AzureAD - Basic Authentication
Azure AD Basic Auth
Query
SigninLogs
| extend IsLegacyAuth =
case(ClientAppUsed contains "Browser", "No",
ClientAppUsed contains "Mobile Apps and Desktop clients", "No",
ClientAppUsed contains "Exchange ActiveSync", "No",
ClientAppUsed contains "Authenticated SMTP", "Yes",
ClientAppUsed contains "Other clients", "Yes", "Unknown")
| where IsLegacyAuth == 'Yes'
| where ResultType == 0About this query
Explanation
The query is used to identify basic authentication activities in Azure AD. It checks the signin logs and non-interactive signin logs for activities where legacy authentication methods are used. Legacy authentication methods include browser, mobile apps and desktop clients, Exchange ActiveSync, authenticated SMTP, and other clients. The query filters the results to only include activities with a result type of 0, indicating a successful authentication. The query can be run separately for signin logs, non-interactive signin logs, or both combined.
Details

Alex Verboon
Released: September 23, 2023
Tables
SigninLogsAADNonInteractiveUserSignInLogs
Keywords
AzureADBasic AuthenticationSigninLogsAADNonInteractiveUserSignInLogsIsLegacyAuthClientAppUsedBrowserMobile Apps and Desktop clientsExchange ActiveSyncAuthenticated SMTPOther clientsUnknownResultType
Operators
extendcasecontainswhereunionisfuzzy