Query Details

Non-Interactive Sign-Ins by Identity Protection Risky Users

15 NI Auth Risky Users

Query

let HighRiskUsers =
    AADRiskyUsers
    | where RiskState in ("atRisk", "confirmedCompromised")
    | where RiskLevel in ("high", "medium")
    | project UserPrincipalName, RiskLevel, RiskState, RiskDetail;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
    SilentCount  = count(),
    Countries    = make_set(Location),
    IPs          = make_set(IPAddress),
    Apps         = make_set(AppDisplayName),
    LastActivity = max(TimeGenerated)
  by UserPrincipalName
| join kind=inner HighRiskUsers on UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| project
    UserPrincipalName,
    RiskLevel,
    RiskState,
    RiskDetail,
    SilentCount,
    Countries,
    IPAddress,
    Apps,
    LastActivity
| order by SilentCount desc

Explanation

This query is designed to detect users who are flagged as high or medium risk by Azure AD Identity Protection but continue to authenticate silently through non-interactive token refreshes. Here's a simplified breakdown:

  1. Purpose: The query identifies users who are considered at risk or compromised by Azure AD Identity Protection and are still able to authenticate without user interaction, suggesting that an attacker might have persistent access.

  2. Data Sources: It uses data from Azure Active Directory, specifically:

    • Non-interactive user sign-in logs.
    • Risky user information.
  3. Frequency: The query runs every hour and looks at data from the past hour.

  4. Detection Logic:

    • It first identifies users with a high or medium risk level who are marked as "at risk" or "confirmed compromised."
    • Then, it checks for non-interactive sign-ins by these users within the last hour.
    • It counts the number of these silent sign-ins and gathers information about the locations, IP addresses, and applications involved.
  5. Output: The query outputs a list of users with details such as their risk level, the number of silent sign-ins, and associated IP addresses and applications. The results are sorted by the number of silent sign-ins.

  6. Alerting: If any such activity is detected, an alert is generated with details about the user and their risk level. This alert indicates that the user is still performing non-interactive sign-ins despite being flagged as risky.

  7. Incident Management: The query is configured to create incidents for detected cases, with grouping enabled to manage related alerts efficiently.

Overall, this query helps security teams identify potential security breaches where attackers maintain access to compromised accounts through non-interactive authentication methods.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADRiskyUsersAADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsAADRiskyUsersUserPrincipalNameRiskLevelRiskStateRiskDetailTimeGeneratedResultTypeLocationIPAddressAppDisplayNameSilentCountCountriesIPsAppsLastActivityAccountFullNameAddress

Operators

letinprojectwhereagosummarizemake_setmaxbyjoinkindonextendtostringorder bydesc

Severity

High

Tactics

CredentialAccessPersistenceDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub