Query Details

AAD Sign In Events Beta Hunting Potential Seamless SSO Usage

Query

//This query is for those who do not ingest AADNonInteractiveSignins and don't have MDI but have Advanced Hunting available
//You should disable Seamless SSO and favour SSO from the PRT instead i.e. Entra Join/Hybrid Join/Entra Register
//Ref 1: https://ourcloudnetwork.com/why-you-should-disable-seamless-sso-in-microsoft-entra-connect/
//Ref 2: https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/#:~:text=The%20resulting-,Graph%20PowerShell,-will%20look%20like
AADSignInEventsBeta
| where ApplicationId == ""
| where parse_json(LogonType)[0] == 'nonInteractiveUser'
| where EndpointCall == @"WindowsAuthenticationController:sso"
| summarize count() by AccountUpn,DeviceName,DeviceTrustType

Explanation

This query is designed for environments that do not use AADNonInteractiveSignins and do not have Microsoft Defender for Identity (MDI), but have access to Advanced Hunting. It aims to identify instances where Seamless Single Sign-On (SSO) is being used, which the author suggests should be disabled in favor of using Primary Refresh Token (PRT)-based SSO methods like Entra Join, Hybrid Join, or Entra Register.

Here's a breakdown of what the query does:

  1. Data Source: It uses the AADSignInEventsBeta table, which contains Azure Active Directory sign-in events.

  2. Filter Conditions:

    • It keeps only events where the ApplicationId is empty, indicating that the sign-in event is not associated with a specific application.
    • It checks whether the first entry of the parsed LogonType value is 'nonInteractiveUser', meaning the sign-in did not involve direct user interaction.
    • It looks for events where the EndpointCall is "WindowsAuthenticationController:sso", indicating that Seamless SSO was used.

  3. Summarization:

    • The query summarizes the data by counting the number of such sign-in events for each combination of AccountUpn (the user principal name), DeviceName (name of the device), and DeviceTrustType (type of device trust).

In simple terms, this query helps identify users and devices that are using Seamless SSO, which the author recommends replacing with a more secure SSO method based on PRT.
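The three filters can be tried without tenant data. The following is an added example, not part of the original query: it runs the same conditions over constructed rows in a datatable and additionally records first and last seen times per user and device. The UPNs, device names, application ID and timestamps are made up, and Timestamp is assumed to be the event time column, as in other Advanced Hunting tables.

```kusto
// Added example: constructed rows standing in for AADSignInEventsBeta (not real telemetry).
let SampleSignIns = datatable(
    Timestamp:datetime, AccountUpn:string, DeviceName:string, DeviceTrustType:string,
    ApplicationId:string, LogonType:string, EndpointCall:string)
[
    // Matches all three filters: empty ApplicationId, non-interactive, Seamless SSO endpoint
    datetime(2025-08-28 08:01:00), "alice@contoso.example", "WS-001", "",
        "", '["nonInteractiveUser"]', "WindowsAuthenticationController:sso",
    datetime(2025-08-29 08:03:00), "alice@contoso.example", "WS-001", "",
        "", '["nonInteractiveUser"]', "WindowsAuthenticationController:sso",
    datetime(2025-08-29 09:15:00), "bob@contoso.example", "WS-002", "ServerAd",
        "", '["nonInteractiveUser"]', "WindowsAuthenticationController:sso",
    // Interactive sign-in: does not satisfy the LogonType condition
    datetime(2025-08-29 09:20:00), "carol@contoso.example", "WS-003", "AzureAd",
        "", '["interactiveUser"]', "WindowsAuthenticationController:sso",
    // ApplicationId populated (constructed GUID): does not satisfy the ApplicationId condition
    datetime(2025-08-29 09:30:00), "dave@contoso.example", "WS-004", "AzureAd",
        "00000000-0000-0000-0000-000000000001", '["nonInteractiveUser"]',
        "WindowsAuthenticationController:sso",
    // Different endpoint (constructed value): does not satisfy the EndpointCall condition
    datetime(2025-08-29 09:40:00), "erin@contoso.example", "WS-005", "Workplace",
        "", '["nonInteractiveUser"]', "SampleController:other"
];
SampleSignIns
| where ApplicationId == ""
// LogonType is stored as a JSON array string; compare its first element as a string
| where tostring(parse_json(LogonType)[0]) == "nonInteractiveUser"
| where EndpointCall == "WindowsAuthenticationController:sso"
| summarize SignIns = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by AccountUpn, DeviceName, DeviceTrustType
| order by SignIns desc
```

To run it against real data, replace SampleSignIns with AADSignInEventsBeta and remove the let statement.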

Details


Jay Kerai

Released: August 30, 2025

Tables

AADSignInEventsBeta

Keywords

AADSignInEventsBeta, AccountUpn, DeviceName, DeviceTrustType, WindowsAuthenticationController

Operators

|, where, ==, parse_json, summarize, by
