Auth Token Issuer
Query
// AzureAD backup authentication system has been introduced in November 2021 to increase resilience of this core service. Sign-in logs offers insights about tokens which has been reissued by the backup service.
// More details about the backup system: https://learn.microsoft.com/en-us/azure/active-directory/architecture/backup-authentication-system?WT.mc_id=AZ-MVP-5003945
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated >ago(30d)
| summarize count() by (TokenIssuerType), bin(TimeGenerated, 1d)
| render timechartExplanation
This query combines the SigninLogs and AADNonInteractiveUserSignInLogs tables to analyze token reissuance by the AzureAD backup authentication system. It filters the data to include only the last 30 days and groups the results by TokenIssuerType. The output is then visualized as a time chart.
Details

Thomas Naunheim
Released: September 28, 2023
Tables
SigninLogsAADNonInteractiveUserSignInLogs
Keywords
SigninLogsAADNonInteractiveUserSignInLogsTimeGeneratedTokenIssuerType
Operators
unionwheresummarizebybinrender