ADFS Golden SAML - Unexpected Token Issuer Detected
10 ADFS Golden SAML Unknown Issuer
Query
// IMPORTANT: Replace placeholder values with your actual ADFS federation service names
let KnownADFSIssuers = dynamic([
"YOUR_ADFS_FEDERATION_SERVICE_NAME", // e.g. "adfs.contoso.com"
"urn:federation:MicrosoftOnline"
]);
ADFSSignInLogs
| where TimeGenerated > ago(4h)
| where ResultType == 0
| where TokenIssuerType == "ADFederationServices"
| where TokenIssuerName !in (KnownADFSIssuers)
and isnotempty(TokenIssuerName)
| summarize
Count = count(),
Users = make_set(UserPrincipalName),
Apps = make_set(AppDisplayName),
IPs = make_set(IPAddress),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by TokenIssuerName
| order by Count descExplanation
This query is designed to detect potential security threats related to ADFS (Active Directory Federation Services) sign-ins. Specifically, it looks for instances where the TokenIssuerName, which identifies the source of a security token, is not recognized as a legitimate federation service endpoint for the organization. This can indicate a "Golden SAML" attack, where attackers forge SAML assertions using an unauthorized issuer name.
Here's a simplified breakdown of the query:
-
Purpose: To identify suspicious ADFS sign-ins that may indicate a Golden SAML attack by checking for unrecognized token issuers.
-
Severity: High, as this is considered a critical security event.
-
Data Source: The query uses data from Azure Active Directory's ADFSSignInLogs.
-
Frequency: The query runs every 15 minutes and looks at data from the past 4 hours.
-
Logic:
- It filters sign-in logs to find successful sign-ins (ResultType == 0) where the TokenIssuerType is "ADFederationServices".
- It checks if the TokenIssuerName is not in the list of known and legitimate ADFS issuers.
- If an unknown issuer is detected, it summarizes the data, including the number of occurrences, users involved, applications accessed, IP addresses used, and the time range of the activity.
-
Output: The query orders the results by the number of occurrences and generates alerts with details about the suspicious activity, including the unknown issuer name and the number of tokens issued.
-
Action: If such an event is detected, an incident is created to alert security teams, and the details are grouped by the unknown TokenIssuerName for further investigation.
Before deploying this query, it's crucial to configure the list of known ADFS issuers to match the organization's environment to avoid false positives.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 4h