ADFS Legacy Authentication Protocol - MFA Bypass via User Agent
14 ADFS Legacy Auth MFA Bypass
Query
let LegacyPatterns = dynamic([
"ActiveSync", "IMAP4", "IMAP", "POP3", "SMTP", "ExchangeWebServices",
"AutoDiscover", "EWS", "OutlookAnywhere", "MAPI",
"Microsoft Office", "MSExchangeFBA"
]);
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where UserAgent has_any (LegacyPatterns)
| where ResultType == 0
| summarize
SignInCount = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
UserAgents = make_set(UserAgent, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName, AppDisplayName
| where SignInCount > 3
| order by SignInCount descExplanation
This query is designed to detect potential security risks associated with the use of legacy authentication protocols in Active Directory Federation Services (ADFS). Here's a simplified breakdown:
-
Purpose: The query identifies successful ADFS logins using older protocols like ActiveSync, IMAP, POP3, and others. These protocols don't support Multi-Factor Authentication (MFA), making them a security risk as they can bypass MFA and Conditional Access controls.
-
Detection Method: Since the ADFSSignInLogs don't directly indicate which client app was used, the query relies on patterns in the UserAgent string to identify legacy protocols.
-
Criteria: It looks for users with more than three successful logins using these legacy protocols within the last day. This indicates active use of these protocols, which should be blocked.
-
Severity: The alert is marked with a medium severity level, indicating a moderate risk.
-
Frequency: The query runs every four hours and checks logs from the past day.
-
Output: If the criteria are met, it generates an alert with details like the number of sign-ins, IP addresses used, countries of access, and the UserAgent strings. It also provides a summary of when these logins first and last occurred.
-
Alert Details: The alert includes the username and the application used, highlighting the risk of bypassing MFA.
-
Incident Management: If an alert is triggered, it creates an incident and groups related alerts by account to manage them effectively.
Overall, this query helps security teams monitor and mitigate risks associated with legacy authentication methods that could compromise account security.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 4h
Period: 1d