Query Details

11 ADFS MFA Gap Single Factor

Query

id: e1f2a3b4-c5d6-4e7f-8a9b-0c1d2e3f4a5b
name: ADFS Single-Factor Authentication - MFA Control Bypass
version: 1.0.0
kind: Scheduled
description: |
  Detects users successfully authenticating through ADFS with only single-factor authentication
  (password only) when MFA should be enforced. The pattern of singleFactorAuthentication combined
  with ADFS token issuance indicates the MFA control is not being applied at the federation layer,
  creating a window for attackers using stolen passwords. This may indicate misconfigured ADFS
  claim rules, broken Conditional Access policies, or deliberate bypass via legacy clients.
  MITRE ATT&CK: T1078 (Valid Accounts), T1556 (Modify Authentication Process)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 4h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1556
query: |
  ADFSSignInLogs
  | where TimeGenerated > ago(1d)
  // ResultType is a string column in ADFSSignInLogs; "0" is a successful sign-in
  | where ResultType == "0"
  | where AuthenticationRequirement == "singleFactorAuthentication"
      and TokenIssuerType == "ADFederationServices"
  | summarize
      Count     = count(),
      Apps      = make_set(AppDisplayName),
      IPs       = make_set(IPAddress),
      Countries = make_set(Location),
      FirstSeen = min(TimeGenerated),
      LastSeen  = max(TimeGenerated)
    by UserPrincipalName
  | order by Count desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
customDetails:
  SignInCount: Count
  Countries: Countries
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS MFA Gap - {{UserPrincipalName}} authenticated with single factor"
  alertDescriptionFormat: "User {{UserPrincipalName}} completed {{Count}} ADFS authentications using only single-factor authentication. MFA may not be enforced on the federation path."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query detects successful sign-ins through Active Directory Federation Services (ADFS) that completed with a single factor, typically just a password, in an environment where multi-factor authentication (MFA) is expected. That can happen through misconfigured ADFS claim rules, Conditional Access policies that never reach the federated path, or legacy clients that are never prompted for a second factor. The result is an account protected by nothing more than a password, which is exactly what an attacker holding stolen credentials needs.

Here's a breakdown of the query:

  • Purpose: Identify users who have successfully signed in with a password alone where MFA should have been enforced.
  • Data Source: The ADFSSignInLogs table, which holds AD FS sign-in events collected by Microsoft Entra Connect Health and is exposed through the Azure Active Directory (Microsoft Entra ID) connector.
  • Time Frame: Each run looks at the past day of sign-ins. Because the rule runs every 4 hours over a 1-day window, one sign-in can be returned by up to six consecutive runs; the incident grouping described below is what keeps that from becoming six separate incidents.
  • Conditions: It keeps only successful sign-ins (ResultType "0") where AuthenticationRequirement is singleFactorAuthentication and TokenIssuerType is ADFederationServices, i.e. the token was issued by AD FS rather than by Entra ID.
  • Output: For each user, it counts the matching sign-ins, lists the applications accessed, the source IP addresses and the countries of origin, and records the first and last time such a sign-in was seen.
  • Alerting: Any matching row produces an alert (trigger threshold greater than 0) naming the user and the number of single-factor sign-ins. The alert carries Medium severity and is mapped to the Credential Access and Defense Evasion tactics (T1078, T1556).
  • Incident Management: Alerts are grouped into incidents by the Account entity with a 12-hour lookback, so repeated alerts for the same user are folded into one incident; a closed incident is not reopened.

Overall, this query surfaces sign-ins that reached an application on the federation path without a second factor, allowing timely investigation and remediation. One caveat a practitioner should keep in mind: the query itself has no knowledge of which users or applications are actually subject to an MFA policy. singleFactorAuthentication only means that no second factor was required for that sign-in, so any account or application that is legitimately exempt will be returned on every sign-in. Scoping the results to the users or applications MFA is meant to cover, for example through a watchlist of in-scope accounts, is the expected tuning before treating a hit as a real gap.
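The following is an added example, not code from the original rule page or from Microsoft: it replays the rule's filter-and-summarize logic in Python over a handful of constructed ADFSSignInLogs-style records (UPNs, applications, IPs and locations are invented) so the effect of each condition can be seen, and it adds a hypothetical `mfa_scope` parameter, which the original KQL does not have, to show the scoping step the caveat above describes.

```python
"""Added example, not part of the original rule page or Microsoft's own code:
the ADFS single-factor rule's logic replayed in Python over constructed
ADFSSignInLogs-style records, with a hypothetical MFA-scope tuning hook."""
from datetime import datetime, timedelta

T0 = datetime(2026, 3, 24, 8, 0, 0)
NOW = T0 + timedelta(hours=12)          # pretend the rule runs at T0 + 12h


def _rec(upn, app, ip, loc, when, result="0",
         auth="singleFactorAuthentication", issuer="ADFederationServices"):
    """Build one constructed record using the ADFSSignInLogs column names the rule reads."""
    return {"TimeGenerated": when, "ResultType": result, "AuthenticationRequirement": auth,
            "TokenIssuerType": issuer, "UserPrincipalName": upn, "AppDisplayName": app,
            "IPAddress": ip, "Location": loc}


# Constructed sample data (every value below is invented for illustration).
SAMPLE_LOGS = [
    # alice: two password-only ADFS sign-ins, two apps, two countries -> flagged
    _rec("alice@example.com", "Office 365 Exchange Online", "198.51.100.10", "US", T0),
    _rec("alice@example.com", "SharePoint Online", "203.0.113.7", "DE", T0 + timedelta(hours=3)),
    # bob: MFA was required and satisfied -> not flagged
    _rec("bob@example.com", "Office 365 Exchange Online", "198.51.100.11", "US",
         T0 + timedelta(hours=1), auth="multiFactorAuthentication"),
    # carol: single factor, but the sign-in failed (bad password) -> not flagged
    _rec("carol@example.com", "Office 365 Exchange Online", "198.51.100.12", "US",
         T0 + timedelta(hours=2), result="50126"),
    # dave: single factor, but the token came from Entra ID, not ADFS -> not flagged
    _rec("dave@example.com", "Azure Portal", "198.51.100.13", "US",
         T0 + timedelta(hours=4), issuer="AzureAD"),
    # erin: single factor via ADFS, but two days old -> outside the 1d window
    _rec("erin@example.com", "Office 365 Exchange Online", "198.51.100.14", "US",
         T0 - timedelta(days=2)),
    # svc-scanner: single factor via ADFS, deliberately exempt from MFA -> noise
    _rec("svc-scanner@example.com", "Legacy Reporting", "10.0.0.5", "US",
         T0 + timedelta(hours=5)),
]

# Hypothetical tuning input (not in the original rule): the users MFA is meant to cover.
MFA_REQUIRED_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def adfs_single_factor(records, now=NOW, lookback=timedelta(days=1), mfa_scope=None):
    """Mirror of the KQL: successful (ResultType "0") ADFS-issued sign-ins with
    AuthenticationRequirement == singleFactorAuthentication inside the lookback,
    summarised per UserPrincipalName and ordered by Count descending.
    mfa_scope is the added tuning hook: when given, users outside it are dropped."""
    per_user = {}
    for r in records:
        if r["TimeGenerated"] <= now - lookback:                      # ago(1d)
            continue
        if r["ResultType"] != "0":                                    # successful only
            continue
        if r["AuthenticationRequirement"] != "singleFactorAuthentication":
            continue
        if r["TokenIssuerType"] != "ADFederationServices":
            continue
        upn = r["UserPrincipalName"]
        if mfa_scope is not None and upn not in mfa_scope:            # hypothetical scoping
            continue
        agg = per_user.setdefault(upn, {"Count": 0, "Apps": set(), "IPs": set(),
                                        "Countries": set(), "FirstSeen": r["TimeGenerated"],
                                        "LastSeen": r["TimeGenerated"]})
        agg["Count"] += 1
        agg["Apps"].add(r["AppDisplayName"])       # make_set(AppDisplayName)
        agg["IPs"].add(r["IPAddress"])             # make_set(IPAddress)
        agg["Countries"].add(r["Location"])        # make_set(Location)
        agg["FirstSeen"] = min(agg["FirstSeen"], r["TimeGenerated"])
        agg["LastSeen"] = max(agg["LastSeen"], r["TimeGenerated"])
    return sorted(per_user.items(), key=lambda kv: kv[1]["Count"], reverse=True)


if __name__ == "__main__":
    for upn, agg in adfs_single_factor(SAMPLE_LOGS):
        print(upn, agg["Count"], sorted(agg["Apps"]), sorted(agg["Countries"]))
    print("scoped:", [u for u, _ in adfs_single_factor(SAMPLE_LOGS, mfa_scope=MFA_REQUIRED_USERS)])
```

Run unscoped, the function returns alice (two sign-ins) and the MFA-exempt service account, which is the noise the caveat warns about; bob, carol, dave and erin each fail exactly one of the rule's conditions. Passing the in-scope user set leaves only alice, which is the hit worth investigating.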

Details


David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFS, AzureActiveDirectory, ADFSSignInLogs, UserAccount, AppDisplayName, IPAddress, Location, UserPrincipalName, TimeGenerated

Operators

|, where, ==, and, summarize, count(), make_set(), min(), max(), by, order by, desc
