Query Details

15 ADFS ROPC Device Code Flow

Query

id: c5d6e7f8-a9b0-4c1d-2e3f-4a5b6c7d8e9f
name: ADFS ROPC or Device Code Flow Authentication Detected
version: 1.0.0
kind: Scheduled
description: |
  Detects ADFS authentication flows using Resource Owner Password Credentials (ROPC) or
  Device Code flow. ROPC passes credentials directly in OAuth requests, bypassing interactive
  authentication and Conditional Access claims checks. Device Code flow is actively abused in
  phishing campaigns where victims are tricked into entering codes on legitimate-looking pages.
  Both flows can bypass ADFS-layer MFA requirements depending on federation configuration.
  MITRE ATT&CK: T1078 (Valid Accounts), T1566 (Phishing)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - ADFSSignInLogs
queryFrequency: 30m
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1566
query: |
  ADFSSignInLogs
  | where TimeGenerated > ago(4h)
  | where AuthenticationProcessingDetails has_any ("ROPC", "ropc", "DeviceCode", "device_code", "deviceCode")
      or UserAgent has_any ("ROPC", "device_code", "devicecode", "PublicClientApp")
  | summarize
      Count     = count(),
      IPs       = make_set(IPAddress),
      Countries = make_set(Location),
      Apps      = make_set(AppDisplayName),
      Errors    = make_set(ResultType),
      Reqs      = make_set(AuthenticationRequirement),
      FirstSeen = min(TimeGenerated),
      LastSeen  = max(TimeGenerated)
    by UserPrincipalName
  | order by Count desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
customDetails:
  SignInCount: Count
  Countries: Countries
alertDetailsOverride:
  alertDisplayNameFormat: "ADFS ROPC/DeviceCode Flow - {{UserPrincipalName}} - {{Count}} events"
  alertDescriptionFormat: "User {{UserPrincipalName}} was detected using ROPC or Device Code auth flow via ADFS ({{Count}} events). These flows bypass MFA and are abused in phishing attacks."
  alertSeverityColumnName: ""
  alertTacticsColumnName: ""
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious authentication activities in Active Directory Federation Services (ADFS) that use either the Resource Owner Password Credentials (ROPC) or Device Code flow. These methods can bypass multi-factor authentication (MFA) and are often exploited in phishing attacks. Here's a simple breakdown:

  • Purpose: To identify ADFS authentication attempts using ROPC or Device Code, which can bypass MFA and are used in phishing.
  • Severity: High, because a sign-in completed through these flows can evade the MFA and Conditional Access checks that interactive authentication would enforce.
  • Data Source: It uses logs from Azure Active Directory, specifically ADFSSignInLogs.
  • Frequency: The query runs every 30 minutes and looks at data from the past 4 hours.
  • Detection Logic: It searches the AuthenticationProcessingDetails and UserAgent columns for keyword variants of ROPC and Device Code (for example "ropc", "device_code", "DeviceCode", "PublicClientApp").
  • Output: It summarizes the findings by user, showing the number of attempts, IP addresses, countries, applications, errors, and the time range of the activities.
  • Alerts: If any suspicious activity is detected, an alert is generated with details about the user and the number of events.
  • Incident Management: Incidents are created for detected activities, with the ability to group related alerts by user account.

Overall, this query helps security teams monitor and respond to potential unauthorized access attempts that exploit specific authentication flows in ADFS.
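To make the rule's where/summarize logic concrete, here is a Python replay of it over constructed ADFSSignInLogs rows. This is an added example, not part of the published rule: `has_any()` is approximated with case-insensitive substring matching, and the user names, TEST-NET addresses and result codes in the sample rows are invented.

```python
# Replay of the rule's where/summarize logic over constructed rows (added example, not the published rule).
from collections import defaultdict

# Search terms copied from the rule's two has_any() lists.
DETAIL_TERMS = ("ROPC", "ropc", "DeviceCode", "device_code", "deviceCode")
UA_TERMS = ("ROPC", "device_code", "devicecode", "PublicClientApp")

# Constructed sample rows (TEST-NET addresses, made-up tenant); only the columns the query reads.
SAMPLE_LOGS = [
    {"TimeGenerated": "2026-03-24T08:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "AuthenticationProcessingDetails": "OAuth2 grant: ROPC", "UserAgent": "Mozilla/5.0", "IPAddress": "203.0.113.10",
     "Location": "NL", "AppDisplayName": "Graph Explorer", "ResultType": "0", "AuthenticationRequirement": "singleFactorAuthentication"},
    {"TimeGenerated": "2026-03-24T08:05:00Z", "UserPrincipalName": "alice@contoso.example",
     "AuthenticationProcessingDetails": "OAuth2 grant: device_code", "UserAgent": "PublicClientApp/1.0", "IPAddress": "198.51.100.7",
     "Location": "US", "AppDisplayName": "Microsoft Office", "ResultType": "50126", "AuthenticationRequirement": "singleFactorAuthentication"},
    {"TimeGenerated": "2026-03-24T08:10:00Z", "UserPrincipalName": "bob@contoso.example",
     "AuthenticationProcessingDetails": "WS-Fed passive", "UserAgent": "Mozilla/5.0", "IPAddress": "203.0.113.22",
     "Location": "NL", "AppDisplayName": "Office 365", "ResultType": "0", "AuthenticationRequirement": "multiFactorAuthentication"},
    {"TimeGenerated": "2026-03-24T08:12:00Z", "UserPrincipalName": "carol@contoso.example",
     "AuthenticationProcessingDetails": "OAuth2 grant: authorization_code", "UserAgent": "devicecode-cli/2.0", "IPAddress": "198.51.100.9",
     "Location": "DE", "AppDisplayName": "Azure CLI", "ResultType": "0", "AuthenticationRequirement": "singleFactorAuthentication"},
]

def has_any(value, terms):
    """Stand-in for KQL has_any(): case-insensitive (so the rule's 'ROPC'/'ropc' pair is redundant);
    plain substring matching here simplifies Kusto's whole-term matching."""
    v = (value or "").lower()
    return any(t.lower() in v for t in terms)

def matches_rule(row):
    """The rule's where clause: the indicator may sit in either column."""
    return (has_any(row.get("AuthenticationProcessingDetails"), DETAIL_TERMS)
            or has_any(row.get("UserAgent"), UA_TERMS))

def summarize_by_user(rows):
    """summarize ... by UserPrincipalName | order by Count desc, in plain Python."""
    groups = defaultdict(list)
    for row in rows:
        if matches_rule(row):
            groups[row["UserPrincipalName"]].append(row)
    def make_set(hits, col):  # KQL make_set(): distinct values, sorted here for stable output
        return sorted({r[col] for r in hits})
    results = []
    for upn, hits in groups.items():
        times = make_set(hits, "TimeGenerated")  # ISO-8601 strings sort chronologically
        results.append({"UserPrincipalName": upn, "Count": len(hits), "IPs": make_set(hits, "IPAddress"),
                        "Countries": make_set(hits, "Location"), "Apps": make_set(hits, "AppDisplayName"),
                        "Errors": make_set(hits, "ResultType"), "Reqs": make_set(hits, "AuthenticationRequirement"),
                        "FirstSeen": times[0], "LastSeen": times[-1]})
    return sorted(results, key=lambda r: r["Count"], reverse=True)
```

Over the sample rows, alice is reported first with two events spanning NL and US, carol with one event that matched only through the UserAgent column, and bob's WS-Fed sign-in is not reported at all.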

Details

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogs

Keywords

ADFS, Authentication, OAuth, Credentials, Phishing, MFA, Federation, AzureActiveDirectory, ADFSSignInLogs, TimeGenerated, UserAgent, IPAddress, Location, AppDisplayName, ResultType, AuthenticationRequirement, UserPrincipalName, Account, FullName

Operators

ago, has_any, summarize, count, make_set, min, max, order by