ADFS Auth Followed by Privileged Azure AD Action
16 ADFS Auth Privileged Action
Query
let ADFSUsers =
ADFSSignInLogs
| where TimeGenerated > ago(2h)
| where ResultType == 0
| summarize LastADFSSignIn = max(TimeGenerated), ADFSIPs = make_set(IPAddress)
by UserPrincipalName;
AuditLogs
| where TimeGenerated > ago(2h)
| where Category in (
"RoleManagement", "ApplicationManagement", "GroupManagement",
"Policy", "DeviceManagement", "UserManagement"
)
| extend UPN = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(UPN)
| join kind=inner ADFSUsers on $left.UPN == $right.UserPrincipalName
| where (TimeGenerated - LastADFSSignIn) between (0m .. 60m)
| project
AuditTime = TimeGenerated,
UserPrincipalName = UPN,
OperationName,
AuditResult = Result,
Category,
TargetResources,
LastADFSSignIn,
ADFSIPs,
TimeSinceADFSAuth = (TimeGenerated - LastADFSSignIn)
| order by AuditTime descExplanation
This query is designed to detect potential security threats involving the misuse of authentication tokens. Here's a simplified explanation:
-
Purpose: The query identifies when a user logs in through Active Directory Federation Services (ADFS) and then performs a privileged action in Azure Active Directory within 60 minutes. This pattern may indicate that a stolen ADFS-issued token is being used for unauthorized administrative actions.
-
Data Sources: It uses logs from two data sources:
- ADFSSignInLogs: To track user sign-ins via ADFS.
- AuditLogs: To monitor privileged actions in Azure AD, such as role management, application management, group management, policy changes, device management, and user management.
-
Process:
- It first identifies users who have successfully signed in via ADFS in the last 2 hours.
- Then, it checks if these users performed any privileged actions in Azure AD within 60 minutes of their ADFS sign-in.
- If such actions are detected, it suggests a potential security threat, possibly involving a stolen token.
-
Alerting:
- If the query finds any matches, it generates an alert with a high severity level.
- The alert includes details like the user's name, the operation performed, and the time since the ADFS authentication.
-
Security Context:
- The query is associated with tactics like Privilege Escalation, Persistence, and Defense Evasion, which are part of the MITRE ATT&CK framework.
- Relevant techniques include using valid accounts, account manipulation, and using alternate authentication material.
-
Incident Management:
- The query is configured to create incidents for detected threats, with options for grouping related alerts into a single incident for easier management.
Overall, this query helps security teams identify and respond to potential misuse of authentication tokens, which could indicate a sophisticated attack on their identity infrastructure.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 2h