Query Details

Non-Interactive Sign-Ins by Identity Protection Risky Users

15 NI Auth Risky Users

Query

let HighRiskUsers =
    AADRiskyUsers
    | where RiskState in ("atRisk", "confirmedCompromised")
    | where RiskLevel in ("high", "medium")
    | project UserPrincipalName, RiskLevel, RiskState, RiskDetail;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
    SilentCount  = count(),
    Countries    = make_set(Location),
    IPs          = make_set(IPAddress),
    Apps         = make_set(AppDisplayName),
    LastActivity = max(TimeGenerated)
  by UserPrincipalName
| join kind=inner HighRiskUsers on UserPrincipalName
| where SilentCount >= 5
| extend IPAddress = tostring(IPs[0])
| project
    UserPrincipalName,
    RiskLevel,
    RiskState,
    RiskDetail,
    SilentCount,
    Countries,
    IPAddress,
    Apps,
    LastActivity
| order by SilentCount desc

Explanation

This query is designed to detect users who have been flagged as high or medium risk by Azure AD Identity Protection but are still able to authenticate silently through non-interactive token refreshes. This situation suggests that an attacker might have persistent access to the account, bypassing risk-based Conditional Access controls.

Here's a breakdown of the query:

  1. Purpose: The query identifies users who are considered at risk or compromised and are still performing non-interactive sign-ins, which could indicate unauthorized access.

  2. Data Sources: It uses data from Azure Active Directory, specifically the AADNonInteractiveUserSignInLogs and AADRiskyUsers.

  3. Frequency: The query runs every hour and looks at data from the past hour.

  4. Logic:

    • It first filters users who are marked as "atRisk" or "confirmedCompromised" with a risk level of "high" or "medium".
    • It then checks for non-interactive sign-ins (successful token refreshes) in the past hour.
    • It counts these sign-ins and gathers information about the locations, IP addresses, and applications involved.
    • It joins this data with the list of high-risk users.
    • It filters for users with at least 5 non-interactive sign-ins.
  5. Output: The query outputs details such as the user's principal name, risk level, risk state, number of silent sign-ins, countries, IP addresses, applications used, and the time of the last activity.

  6. Alerting: If the conditions are met, an alert is generated with a high severity level. The alert includes details about the user and their risk status, and it triggers the creation of an incident.

  7. MITRE ATT&CK Techniques: The query is associated with techniques like T1078 (Valid Accounts), T1528 (Steal Application Access Token), and T1550 (Use Alternate Authentication Material), indicating potential credential access, persistence, and defense evasion tactics.

Overall, this query helps security teams identify potentially compromised accounts that continue to be accessed silently, allowing them to take appropriate action to secure the accounts.

Details

David Alonso profile picture

David Alonso

Released: July 16, 2026

Tables

AADRiskyUsersAADNonInteractiveUserSignInLogs

Keywords

UsersDevicesAzureADIdentityProtectionRiskyAccountsIPAddressesApplications

Operators

letinprojectwheresummarizemake_setmaxbyjoinkindonextendtostringorder bydesc

Severity

High

Tactics

CredentialAccessPersistenceDefenseEvasion

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub