Query Details
id: c0d6e8f9-a4b5-7c1d-2e3f-4a5b6c7d8e9f
name: Non-Interactive Sign-Ins by Identity Protection Risky Users
version: 1.0.0
kind: Scheduled
description: |
  Detects users flagged as High or Medium risk by Azure AD Identity Protection
  who continue to silently authenticate via non-interactive token refreshes.
  When Identity Protection flags a user as at-risk or compromised but silent
  token activity continues, it indicates that an attacker may have retained
  persistent access that bypasses the risk-based Conditional Access controls.
  MITRE ATT&CK: T1078 (Valid Accounts), T1528 (Steal Application Access Token)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
      - AADRiskyUsers
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1528
  - T1550
query: |
  let HighRiskUsers =
      AADRiskyUsers
      // AADRiskyUsers keeps a row per risk-state update; keep only each user's latest
      // state so users that were already remediated or dismissed no longer match
      | summarize arg_max(TimeGenerated, *) by UserPrincipalName
      | where RiskState in ("atRisk", "confirmedCompromised")
      | where RiskLevel in ("high", "medium")
      | project UserPrincipalName, RiskLevel, RiskState, RiskDetail;
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == 0  // successful token refreshes only
  | summarize
      SilentCount = count(),
      Countries = make_set(Location),
      IPs = make_set(IPAddress),
      Apps = make_set(AppDisplayName),
      LastActivity = max(TimeGenerated)
    by UserPrincipalName
  | join kind=inner HighRiskUsers on UserPrincipalName
  | extend IPAddress = tostring(IPs[0])
  | project
      UserPrincipalName,
      RiskLevel,
      RiskState,
      RiskDetail,
      SilentCount,
      Countries,
      IPAddress,
      Apps,
      LastActivity
  | order by SilentCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  RiskLevel: RiskLevel
  RiskState: RiskState
  RiskDetail: RiskDetail
  SilentSignInCount: SilentCount
alertDetailsOverride:
  alertDisplayNameFormat: "Risky User Silent Auth - {{UserPrincipalName}} ({{RiskLevel}} risk) has active non-interactive tokens"
  alertDescriptionFormat: "User {{UserPrincipalName}} is flagged as {{RiskLevel}} risk but performed {{SilentCount}} non-interactive sign-ins. Identity Protection risk state has not blocked silent token use."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
This query detects users whom Azure AD Identity Protection has flagged as high or medium risk but who continue to authenticate silently through non-interactive token refreshes. Here is a simplified breakdown:
Purpose: The query identifies users that Identity Protection considers at risk or compromised and that are still able to obtain tokens without any user interaction, which suggests that an attacker may hold persistent access (for example, a refresh token issued before the risk was detected).
Data Sources: It uses data from Azure Active Directory, specifically the AADNonInteractiveUserSignInLogs table (token refreshes and other sign-ins that happen without user interaction) and the AADRiskyUsers table (the Identity Protection risk level, risk state and risk detail for each user).
Frequency: The query runs every hour and looks at data from the past hour.
Detection Logic: It first builds the set of users whose risk state is atRisk or confirmedCompromised and whose risk level is high or medium. It then takes the successful (ResultType 0) non-interactive sign-ins from the past hour, aggregates them per user (number of sign-ins, set of countries, set of IP addresses, set of applications and the time of the last sign-in), and keeps only the users that appear in both sets by means of an inner join.
Output: The query outputs one row per matched user with the risk level, risk state and risk detail, the number of silent sign-ins, and the associated countries, IP address and applications. The results are sorted by the number of silent sign-ins in descending order.
Alerting: If any such activity is detected, an alert is generated with details about the user and their risk level. The alert states that the user is still performing non-interactive sign-ins despite being flagged as risky, i.e. that the risk state alone has not stopped silent token use.
Incident Management: The rule creates an incident for every detection, with grouping by the Account entity enabled so that repeated alerts for the same user over a five-hour window are collected into one incident.
Overall, this query helps security teams identify potential breaches in which an attacker maintains access to a compromised account through non-interactive authentication, a path that risk-based Conditional Access policies, which are evaluated at interactive sign-in, do not necessarily interrupt.
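To make the detection logic concrete, here is an added Python model of the rule (example code written for this page, not part of the rule, Microsoft Sentinel or Identity Protection) run over constructed sample rows. It assumes the column names of the two tables as used above, and it deduplicates AADRiskyUsers to each user's latest row before filtering, so a user whose newest risk state is "remediated" no longer matches even though an older "atRisk" row exists.

```python
from datetime import datetime, timedelta
T = datetime.fromisoformat  # alias for the constructed UTC timestamps below

# Constructed sample rows, not real tenant data. AADRiskyUsers appends a row on every
# risk-state change, so bob has an older "atRisk" row and a newer "remediated" one.
RISKY_USERS = [
    {"TimeGenerated": T("2026-05-29T08:00"), "UserPrincipalName": "alice@contoso.example",
     "RiskLevel": "high", "RiskState": "atRisk", "RiskDetail": "none"},
    {"TimeGenerated": T("2026-05-29T09:30"), "UserPrincipalName": "bob@contoso.example",
     "RiskLevel": "medium", "RiskState": "atRisk", "RiskDetail": "none"},
    {"TimeGenerated": T("2026-05-29T10:15"), "UserPrincipalName": "bob@contoso.example",
     "RiskLevel": "none", "RiskState": "remediated", "RiskDetail": "userPerformedSecuredPasswordReset"},
]
SILENT_SIGNINS = [  # AADNonInteractiveUserSignInLogs rows; ResultType 0 is a successful refresh
    {"TimeGenerated": T("2026-05-29T11:05"), "UserPrincipalName": "alice@contoso.example",
     "ResultType": 0, "Location": "US", "IPAddress": "203.0.113.10", "AppDisplayName": "Microsoft Teams"},
    {"TimeGenerated": T("2026-05-29T11:40"), "UserPrincipalName": "alice@contoso.example",
     "ResultType": 0, "Location": "NL", "IPAddress": "198.51.100.7", "AppDisplayName": "Exchange Online"},
    {"TimeGenerated": T("2026-05-29T11:20"), "UserPrincipalName": "alice@contoso.example",
     "ResultType": 50173, "Location": "NL", "IPAddress": "198.51.100.7", "AppDisplayName": "Outlook"},
    {"TimeGenerated": T("2026-05-29T11:30"), "UserPrincipalName": "bob@contoso.example",
     "ResultType": 0, "Location": "US", "IPAddress": "203.0.113.20", "AppDisplayName": "Microsoft Teams"},
]

def latest_risk_state(rows):
    """Like `summarize arg_max(TimeGenerated, *) by UserPrincipalName`: newest row per user."""
    latest = {}
    for r in rows:
        cur = latest.get(r["UserPrincipalName"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["UserPrincipalName"]] = r
    return latest

def risky_silent_signins(risky_rows, signin_rows, now, window=timedelta(hours=1)):
    """Model of the rule: current high/medium risky users joined to their successful silent sign-ins."""
    high_risk = {u: r for u, r in latest_risk_state(risky_rows).items()
                 if r["RiskState"] in ("atRisk", "confirmedCompromised") and r["RiskLevel"] in ("high", "medium")}
    agg = {}
    for s in signin_rows:
        if s["ResultType"] != 0 or s["TimeGenerated"] <= now - window or s["UserPrincipalName"] not in high_risk:
            continue  # failed refresh, outside the 1h window, or user not currently at risk (inner join)
        a = agg.setdefault(s["UserPrincipalName"], {"SilentCount": 0, "Countries": set(), "IPs": [],
                                                    "Apps": set(), "LastActivity": s["TimeGenerated"]})
        a["SilentCount"] += 1
        a["Countries"].add(s["Location"]); a["Apps"].add(s["AppDisplayName"])
        if s["IPAddress"] not in a["IPs"]:
            a["IPs"].append(s["IPAddress"])  # first-seen order; KQL make_set gives IPs[0] no such guarantee
        a["LastActivity"] = max(a["LastActivity"], s["TimeGenerated"])
    rows = [{"UserPrincipalName": u, **{k: high_risk[u][k] for k in ("RiskLevel", "RiskState", "RiskDetail")},
             **a, "IPAddress": a["IPs"][0]} for u, a in agg.items()]
    return sorted(rows, key=lambda r: r["SilentCount"], reverse=True)
```

Running it with `now` at 12:00 returns only alice with two silent sign-ins (the failed refresh is dropped), while bob is excluded because his latest risk state is no longer atRisk.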

David Alonso
Released: May 29, 2026