Query Details

ADFS Auth by Entra ID Risky User

18 ADFS Risky User Active ADFS Auth

Query

let HighRiskUsers =
    AADRiskyUsers
    | where RiskState in ("atRisk", "confirmedCompromised")
    | where RiskLevel in ("high", "medium")
    | project UserPrincipalName, RiskLevel, RiskState, RiskDetail;
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| summarize
    ADFSCount      = count(),
    Countries      = make_set(Location),
    IPs            = make_set(IPAddress),
    Apps           = make_set(AppDisplayName),
    LastActivity   = max(TimeGenerated)
  by UserPrincipalName
| join kind=inner HighRiskUsers on UserPrincipalName
| project
    UserPrincipalName,
    RiskLevel,
    RiskState,
    RiskDetail,
    ADFSCount,
    Countries,
    IPs,
    Apps,
    LastActivity
| order by ADFSCount desc

Explanation

This query is designed to detect users who are considered high or medium risk by Entra ID Identity Protection and are authenticating through Active Directory Federation Services (ADFS). This is concerning because ADFS authentication can bypass cloud-based security measures that would typically block or challenge risky users. The query runs every hour and looks back over the past day to identify such users.

Here's a simple breakdown of what the query does:

  1. Identify Risky Users: It first identifies users flagged as high or medium risk by Entra ID, focusing on those whose accounts are either at risk or confirmed compromised.

  2. Check ADFS Sign-Ins: It then checks the ADFS sign-in logs for successful authentications (ResultType == 0) within the last day.

  3. Match and Summarize: The query matches these sign-ins with the identified risky users and summarizes the data, including the number of ADFS sign-ins, locations, IP addresses, applications used, and the last activity time.

  4. Alert Generation: If any matches are found, it generates an alert indicating that a risky user has authenticated via ADFS, bypassing cloud risk enforcement. The alert includes details like the user's risk level, the number of ADFS sign-ins, and other relevant information.

  5. Incident Management: The query is configured to create incidents for these alerts, grouping them by user account to manage and track the security incidents effectively.

Overall, this query helps identify potential security gaps where risky users might bypass cloud-based security controls by using ADFS for authentication.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

ADFSSignInLogsAADRiskyUsers

Keywords

ADFSAADRiskyUsersUserPrincipalNameRiskLevelRiskStateRiskDetailADFSSignInLogsTimeGeneratedResultTypeLocationIPAddressAppDisplayNameAccountFullNameIdentityProtectionConditionalAccess

Operators

letinprojectwhereago==summarizecountmake_setmaxbyjoinkindonorder bydesc

Severity

High

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub