ADFS Single-Factor Authentication - MFA Control Bypass
11 ADFS MFA Gap Single Factor
Query
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where AuthenticationRequirement == "singleFactorAuthentication"
and TokenIssuerType == "ADFederationServices"
| summarize
Count = count(),
Apps = make_set(AppDisplayName),
IPs = make_set(IPAddress),
Countries = make_set(Location),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| order by Count descExplanation
This query is designed to detect instances where users are logging into systems using Active Directory Federation Services (ADFS) with only a single factor of authentication, such as a password, when multi-factor authentication (MFA) should be required. This situation can occur due to misconfigurations or deliberate bypasses and poses a security risk as it might allow attackers to access accounts using stolen passwords.
Here's a breakdown of the query:
- Purpose: Identify users who have successfully logged in using only a password when MFA should be enforced.
- Data Source: It uses logs from Azure Active Directory, specifically the ADFSSignInLogs.
- Time Frame: The query looks at logins from the past day (1 day).
- Conditions: It filters for successful logins (
ResultType == 0) where only single-factor authentication was used and the token was issued by ADFS. - Output: For each user, it counts the number of such logins, lists the applications accessed, IP addresses used, countries from which logins originated, and the time range of these logins.
- Alerting: If any such logins are detected, an alert is generated with details about the user and the number of single-factor logins. The alert is classified with a medium severity level and is associated with tactics like Credential Access and Defense Evasion.
- Incident Management: The system can create incidents based on these alerts, grouping them by user account to manage and investigate potential security breaches effectively.
Overall, this query helps identify potential security gaps in the authentication process, allowing for timely investigation and remediation.
Details

David Alonso
Released: March 24, 2026
Tables
ADFSSignInLogs
Keywords
ADFSAzureActiveDirectoryADFSSignInLogsUserAccountAppDisplayNameIPAddressLocationUserPrincipalNameTimeGenerated
Operators
|where==andsummarizecount()make_set()min()max()byorder bydesc
Severity
MediumTactics
CredentialAccessDefenseEvasion
Frequency: 4h
Period: 1d