Provisioning Failure Burst - Single Job
01 AAD Prov Failure Burst
Query
AADProvisioningLogs
| where TimeGenerated > ago(1h)
| where ResultType =~ "Failure"
| extend SPName = tostring(parse_json(ServicePrincipal).Name)
| extend Source = tostring(parse_json(SourceIdentity).IdentityType)
| extend Target = tostring(parse_json(TargetIdentity).IdentityType)
| summarize
Failures = count(),
AffectedTargets = dcount(TargetIdentity),
ErrorCodes = make_set(ResultSignature, 10),
ErrorMessages = make_set(ResultDescription, 10),
Operations = make_set(OperationName, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by JobId, SPName, Source, Target
// Conservative threshold - normal retry storms rarely exceed 30/hour per job
| where Failures >= 30
| order by Failures descExplanation
This query is designed to detect unusual bursts of provisioning failures within a specific job or cycle in Azure Active Directory. Here's a simple breakdown:
-
Purpose: The query identifies a high number of provisioning failures (30 or more) within a single hour for a specific job. This could indicate potential issues such as attacks on the provisioning system, credential problems, or malicious activities.
-
Data Source: It uses logs from Azure Active Directory, specifically the
AADProvisioningLogs. -
Process:
- It looks at logs from the past hour where the result was a failure.
- It extracts and organizes information like the service principal name, source and target identities, error codes, and messages.
- It counts the number of failures and identifies unique affected targets and error details.
- It filters for jobs with 30 or more failures, which is above normal retry levels.
-
Output: The query orders the results by the number of failures, highlighting the most problematic jobs.
-
Alerting: If such a burst is detected, an alert is generated with details like the job ID, application name, and number of failures. This helps in quickly identifying and investigating potential issues.
-
Severity and Tactics: The alert is marked with medium severity and is linked to tactics like Persistence and Defense Evasion, referencing specific MITRE ATT&CK techniques.
-
Incident Management: If an incident is created, it can be grouped by cloud application, and the system is configured to handle incidents efficiently, without reopening closed ones unless necessary.
Overall, this query helps in monitoring and responding to potential security threats or system issues related to provisioning in Azure Active Directory.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1h