Query Details

Interactive / Browser Sign-in by Sync Service Account

14 AAD Prov Sync Account Interactive Signin

Query

SigninLogs
| extend IPAddress = tostring(IPAddress)
| invoke ExcludeAllowlistedIPs()
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where UserPrincipalName startswith "Sync_"
     or UserPrincipalName contains "DirSync"
     or UserDisplayName has "On-Premises Directory Synchronization Service Account"
// High-fidelity signals only: real interactive browser sign-in, or a
// first-party admin surface app. "Mobile Apps and Desktop clients" is
// intentionally excluded - the sync service itself authenticates via that
// class for non-interactive token refresh and would generate FPs.
| where ClientAppUsed == "Browser"
     or AppDisplayName in~ (
          "Microsoft Azure portal",
          "Microsoft Graph PowerShell",
          "Microsoft Graph Explorer",
          "Azure Active Directory PowerShell",
          "Azure CLI",
          "Microsoft Azure CLI"
      )
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ClientAppUsed, UserAgent, ConditionalAccessStatus,
          CorrelationId, ResultType
| order by TimeGenerated desc

Explanation

This query is designed to detect suspicious sign-in activities involving Entra Connector accounts, which are typically used for directory synchronization. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where a synchronization account (like Sync_* or On-Premises Directory Synchronization Service Account) signs in interactively or uses a browser. These accounts should only perform non-interactive tasks, so interactive or browser-based sign-ins are considered suspicious.

  2. Why It Matters: Such sign-ins could indicate that an attacker has stolen the sync account credentials and is using them manually to access Azure services, which is a security risk.

  3. Detection Method:

    • The query checks the SigninLogs for the past hour.
    • It filters out sign-ins from allowlisted IPs.
    • It looks for successful sign-ins (ResultType == 0) by accounts with names starting with "Sync_" or containing "DirSync".
    • It specifically checks for sign-ins using a browser or certain administrative applications like the Azure portal or Azure CLI.
  4. Response: If such an activity is detected, an alert is generated with details like the time, user account, IP address, and application used. The alert suggests possible credential theft and is classified as high severity.

  5. Additional Features:

    • The query runs every hour.
    • It creates incidents for detected activities, grouping them by account for better management.
    • It aligns with specific MITRE ATT&CK techniques related to unauthorized account access and credential theft.

Overall, this query helps security teams quickly identify and respond to potential security breaches involving synchronization accounts.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

SigninLogs

Keywords

SigninLogsEntraConnectorAccountAzureActiveDirectoryMicrosoftAzurePortalMicrosoftGraphPowerShellMicrosoftGraphExplorerAzureActiveDirectoryPowerShellAzureCLIMicrosoftAzureCLIUserPrincipalNameIPAddressLocationAppDisplayNameClientAppUsedUserAgentConditionalAccessStatusCorrelationIdResultType

Operators

extendtostringinvokeExcludeAllowlistedIPswhereagostartswithcontainshasin~projectorder bydesc

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub