AAD Sign In Events Beta Hunting Potential Seamless SSO Usage
Query
//Legacy query, please use https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql instead
//This query is for those who do not ingest AADNonInteractiveSignins and don't have MDI but have Advanced Hunting available
//You should disable Seamless SSO and favour SSO from the PRT instead i.e. Entra Join/Hybrid Join/Entra Register
//Ref 1: https://ourcloudnetwork.com/why-you-should-disable-seamless-sso-in-microsoft-entra-connect/
//Ref 2: https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/#:\~:text=The%20resulting-,Graph%20PowerShell,-will%20look%20like
AADSignInEventsBeta
| where ApplicationId == ""
| where parse_json(LogonType)[0] == 'nonInteractiveUser'
| where EndpointCall == @"WindowsAuthenticationController:sso"
| summarize count() by AccountUpn,DeviceName,DeviceTrustTypeExplanation
This query is designed to identify potential usage of Seamless Single Sign-On (SSO) in environments where certain logs are not available, but Advanced Hunting is. It focuses on analyzing sign-in events to detect non-interactive user logins that involve Windows Authentication Controller's SSO. The query filters for specific conditions and then summarizes the count of such events by user account, device name, and device trust type. The recommendation is to disable Seamless SSO and instead use SSO from the Primary Refresh Token (PRT) through Entra Join, Hybrid Join, or Entra Register.
Details

Jay Kerai
Released: February 17, 2026
Tables
AADSignInEventsBeta
Keywords
AADSignInEventsBetaAccountUpnDeviceNameDeviceTrustTypeApplicationIdLogonTypeEndpointCallWindowsAuthenticationController
Operators
AADSignInEventsBeta|where==parse_json[0]summarizecount()by