Query Details

Entra ID Domain Federation Settings Modified

AR 005 Federation Domain Config Changed

Query

AuditLogs
| where TimeGenerated > ago(1d)
| where ActivityDisplayName in (
    "Set domain authentication",
    "Set federation settings on domain",
    "Set federation settings",
    "Set DirSyncEnabled flag",
    "Update domain")
| where Result == "success"
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetDomain   = tostring(TargetResources[0].displayName)
| extend TargetId       = tostring(TargetResources[0].id)
| mv-expand Prop = TargetResources[0].modifiedProperties
| extend PropName = tostring(Prop.displayName)
| extend OldValue = tostring(Prop.oldValue)
| extend NewValue = tostring(Prop.newValue)
| project
    TimeGenerated,
    Actor,
    InitiatedByUPN,
    ActivityDisplayName,
    TargetDomain,
    TargetId,
    PropName,
    OldValue,
    NewValue,
    LoggedByService,
    CorrelationId

Explanation

This query is designed to detect any changes made to the authentication settings of a domain in Azure Active Directory (AAD), which could indicate a potential security threat. Here's a simplified breakdown:

  1. Purpose: The query identifies modifications to a domain's authentication configuration, such as switching from Managed to Federated authentication. This is significant because such changes can be part of a "Golden SAML" attack, where an attacker can forge authentication tokens to impersonate any user without needing their password, effectively bypassing multi-factor authentication (MFA).

  2. Severity: Any detected change is considered critical until verified by the identity team, as legitimate changes to domain federation settings are rare.

  3. Data Source: The query uses data from Azure Active Directory's AuditLogs.

  4. Frequency and Period: It runs every 15 minutes and looks back over the past day (1 day).

  5. Detection Logic:

    • It checks for successful activities related to domain authentication settings, such as setting domain authentication, updating federation settings, or enabling directory synchronization.
    • It extracts details about who initiated the change (either a user or an application) and the specific domain affected.
    • It captures what properties were modified, including their old and new values.
  6. Alerting: If any such changes are detected, an alert is generated with a critical status. The alert message specifies the domain affected, the actor who made the change, and details of the modification.

  7. Entity Mapping: The query maps the user who initiated the change to an account entity and the domain to a DNS entity.

  8. Custom Details: It provides additional information about the modified property and the old and new authentication types.

  9. Suppression: Alerts are not suppressed by default, but there is an option to suppress them for 1 hour if needed.

  10. Version and Type: This is version 1.0.0 of a scheduled query.

Overall, this query is a security measure to monitor and alert on potentially unauthorized changes to domain federation settings, which could indicate a serious security breach.

Details

David Alonso profile picture

David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogsDomainAuthenticationFederationIdentityUserAccountDNSActorService

Operators

AuditLogswhereinextendtostringiffisnotemptymv-expandproject

Severity

High

Tactics

PersistenceDefenseEvasion

MITRE Techniques

Frequency: 15m

Period: 1d

Actions

GitHub