Unusual Azure AD Conditional Access Failures
Unusual AAD Conditional Access Failures
Query
BehaviorAnalytics
| where ActivityInsights.UnusualNumberOfAADConditionalAccessFailures == "True"
| extend UserPrincipalName = tolower(UserPrincipalName)
| join kind=inner (
union SigninLogs, AADNonInteractiveUserSignInLogs
| where ConditionalAccessStatus == "failure"
| mv-expand ConditionalAccessPolicies_dynamic
| extend ConditionalAccessResult = parse_json(ConditionalAccessPolicies_dynamic.result)
| extend ConditionalAccessName = parse_json(ConditionalAccessPolicies_dynamic.displayName)
| extend ConditionalAccessId = parse_json(ConditionalAccessPolicies_dynamic.id)
| extend ConditionalAccessEnforcedControl = parse_json(tostring(ConditionalAccessPolicies_dynamic.enforcedGrantControls))
| extend SourceIPAddress = IPAddress
| extend UserPrincipalName = tolower(UserPrincipalName)
| where ConditionalAccessResult == "failure"
| project TimeGenerated, UserDisplayName, UserPrincipalName, SourceIPAddress, tostring(ConditionalAccessName), tostring(ConditionalAccessId), tostring(ConditionalAccessResult), tostring(ConditionalAccessEnforcedControl), ResultType, ResultDescription, CorrelationId, IPAddress, AADTenantId
) on UserPrincipalName, SourceIPAddress
| distinct UserDisplayName, UserPrincipalName, ConditionalAccessName, ConditionalAccessId, ConditionalAccessEnforcedControl, ResultType, ResultDescription, CorrelationId, AADTenantId, IPAddress
| summarize count() by UserDisplayName, UserPrincipalName, ConditionalAccessName, ConditionalAccessId, ConditionalAccessEnforcedControl, ResultType, ResultDescription, AADTenantId, IPAddress
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddressExplanation
This query is designed to identify unusual numbers of Azure AD Conditional Access failures by using Behavior Analytics information in Microsoft Sentinel. It correlates these failures with sign-in logs and provides information about the Conditional Access policy that may be blocking access. The query frequency is set to once a day, and the query period is also one day. The severity of this query is medium. The relevant techniques for this query are InitialAccess and Persistence. The query filters the BehaviorAnalytics data to find unusual numbers of Conditional Access failures, then joins it with the SigninLogs and AADNonInteractiveUserSignInLogs data. It extracts relevant information such as user details, source IP address, Conditional Access policy details, and result information. The query then summarizes the data and maps it to the Account and IP entities.
Details

Thomas Naunheim
Released: August 23, 2023
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1d
Period: 1d