Query Details

ADFS Legacy Authentication Protocol - MFA Bypass via User Agent

14 ADFS Legacy Auth MFA Bypass

Query

let LegacyPatterns = dynamic([
    "ActiveSync", "IMAP4", "IMAP", "POP3", "SMTP", "ExchangeWebServices",
    "AutoDiscover", "EWS", "OutlookAnywhere", "MAPI",
    "Microsoft Office", "MSExchangeFBA"
]);
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where UserAgent has_any (LegacyPatterns)
| where ResultType == 0
| summarize
    SignInCount = count(),
    IPs         = make_set(IPAddress),
    Countries   = make_set(Location),
    UserAgents  = make_set(UserAgent, 5),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName, AppDisplayName
| where SignInCount > 3
| order by SignInCount desc

Explanation

This query is designed to detect potential security risks associated with the use of legacy authentication protocols in Active Directory Federation Services (ADFS). Here's a simplified breakdown:

  • Purpose: The query identifies successful ADFS logins using older protocols like ActiveSync, IMAP, POP3, and others. These protocols don't support Multi-Factor Authentication (MFA), making them a security risk as they can bypass MFA and Conditional Access controls.

  • Detection Method: Since the ADFSSignInLogs don't directly indicate which client app was used, the query relies on patterns in the UserAgent string to identify legacy protocols.

  • Criteria: It looks for users with more than three successful logins using these legacy protocols within the last day. This indicates active use of these protocols, which should be blocked.

  • Severity: The alert is marked with a medium severity level, indicating a moderate risk.

  • Frequency: The query runs every four hours and checks logs from the past day.

  • Output: If the criteria are met, it generates an alert with details like the number of sign-ins, IP addresses used, countries of access, and the UserAgent strings. It also provides a summary of when these logins first and last occurred.

  • Alert Details: The alert includes the username and the application used, highlighting the risk of bypassing MFA.

  • Incident Management: If an alert is triggered, it creates an incident and groups related alerts by account to manage them effectively.

Overall, this query helps security teams monitor and mitigate risks associated with legacy authentication methods that could compromise account security.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSADFSSignInLogsUserAgentUserPrincipalNameAppDisplayNameIPAddressLocationTimeGeneratedAzureActiveDirectoryAccountFullName

Operators

letdynamicagohas_anysummarizecountmake_setminmaxbyorder by

Severity

Medium

Tactics

InitialAccessDefenseEvasion

MITRE Techniques

Frequency: 4h

Period: 1d

Actions

GitHub