Legacy Authentication Bypassing MFA and Conditional Access
18 Legacy Auth MFA Bypass
Query
let LegacyProtocols = dynamic([
"Exchange ActiveSync", "IMAP4", "MAPI Over HTTP",
"POP3", "SMTP", "Authenticated SMTP", "AutoDiscover",
"Exchange Online PowerShell", "Exchange Web Services",
"Other clients", "Other clients; IMAP", "Other clients; POP"
]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ClientAppUsed in (LegacyProtocols)
| where ResultType == 0
| summarize
SignInCount = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Protocols = make_set(ClientAppUsed),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName, AppDisplayName
| where SignInCount > 8
| extend IPAddress = tostring(IPs[0])
| order by SignInCount descExplanation
This query is designed to detect instances where users successfully sign in using older authentication methods that do not support Multi-Factor Authentication (MFA) or Conditional Access policies. These older methods, like Exchange ActiveSync, IMAP, POP3, and others, can be exploited by attackers to bypass security measures.
Here's a simple breakdown of what the query does:
-
Purpose: It identifies successful sign-ins using legacy authentication protocols that bypass MFA and Conditional Access, which are crucial for security.
-
Data Source: The query uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-in logs.
-
Time Frame: It looks at sign-ins that occurred in the past hour.
-
Criteria: It filters for sign-ins using specified legacy protocols and only considers successful attempts (where
ResultTypeis 0). -
Aggregation: The query counts the number of sign-ins, collects unique IP addresses, countries, and protocols used, and notes the first and last time these sign-ins were seen for each user and application.
-
Threshold: It flags cases where there are more than 8 sign-ins in the past hour.
-
Output: The results are sorted by the number of sign-ins, and the first IP address is extracted for each user.
-
Alerting: If the conditions are met, an alert is generated with details about the user, the number of sign-ins, and the protocols used. This alert can trigger the creation of an incident for further investigation.
-
Incident Management: The system can group related alerts into a single incident based on the user account, helping streamline the response process.
Overall, this query helps security teams identify and respond to potential security breaches where attackers might be exploiting older, less secure authentication methods to gain unauthorized access.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1h