Enriched Entra Sign In Logs Token Protection Network Access
Query
// Correlation of sign-in with details about Token Protection status and Global Secure Access
// Hunting query to correlate UniqueTokenIdentifier for identify Network Access Traffic event (in Global Secure Access) of Token Endpoint request
// and showing details of token binding
union SigninLogs, AADNonInteractiveUserSignInLogs
// Optional: Filter for specific time window, user and only successful sign-ins
// | where UserPrincipalName == "<UserPrincipalName>"
// and CreatedDateTime between ( todatetime('<StartTime>') .. todatetime('<EndTime>') )
// and ResultType == "0"
// Filter for sign-ins to home tenant only
| where HomeTenantId == ResourceTenantId
// Expand device details
| extend DeviceDetail = iff(isempty( DeviceDetail_dynamic ), todynamic(DeviceDetail_string), DeviceDetail_dynamic)
| extend DeviceId = tostring(tolower(DeviceDetail.deviceId))
| extend DeviceName = tostring(toupper(DeviceDetail.displayName))
// Expand Token Protection Status details
| extend TokenProtectionStatus = iff(isempty( TokenProtectionStatusDetails_dynamic ), todynamic(TokenProtectionStatusDetails_string), TokenProtectionStatusDetails_dynamic)
| extend SignInSessionStatus = tostring(TokenProtectionStatus.signInSessionStatus)
// Correlate token acquisition with NetworkAccessTraffic logs from GSA
| join kind = leftouter (
NetworkAccessTraffic
| project TimeGenerated, TransactionId, ConnectionId, IPAddress = SourceIp, AgentVersion, UserId, DeviceId, UniqueTokenIdentifier = UniqueTokenId, InitiatingProcessName
) on UserId, DeviceId, UniqueTokenIdentifier, IPAddress
// Summarize Results
| project CreatedDateTime, SessionId, IncomingTokenType, SignInSessionStatus, UniqueTokenIdentifier, AppDisplayName, ResourceDisplayName, ClientAppUsed, IsThroughGlobalSecureAccess, InitiatingProcessName, IPAddress, GlobalSecureAccessIpAddress, Location, AutonomousSystemNumber
// Optional: Filtering for specific SessionId
//| where SessionId == @"<SessionId>"
| sort by CreatedDateTime ascExplanation
This query is designed to analyze and correlate sign-in events with network access traffic, focusing on token protection status and global secure access. Here's a simplified breakdown:
-
Data Sources: The query combines data from two sources:
SigninLogsandAADNonInteractiveUserSignInLogs. These logs contain information about user sign-ins. -
Filtering:
- It optionally allows filtering by a specific user, time window, and successful sign-ins.
- It specifically looks at sign-ins to the user's home tenant.
-
Device and Token Details:
- The query extracts and formats device details, such as
DeviceIdandDeviceName. - It also extracts token protection status details, focusing on the
SignInSessionStatus.
- The query extracts and formats device details, such as
-
Correlation with Network Access Traffic:
- The query joins the sign-in data with
NetworkAccessTrafficlogs using common fields likeUserId,DeviceId,UniqueTokenIdentifier, andIPAddress. - This helps in identifying network access events related to token endpoint requests.
- The query joins the sign-in data with
-
Output:
- The final output includes various details such as the time of creation, session ID, token type, session status, application names, client app used, and network details.
- It sorts the results by the creation date and time in ascending order.
Overall, this query helps in understanding the relationship between sign-in events and network access activities, with a focus on token protection and secure access mechanisms.
Details

Thomas Naunheim
Released: August 19, 2025
Tables
SigninLogsAADNonInteractiveUserSignInLogsNetworkAccessTraffic
Keywords
SigninLogsAADNonInteractiveUserSignInLogsDeviceDetailTokenProtectionStatusNetworkAccessTrafficGlobalSecureAccessUserDeviceTokenEndpointNetworkAccessTrafficSessionAutonomousSystemNumberLocationIPAddress
Operators
unionwhereextendiffisemptytodynamictostringtolowertoupperjoinprojectsort