Query Details

ADFS Single-Factor Authentication - MFA Control Bypass

11 ADFS MFA Gap Single Factor

Query

ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where AuthenticationRequirement == "singleFactorAuthentication"
   and  TokenIssuerType == "ADFederationServices"
| summarize
    Count     = count(),
    Apps      = make_set(AppDisplayName),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName
| order by Count desc

Explanation

This query is designed to detect instances where users are logging into systems using Active Directory Federation Services (ADFS) with only a single factor of authentication, such as a password, when multi-factor authentication (MFA) should be required. This situation can occur due to misconfigurations or deliberate bypasses and poses a security risk as it might allow attackers to access accounts using stolen passwords.

Here's a breakdown of the query:

  • Purpose: Identify users who have successfully logged in using only a password when MFA should be enforced.
  • Data Source: It uses logs from Azure Active Directory, specifically the ADFSSignInLogs.
  • Time Frame: The query looks at logins from the past day (1 day).
  • Conditions: It filters for successful logins (ResultType == 0) where only single-factor authentication was used and the token was issued by ADFS.
  • Output: For each user, it counts the number of such logins, lists the applications accessed, IP addresses used, countries from which logins originated, and the time range of these logins.
  • Alerting: If any such logins are detected, an alert is generated with details about the user and the number of single-factor logins. The alert is classified with a medium severity level and is associated with tactics like Credential Access and Defense Evasion.
  • Incident Management: The system can create incidents based on these alerts, grouping them by user account to manage and investigate potential security breaches effectively.

Overall, this query helps identify potential security gaps in the authentication process, allowing for timely investigation and remediation.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSAzureActiveDirectoryADFSSignInLogsUserAccountAppDisplayNameIPAddressLocationUserPrincipalNameTimeGenerated

Operators

|where==andsummarizecount()make_set()min()max()byorder bydesc

Severity

Medium

Tactics

CredentialAccessDefenseEvasion

MITRE Techniques

Frequency: 4h

Period: 1d

Actions

GitHub