:Cmsi"
// Filter on unmanaged devices
| where isempty(AadDeviceId)
// Optionally filter only on sign-ins with a risklevel associated with the sign-in
//| where RiskLevelDuringSignIn in(10, 50, 100)
| project-reorder TimeGenerated, AccountUpn, EndpointCall, ErrorCode, RiskLevelDuringSignIn, Application, ApplicationId, Country, IPAddressAbout this query
Explanation
This query is designed to identify successful sign-ins to your organization's Entra ID (formerly Azure AD) using device code authentication from devices that are not managed by your organization. Essentially, it helps you spot instances where someone has logged in from an unmanaged device, which could be a security risk.
Here's a simplified breakdown:
-
Purpose: The query aims to detect successful logins using device code authentication from unmanaged devices. This is important because such logins might indicate unauthorized access or a potential security threat.
-
Context: The query is associated with a specific MITRE ATT&CK technique related to phishing, specifically spearphishing links. This suggests that the query is part of a broader effort to detect and mitigate phishing attacks.
-
Risk: The main risk highlighted is that an adversary could successfully sign in to your organization using this method, potentially leading to unauthorized access to sensitive information.
-
Query Details:
- Defender XDR: This part of the query checks for successful sign-ins (where
ErrorCode == 0) using a specific endpoint call (Cmsi:Cmsi) and filters out managed devices by checking if theAadDeviceIdis empty. - Sentinel: Similarly, this part checks for successful sign-ins (
ResultType == 0) using thedeviceCodeauthentication protocol and filters out managed devices by checking ifDeviceDetail.deviceIdis empty.
- Defender XDR: This part of the query checks for successful sign-ins (where
-
Optional Filters: Both queries allow for additional filtering based on the risk level during sign-in, which can help prioritize cases that might need more immediate attention.
-
False Positives: The query notes that the Microsoft Authentication Broker application can generate false positives, so it suggests filtering out results related to this application to avoid unnecessary alerts.
Overall, this query is a tool for security teams to monitor and respond to potential unauthorized access attempts via unmanaged devices, helping to protect the organization's digital assets.
Details

Bert-Jan Pals
Released: February 19, 2025
Tables
Keywords
Operators