Query Details

Entra Connector Sign-in Outside Allowlisted Public IP

10 AAD Prov Sync Signin Outside Allowlist

Query

// Allowlisted Entra Connect server IPs - falls back to empty set if watchlist missing
let AllowedIPs =
    _GetWatchlist('EntraConnect_HighValueAssets')
    | where tostring(Tags) has "EntraIDConnect"
    | project IPAddress = tostring(IPAddress);
let SyncSignIns =
    union isfuzzy=true
      (SigninLogs                          | where TimeGenerated > ago(1h)),
      (AADNonInteractiveUserSignInLogs     | where TimeGenerated > ago(1h))
    | where ResultType == 0
    | where UserPrincipalName startswith "Sync_"
         or UserPrincipalName contains "DirSync"
         or UserDisplayName has "On-Premises Directory Synchronization Service Account";
SyncSignIns
| where IPAddress !in (AllowedIPs) or isempty(IPAddress)
| summarize
    SigninCount  = count(),
    Apps         = make_set(AppDisplayName, 10),
    ClientApps   = make_set(ClientAppUsed, 5),
    UserAgents   = make_set(UserAgent, 5),
    Locations    = make_set(Location, 5),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
  by UserPrincipalName, IPAddress
| order by SigninCount desc

Explanation

This query is designed to detect potentially unauthorized sign-ins to an Entra Connector account from IP addresses that are not on an approved list. Here's a simple breakdown:

  1. Purpose: It identifies successful sign-ins from specific synchronization accounts (like Sync_* or On-Premises Directory Synchronization Service Account) that originate from IP addresses not included in a predefined list of allowed IPs. This is important because these accounts should only sign in from specific, known IP ranges associated with the Entra Connect server.

  2. Data Sources: The query uses data from Azure Active Directory sign-in logs, specifically targeting both interactive and non-interactive sign-ins.

  3. Detection Logic:

    • It first retrieves the list of allowed IP addresses from a watchlist tagged as EntraIDConnect.
    • It then checks for any sign-ins from the specified accounts within the last hour.
    • If a sign-in comes from an IP address not on the allowed list, it is flagged as notable.
  4. Output: The query summarizes the findings, showing the number of sign-ins, the applications used, client apps, user agents, locations, and the time range of these sign-ins for each account and IP address combination.

  5. Alerting: If any unauthorized sign-ins are detected, an alert is generated with details about the account and IP address involved. The alert is categorized as high severity due to the potential security risk.

  6. Incident Management: The system is set up to create an incident for each alert, grouping related alerts by account and IP address to help with investigation.

Overall, this query helps in monitoring and securing Entra Connector accounts by ensuring they only authenticate from trusted IP addresses, thereby preventing potential misuse or configuration errors.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

EntraConnectServerIPsSigninLogsAADNon-InteractiveUserSign-InPrincipalNameDisplayIPAddressAppClientUsedAgentLocationTimeGeneratedAccount

Operators

let_GetWatchlistwheretostringhasprojectunionisfuzzyagostartswithcontainssummarizecountmake_setminmaxbyorderdesc!inisempty

Severity

High

Tactics

InitialAccessPersistence

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub