ADFS ROPC or Device Code Flow Authentication Detected
15 ADFS ROPC Device Code Flow
Query
ADFSSignInLogs
| where TimeGenerated > ago(4h)
| where AuthenticationProcessingDetails has_any ("ROPC", "ropc", "DeviceCode", "device_code", "deviceCode")
or UserAgent has_any ("ROPC", "device_code", "devicecode", "PublicClientApp")
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
Errors = make_set(ResultType),
Reqs = make_set(AuthenticationRequirement),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| order by Count descExplanation
This query is designed to detect suspicious authentication activities in Active Directory Federation Services (ADFS) that use either the Resource Owner Password Credentials (ROPC) or Device Code flow. These methods can bypass multi-factor authentication (MFA) and are often exploited in phishing attacks. Here's a simple breakdown:
- Purpose: To identify ADFS authentication attempts using ROPC or Device Code, which can bypass MFA and are used in phishing.
- Severity: High, due to the potential security risks.
- Data Source: It uses logs from Azure Active Directory, specifically ADFSSignInLogs.
- Frequency: The query runs every 30 minutes and looks at data from the past 4 hours.
- Detection Logic: It searches for specific keywords related to ROPC and Device Code in authentication details and user agents.
- Output: It summarizes the findings by user, showing the number of attempts, IP addresses, countries, applications, errors, and the time range of the activities.
- Alerts: If any suspicious activity is detected, an alert is generated with details about the user and the number of events.
- Incident Management: Incidents are created for detected activities, with the ability to group related alerts by user account.
Overall, this query helps security teams monitor and respond to potential unauthorized access attempts that exploit specific authentication flows in ADFS.
Details

David Alonso
Released: March 24, 2026
Tables
ADFSSignInLogs
Keywords
ADFSAuthenticationOAuthCredentialsPhishingMFAFederationAzureActiveDirectoryADFSSignInLogsTimeGeneratedUserAgentIPAddressLocationAppDisplayNameResultTypeAuthenticationRequirementUserPrincipalNameAccountFullName
Operators
agohas_anysummarizecountmake_setminmaxorder by
Severity
HighTactics
InitialAccessCredentialAccess
Frequency: 30m
Period: 4h