ADFS Auth by Entra ID Risky User
18 ADFS Risky User Active ADFS Auth
Query
let HighRiskUsers =
AADRiskyUsers
| where RiskState in ("atRisk", "confirmedCompromised")
| where RiskLevel in ("high", "medium")
| project UserPrincipalName, RiskLevel, RiskState, RiskDetail;
ADFSSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| summarize
ADFSCount = count(),
Countries = make_set(Location),
IPs = make_set(IPAddress),
Apps = make_set(AppDisplayName),
LastActivity = max(TimeGenerated)
by UserPrincipalName
| join kind=inner HighRiskUsers on UserPrincipalName
| project
UserPrincipalName,
RiskLevel,
RiskState,
RiskDetail,
ADFSCount,
Countries,
IPs,
Apps,
LastActivity
| order by ADFSCount descExplanation
This query is designed to detect users who are considered high or medium risk by Entra ID Identity Protection and are authenticating through Active Directory Federation Services (ADFS). This is concerning because ADFS authentication can bypass cloud-based security measures that would typically block or challenge risky users. The query runs every hour and looks back over the past day to identify such users.
Here's a simple breakdown of what the query does:
-
Identify Risky Users: It first identifies users flagged as high or medium risk by Entra ID, focusing on those whose accounts are either at risk or confirmed compromised.
-
Check ADFS Sign-Ins: It then checks the ADFS sign-in logs for successful authentications (ResultType == 0) within the last day.
-
Match and Summarize: The query matches these sign-ins with the identified risky users and summarizes the data, including the number of ADFS sign-ins, locations, IP addresses, applications used, and the last activity time.
-
Alert Generation: If any matches are found, it generates an alert indicating that a risky user has authenticated via ADFS, bypassing cloud risk enforcement. The alert includes details like the user's risk level, the number of ADFS sign-ins, and other relevant information.
-
Incident Management: The query is configured to create incidents for these alerts, grouping them by user account to manage and track the security incidents effectively.
Overall, this query helps identify potential security gaps where risky users might bypass cloud-based security controls by using ADFS for authentication.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 1h
Period: 1d