Entra Connector Sign-in Outside Allowlisted Public IP
10 AAD Prov Sync Signin Outside Allowlist
Query
// Allowlisted Entra Connect server IPs - falls back to empty set if watchlist missing
let AllowedIPs =
_GetWatchlist('EntraConnect_HighValueAssets')
| where tostring(Tags) has "EntraIDConnect"
| project IPAddress = tostring(IPAddress);
let SyncSignIns =
union isfuzzy=true
(SigninLogs | where TimeGenerated > ago(1h)),
(AADNonInteractiveUserSignInLogs | where TimeGenerated > ago(1h))
| where ResultType == 0
| where UserPrincipalName startswith "Sync_"
or UserPrincipalName contains "DirSync"
or UserDisplayName has "On-Premises Directory Synchronization Service Account";
SyncSignIns
| where IPAddress !in (AllowedIPs) or isempty(IPAddress)
| summarize
SigninCount = count(),
Apps = make_set(AppDisplayName, 10),
ClientApps = make_set(ClientAppUsed, 5),
UserAgents = make_set(UserAgent, 5),
Locations = make_set(Location, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName, IPAddress
| order by SigninCount descExplanation
This query is designed to detect potentially unauthorized sign-ins to an Entra Connector account from IP addresses that are not on an approved list. Here's a simple breakdown:
-
Purpose: It identifies successful sign-ins from specific synchronization accounts (like
Sync_*orOn-Premises Directory Synchronization Service Account) that originate from IP addresses not included in a predefined list of allowed IPs. This is important because these accounts should only sign in from specific, known IP ranges associated with the Entra Connect server. -
Data Sources: The query uses data from Azure Active Directory sign-in logs, specifically targeting both interactive and non-interactive sign-ins.
-
Detection Logic:
- It first retrieves the list of allowed IP addresses from a watchlist tagged as
EntraIDConnect. - It then checks for any sign-ins from the specified accounts within the last hour.
- If a sign-in comes from an IP address not on the allowed list, it is flagged as notable.
- It first retrieves the list of allowed IP addresses from a watchlist tagged as
-
Output: The query summarizes the findings, showing the number of sign-ins, the applications used, client apps, user agents, locations, and the time range of these sign-ins for each account and IP address combination.
-
Alerting: If any unauthorized sign-ins are detected, an alert is generated with details about the account and IP address involved. The alert is categorized as high severity due to the potential security risk.
-
Incident Management: The system is set up to create an incident for each alert, grouping related alerts by account and IP address to help with investigation.
Overall, this query helps in monitoring and securing Entra Connector accounts by ensuring they only authenticate from trusted IP addresses, thereby preventing potential misuse or configuration errors.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h