Query Details

Azure AD Basic Auth

Query

# AzureAD - Basic Authentication

## Query Information

### Description

Use the queries below to identify basic authentication activity in Azure AD.

#### References

- [Deprecation of Basic authentication in Exchange Online](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online)


### Microsoft Sentinel 

Sign-in logs

```kql
SigninLogs
| extend IsLegacyAuth = 
case(ClientAppUsed contains "Browser", "No", 
ClientAppUsed contains "Mobile Apps and Desktop clients", "No",
ClientAppUsed contains "Exchange ActiveSync", "No",
ClientAppUsed contains "Authenticated SMTP", "Yes",
ClientAppUsed contains "Other clients", "Yes", "Unknown") 
| where IsLegacyAuth == 'Yes'
| where ResultType == 0
```

Non-interactive sign-in logs

```kql
AADNonInteractiveUserSignInLogs
| extend IsLegacyAuth = 
case(ClientAppUsed contains "Browser", "No", 
ClientAppUsed contains "Mobile Apps and Desktop clients", "No",
ClientAppUsed contains "Exchange ActiveSync", "No",
ClientAppUsed contains "Authenticated SMTP", "Yes",
ClientAppUsed contains "Other clients", "Yes", "Unknown") 
| where IsLegacyAuth == 'Yes'
| where ResultType == 0
```

Both sign-in and non-interactive sign-in logs

```kql
union  isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| extend IsLegacyAuth = 
case(ClientAppUsed contains "Browser", "No", 
ClientAppUsed contains "Mobile Apps and Desktop clients", "No",
ClientAppUsed contains "Exchange ActiveSync", "No",
ClientAppUsed contains "Authenticated SMTP", "Yes",
ClientAppUsed contains "Other clients", "Yes", "Unknown") 
| where IsLegacyAuth == 'Yes'
| where ResultType == 0
```

Explanation

The queries identify basic authentication activity in Azure AD by checking the sign-in logs and the non-interactive sign-in logs. Each query adds an `IsLegacyAuth` column derived from `ClientAppUsed`: Browser, Mobile Apps and Desktop clients, and Exchange ActiveSync are labelled "No"; Authenticated SMTP and Other clients are labelled "Yes"; any other value is labelled "Unknown". The results are then filtered to rows where `IsLegacyAuth` is "Yes" and the result type is 0, indicating a successful authentication. The query can be run separately for sign-in logs, non-interactive sign-in logs, or both combined.

Details


Alex Verboon

Released: September 23, 2023

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

AzureAD,BasicAuthentication,SigninLogs,AADNonInteractiveUserSignInLogs,IsLegacyAuth,ClientAppUsed,Browser,MobileAppsandDesktopclients,ExchangeActiveSync,AuthenticatedSMTP,Otherclients,Unknown,ResultType

Operators

extend, case, contains, where, union, isfuzzy
