Check For Entra Legacy TLS Login
Query
// Check for Entra Legacy TLS Login
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "0"
| mv-expand todynamic(AuthenticationProcessingDetails)
| where AuthenticationProcessingDetails.key has "Legacy TLS (TLS 1.0, 1.1, 3DES)"
| where AuthenticationProcessingDetails.value has "True"
| summarize LegacyLogin=count() by UserPrincipalName
| sort by LegacyLogin desc
// Retirement: Migrating to TLS 1.2+ with the Deprecation of Outdated Security Protocols
// https://azure.microsoft.com/en-us/updates/v2/migrating-to-tls-12-with-deprecation-of-outdated-security-protocolsExplanation
This query is designed to identify users who have logged in using outdated and less secure TLS protocols (TLS 1.0, TLS 1.1, or 3DES) within the last 90 days. Here's a simple breakdown of what the query does:
- Data Source: It looks at the
SigninLogs. - Time Frame: It filters the logs to include only those generated in the last 90 days.
- Successful Logins: It further filters to include only successful login attempts (
ResultType == "0"). - Expand Details: It expands the
AuthenticationProcessingDetailsto analyze the details of the authentication process. - Legacy TLS Detection: It checks if the authentication used legacy TLS protocols (TLS 1.0, TLS 1.1, or 3DES) and if this is marked as "True".
- Count Logins: It counts the number of such legacy logins for each user (
UserPrincipalName). - Sort Results: It sorts the results in descending order based on the count of legacy logins.
The output will be a list of users along with the number of times they logged in using these outdated security protocols, sorted by the highest number of such logins. This helps in identifying users who need to be migrated to more secure protocols (TLS 1.2 or higher) as part of the deprecation of outdated security protocols.
Details

Steven Lim
Released: September 8, 2024
Tables
SigninLogs
Keywords
SigninLogsUserAuthenticationSecurity
Operators
SigninLogs|where>agod==mv-expandtodynamichassummarizecountbysortdesc