Query Details
id: b4c5d6e7-f8a9-4b0c-1d2e-3f4a5b6c7d8e
name: ADFS Legacy Authentication Protocol - MFA Bypass via User Agent
version: 1.0.0
kind: Scheduled
description: |
  Detects successful ADFS authentications from clients using legacy protocols
  (ActiveSync, IMAP, POP3, EWS, MAPI, SMTP, etc.) that cannot complete an MFA
  challenge. Because ADFSSignInLogs has no ClientAppUsed column, detection is
  based on UserAgent string patterns. A legacy sign-in only succeeds where policy
  exempts it from MFA, so every success is a path around the MFA and Conditional
  Access controls that modern authentication would enforce. More than 3 successful
  legacy auth events per user and application in the lookback indicates active
  legacy protocol usage that should be blocked.
  MITRE ATT&CK: T1078 (Valid Accounts), T1550 (Use Alternate Authentication Material)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 4h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1550
query: |
  let LegacyPatterns = dynamic([
    "ActiveSync", "IMAP4", "IMAP", "POP3", "SMTP", "ExchangeWebServices",
    "AutoDiscover", "EWS", "OutlookAnywhere", "MAPI",
    "Microsoft Office", "MSExchangeFBA"
  ]);
  ADFSSignInLogs
  | where TimeGenerated > ago(1d)
  // has_any matches whole terms, so "IMAP" alone would not match "IMAP4"; both are listed
  | where UserAgent has_any (LegacyPatterns)
  // ResultType is a string column; "0" is a successful sign-in
  | where ResultType == "0"
  | summarize
      SignInCount = count(),
      IPs = make_set(IPAddress),
      Countries = make_set(Location),
      UserAgents = make_set(UserAgent, 5),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName
  | where SignInCount > 3
  | order by SignInCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
customDetails:
  SignInCount: SignInCount
  AppDisplayName: AppDisplayName
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS Legacy Auth Detected - {{UserPrincipalName}} via {{AppDisplayName}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} completed {{SignInCount}} ADFS sign-ins via legacy protocol app {{AppDisplayName}}. Legacy auth cannot satisfy MFA and sidesteps Conditional Access controls that require modern authentication."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
This rule flags accounts that are successfully authenticating through Active Directory Federation Services (ADFS) with legacy protocols. In plain terms:
Purpose: The query identifies successful ADFS sign-ins from clients using older protocols such as ActiveSync, IMAP, POP3, SMTP, EWS and MAPI. These clients cannot complete a Multi-Factor Authentication (MFA) challenge, so they only succeed where policy exempts them from MFA; every successful legacy sign-in is therefore a path around MFA and Conditional Access controls.
Detection Method: ADFSSignInLogs has no ClientAppUsed column, so the query matches the UserAgent string against a list of protocol names with has_any. has_any matches whole terms rather than substrings, which is why both "IMAP4" and "IMAP" appear in the list: "IMAP" on its own would not match the term "IMAP4". Be aware that "Microsoft Office" and "AutoDiscover" also appear in the user agents of modern-auth Outlook clients, so the pattern list will need tuning (or exclusions for known modern clients) in most tenants.
Criteria: More than three successful sign-ins (ResultType "0") per user and application within the last day. This indicates active use of a legacy protocol, which should be blocked rather than tolerated.
Severity: Medium, reflecting a real but not by itself conclusive weakening of authentication controls.
Frequency: The query runs every four hours over the past day. Because the lookback (1d) is longer than the interval (4h), the same activity can surface in up to six consecutive runs; the 12-hour incident grouping below absorbs those repeats.
Output: Each result carries the number of sign-ins, the set of source IP addresses, the countries of access, up to five distinct UserAgent strings, and the first and last sign-in times, all grouped by user and application.
Alert Details: The alert title and description name the user and the application and state that the sign-ins used a legacy protocol that cannot satisfy MFA.
Incident Management: Each alert creates an incident; alerts for the same Account entity within 12 hours are grouped into one incident so that a user's repeated legacy sign-ins are handled together.
Overall, this query gives security teams visibility into legacy authentication through ADFS so that the responsible clients can be identified and blocked before the MFA gap is exploited.
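The following Python replays the rule's detection logic over constructed ADFSSignInLogs-style rows so the grouping, the threshold and the term semantics of KQL has_any can be checked offline. This is an added example and not part of the published rule; the users, IP addresses (from documentation ranges) and most user-agent strings are invented, and kql_has is an approximation of the Kusto operator (whole alphanumeric terms, case-insensitive, phrase terms adjacent and in order), not Kusto itself.

```python
"""Replay of the ADFS legacy-auth rule over constructed sample rows (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same pattern list as the rule's LegacyPatterns.
LEGACY_PATTERNS = [
    "ActiveSync", "IMAP4", "IMAP", "POP3", "SMTP", "ExchangeWebServices",
    "AutoDiscover", "EWS", "OutlookAnywhere", "MAPI",
    "Microsoft Office", "MSExchangeFBA",
]

_TERM = re.compile(r"[A-Za-z0-9]+")


def terms(text):
    """Split text into KQL-style terms (runs of alphanumerics), lower-cased."""
    return [t.lower() for t in _TERM.findall(text)]


def kql_has(text, phrase):
    """Approximation of KQL 'has': the phrase's terms must occur as adjacent whole
    terms of text, in order, case-insensitively. This is why the rule lists both
    "IMAP4" and "IMAP": has "IMAP" does not match the single term IMAP4."""
    t, p = terms(text), terms(phrase)
    if not p or len(p) > len(t):
        return False
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))


def has_any(text, phrases):
    return any(kql_has(text, p) for p in phrases)


def detect(rows, patterns=LEGACY_PATTERNS, threshold=3, ua_cap=5):
    """Equivalent of the rule's where / summarize / where pipeline."""
    groups = defaultdict(list)
    for r in rows:
        # ResultType is a string column in Sentinel sign-in tables; "0" is success.
        if r["ResultType"] != "0":
            continue
        if not has_any(r["UserAgent"], patterns):
            continue
        groups[(r["UserPrincipalName"], r["AppDisplayName"])].append(r)
    results = []
    for (upn, app), rs in groups.items():
        if len(rs) <= threshold:  # SignInCount > 3
            continue
        results.append({
            "UserPrincipalName": upn,
            "AppDisplayName": app,
            "SignInCount": len(rs),
            "IPs": sorted({r["IPAddress"] for r in rs}),
            "Countries": sorted({r["Location"] for r in rs}),
            "UserAgents": sorted({r["UserAgent"] for r in rs})[:ua_cap],
            "FirstSeen": min(r["TimeGenerated"] for r in rs),
            "LastSeen": max(r["TimeGenerated"] for r in rs),
        })
    results.sort(key=lambda x: x["SignInCount"], reverse=True)
    return results


def _row(upn, app, ua, ip, loc, result, minute):
    base = datetime(2026, 3, 24, 8, 0, 0)
    return {"TimeGenerated": base + timedelta(minutes=minute),
            "UserPrincipalName": upn, "AppDisplayName": app, "UserAgent": ua,
            "IPAddress": ip, "Location": loc, "ResultType": result}


# Constructed sample rows: hypothetical users, documentation IP ranges, invented UAs.
EXO = "Office 365 Exchange Online"
OUTLOOK_UA = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328; Pro)"
SAMPLE_ROWS = (
    # alice: 4 successful IMAP4 sign-ins from two IPs -> alert
    [_row("alice@contoso.example", EXO, "MailClient/2.1 IMAP4",
          "203.0.113.10" if m < 3 else "198.51.100.7", "US", "0", m) for m in range(4)]
    # bob: only 3 ActiveSync sign-ins -> below threshold
    + [_row("bob@contoso.example", EXO, "Android-ActiveSync/9.0",
            "203.0.113.20", "DE", "0", m) for m in range(3)]
    # carol: 5 legacy attempts that all failed (ResultType "50126") -> ignored
    + [_row("carol@contoso.example", EXO, "MailClient/2.1 IMAP4",
            "203.0.113.30", "FR", "50126", m) for m in range(5)]
    # dave: 5 modern-auth Outlook sign-ins, caught only by the broad "Microsoft Office" pattern
    + [_row("dave@contoso.example", EXO, OUTLOOK_UA, "203.0.113.40", "US", "0", m) for m in range(5)]
    # erin: 6 browser sign-ins -> no legacy pattern matches
    + [_row("erin@contoso.example", "Microsoft 365", "Mozilla/5.0 (Windows NT 10.0) Edge/122.0",
            "203.0.113.50", "GB", "0", m) for m in range(6)]
)

# Tuning option: drop the ambiguous "Microsoft Office" pattern.
TUNED_PATTERNS = [p for p in LEGACY_PATTERNS if p != "Microsoft Office"]

if __name__ == "__main__":
    for hit in detect(SAMPLE_ROWS):
        print(hit["UserPrincipalName"], hit["AppDisplayName"], hit["SignInCount"], hit["IPs"])
    print("tuned:", [h["UserPrincipalName"] for h in detect(SAMPLE_ROWS, TUNED_PATTERNS)])
```

Running it shows dave (modern Outlook, matched only because his user agent starts with "Microsoft Office") ranked above alice (genuine IMAP4), while bob stays under the threshold and carol's failed attempts are ignored; with TUNED_PATTERNS only alice remains. That is the tuning decision the rule leaves to the analyst: keep the broad pattern and accept modern-auth noise, or remove it and rely on the protocol-specific terms.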

David Alonso
Released: March 24, 2026