Query Details
```kql
// Check for Entra Legacy TLS Login
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "0"
| mv-expand todynamic(AuthenticationProcessingDetails)
| where AuthenticationProcessingDetails.key has "Legacy TLS (TLS 1.0, 1.1, 3DES)"
| where AuthenticationProcessingDetails.value has "True"
| summarize LegacyLogin=count() by UserPrincipalName
| sort by LegacyLogin desc

// Retirement: Migrating to TLS 1.2+ with the Deprecation of Outdated Security Protocols
// https://azure.microsoft.com/en-us/updates/v2/migrating-to-tls-12-with-deprecation-of-outdated-security-protocols
```
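This query identifies users who have signed in over outdated, less secure TLS versions or ciphers (TLS 1.0, TLS 1.1, or 3DES) within the last 90 days. Here's a simple breakdown of what the query does:

1. Data source: it reads from `SigninLogs`.
2. Time frame: it keeps only records from the last 90 days.
3. Successful logins: it keeps only successful sign-ins (`ResultType == "0"`).
4. Authentication details: it expands `AuthenticationProcessingDetails` to analyze the details of the authentication process.
5. Legacy TLS filter: it keeps only entries where the "Legacy TLS (TLS 1.0, 1.1, 3DES)" key has the value "True".
6. Count per user: it counts the matching sign-ins for each user (`UserPrincipalName`).

The output is a list of users along with the number of times they logged in using these outdated security protocols, sorted by the highest number of such logins. This helps in identifying users who need to be migrated to more secure protocols (TLS 1.2 or higher) as part of the deprecation of outdated security protocols.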
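The per-user count shows who is affected but not which client needs upgrading. The following is an added example, not part of the original query: it applies the same legacy TLS filter and groups by application and client type instead. It runs against constructed sample rows (hypothetical users and apps) so it can be tried in any query window; `AppDisplayName` and `ClientAppUsed` are standard `SigninLogs` columns.

```kql
// Added example: constructed sample rows standing in for SigninLogs.
// For real data, replace SampleSigninLogs with SigninLogs and add
// "| where TimeGenerated > ago(90d)" as in the original query.
let SampleSigninLogs = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, ResultType:string,
    AppDisplayName:string, ClientAppUsed:string,
    AuthenticationProcessingDetails:string)
[
    // Successful sign-ins over legacy TLS (should be counted)
    datetime(2024-09-01 08:00:00), "alice@contoso.example", "0",
        "Office 365 Exchange Online", "Exchange ActiveSync",
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"},{"key":"Is CAE Token","value":"False"}]',
    datetime(2024-09-02 09:30:00), "bob@contoso.example", "0",
        "Office 365 Exchange Online", "Exchange ActiveSync",
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"}]',
    datetime(2024-09-03 10:15:00), "alice@contoso.example", "0",
        "Legacy LOB App", "Other clients",
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"}]',
    // Successful sign-in over modern TLS (filtered out by the value check)
    datetime(2024-09-03 11:00:00), "carol@contoso.example", "0",
        "Azure Portal", "Browser",
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"False"}]',
    // Failed sign-in over legacy TLS (filtered out by ResultType)
    datetime(2024-09-04 12:00:00), "dave@contoso.example", "50126",
        "Office 365 Exchange Online", "Exchange ActiveSync",
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"}]'
];
SampleSigninLogs
| where ResultType == "0"
// Name the expanded element so the original column stays untouched
| mv-expand Detail = todynamic(AuthenticationProcessingDetails)
| where tostring(Detail.key) == "Legacy TLS (TLS 1.0, 1.1, 3DES)"
| where tostring(Detail.value) =~ "True"
| summarize
    LegacyLogin = count(),
    Users = dcount(UserPrincipalName),
    SampleUsers = make_set(UserPrincipalName, 10),
    LastSeen = max(TimeGenerated)
    by AppDisplayName, ClientAppUsed
| sort by LegacyLogin desc
```

`LastSeen` helps separate clients that are still active from ones that stopped using legacy TLS earlier in the window.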

Steven Lim
Released: September 8, 2024