Query Details

AAD Sign In Events Beta Hunting Potential Seamless SSO Usage

Query

//Legacy query, please use https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql instead
//This query is for those who do not ingest AADNonInteractiveSignins and don't have MDI but have Advanced Hunting available
//You should disable Seamless SSO and favour SSO from the PRT instead i.e. Entra Join/Hybrid Join/Entra Register
//Ref 1: https://ourcloudnetwork.com/why-you-should-disable-seamless-sso-in-microsoft-entra-connect/
//Ref 2: https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/#:\~:text=The%20resulting-,Graph%20PowerShell,-will%20look%20like
AADSignInEventsBeta
| where ApplicationId == ""
| where parse_json(LogonType)[0] == 'nonInteractiveUser'
| where EndpointCall == @"WindowsAuthenticationController:sso"
| summarize count() by AccountUpn,DeviceName,DeviceTrustType

Explanation

This query is designed to identify potential usage of Seamless Single Sign-On (SSO) in environments where certain logs are not available, but Advanced Hunting is. It focuses on analyzing sign-in events to detect non-interactive user logins that involve Windows Authentication Controller's SSO. The query filters for specific conditions and then summarizes the count of such events by user account, device name, and device trust type. The recommendation is to disable Seamless SSO and instead use SSO from the Primary Refresh Token (PRT) through Entra Join, Hybrid Join, or Entra Register.

Details

Jay Kerai profile picture

Jay Kerai

Released: February 17, 2026

Tables

AADSignInEventsBeta

Keywords

AADSignInEventsBetaAccountUpnDeviceNameDeviceTrustTypeApplicationIdLogonTypeEndpointCallWindowsAuthenticationController

Operators

AADSignInEventsBeta|where==parse_json[0]summarizecount()by

Actions

GitHub