Query Details

ADFS ROPC or Device Code Flow Authentication Detected

15 ADFS ROPC Device Code Flow

Query

ADFSSignInLogs
| where TimeGenerated > ago(4h)
| where AuthenticationProcessingDetails has_any ("ROPC", "ropc", "DeviceCode", "device_code", "deviceCode")
   or   UserAgent has_any ("ROPC", "device_code", "devicecode", "PublicClientApp")
| summarize
    Count     = count(),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location),
    Apps      = make_set(AppDisplayName),
    Errors    = make_set(ResultType),
    Reqs      = make_set(AuthenticationRequirement),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName
| order by Count desc

Explanation

This query is designed to detect suspicious authentication activities in Active Directory Federation Services (ADFS) that use either the Resource Owner Password Credentials (ROPC) or Device Code flow. These methods can bypass multi-factor authentication (MFA) and are often exploited in phishing attacks. Here's a simple breakdown:

  • Purpose: To identify ADFS authentication attempts using ROPC or Device Code, which can bypass MFA and are used in phishing.
  • Severity: High, due to the potential security risks.
  • Data Source: It uses logs from Azure Active Directory, specifically ADFSSignInLogs.
  • Frequency: The query runs every 30 minutes and looks at data from the past 4 hours.
  • Detection Logic: It searches for specific keywords related to ROPC and Device Code in authentication details and user agents.
  • Output: It summarizes the findings by user, showing the number of attempts, IP addresses, countries, applications, errors, and the time range of the activities.
  • Alerts: If any suspicious activity is detected, an alert is generated with details about the user and the number of events.
  • Incident Management: Incidents are created for detected activities, with the ability to group related alerts by user account.

Overall, this query helps security teams monitor and respond to potential unauthorized access attempts that exploit specific authentication flows in ADFS.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFSAuthenticationOAuthCredentialsPhishingMFAFederationAzureActiveDirectoryADFSSignInLogsTimeGeneratedUserAgentIPAddressLocationAppDisplayNameResultTypeAuthenticationRequirementUserPrincipalNameAccountFullName

Operators

agohas_anysummarizecountmake_setminmaxorder by

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 30m

Period: 4h

Actions

GitHub