Detect non-admin requesting token for admin applications
Detect User Request Token For Admin App
Query
N/AAbout this query
Explanation
This query is designed to detect suspicious sign-in attempts where non-administrative users try to access administrative applications in Entra ID, which is part of Microsoft's identity and access management service. Here's a simplified breakdown of what the query does:
-
Watchlist of IT Accounts: It starts by retrieving a list of known IT accounts from a watchlist called 'ITAccounts'.
-
Data Collection: It gathers sign-in logs from the past hour, focusing on applications related to administration, such as PowerShell, CLI, Command Line, and Management Shell.
-
Filter Sign-in Results: It filters these logs to include only successful sign-ins or those that failed due to no assignment (result types "0" and "50105").
-
Join with Identity Information: The query enriches this data by joining it with identity information to get more details about the users, such as their roles and departments.
-
Exclude Admin and IT Roles: It excludes users who have assigned roles, belong to IT-related departments, or have job titles indicating they are service accounts.
-
Exclude Known IT Accounts: It further filters out any accounts that match the known IT accounts from the watchlist.
-
Output: Finally, it outputs a distinct list of sign-in attempts, highlighting the time, user, application, IP address, job title, department, and result type for each attempt.
In essence, this query helps identify potentially unauthorized access attempts by non-admin users to admin-level applications, which could indicate a security risk or misuse of credentials.
Details

Robbe Van den Daele
Released: January 28, 2025
Tables
Keywords
Operators
MITRE Techniques