Entra ID Domain Federation Settings Modified
AR 005 Federation Domain Config Changed
Query
AuditLogs
| where TimeGenerated > ago(1d)
| where ActivityDisplayName in (
"Set domain authentication",
"Set federation settings on domain",
"Set federation settings",
"Set DirSyncEnabled flag",
"Update domain")
| where Result == "success"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetDomain = tostring(TargetResources[0].displayName)
| extend TargetId = tostring(TargetResources[0].id)
| mv-expand Prop = TargetResources[0].modifiedProperties
| extend PropName = tostring(Prop.displayName)
| extend OldValue = tostring(Prop.oldValue)
| extend NewValue = tostring(Prop.newValue)
| project
TimeGenerated,
Actor,
InitiatedByUPN,
ActivityDisplayName,
TargetDomain,
TargetId,
PropName,
OldValue,
NewValue,
LoggedByService,
CorrelationIdExplanation
This query is designed to detect any changes made to the authentication settings of a domain in Azure Active Directory (AAD), which could indicate a potential security threat. Here's a simplified breakdown:
-
Purpose: The query identifies modifications to a domain's authentication configuration, such as switching from Managed to Federated authentication. This is significant because such changes can be part of a "Golden SAML" attack, where an attacker can forge authentication tokens to impersonate any user without needing their password, effectively bypassing multi-factor authentication (MFA).
-
Severity: Any detected change is considered critical until verified by the identity team, as legitimate changes to domain federation settings are rare.
-
Data Source: The query uses data from Azure Active Directory's AuditLogs.
-
Frequency and Period: It runs every 15 minutes and looks back over the past day (1 day).
-
Detection Logic:
- It checks for successful activities related to domain authentication settings, such as setting domain authentication, updating federation settings, or enabling directory synchronization.
- It extracts details about who initiated the change (either a user or an application) and the specific domain affected.
- It captures what properties were modified, including their old and new values.
-
Alerting: If any such changes are detected, an alert is generated with a critical status. The alert message specifies the domain affected, the actor who made the change, and details of the modification.
-
Entity Mapping: The query maps the user who initiated the change to an account entity and the domain to a DNS entity.
-
Custom Details: It provides additional information about the modified property and the old and new authentication types.
-
Suppression: Alerts are not suppressed by default, but there is an option to suppress them for 1 hour if needed.
-
Version and Type: This is version 1.0.0 of a scheduled query.
Overall, this query is a security measure to monitor and alert on potentially unauthorized changes to domain federation settings, which could indicate a serious security breach.
Details

David Alonso
Released: April 6, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 15m
Period: 1d