Query Details

Entra Id Sign In Events Hunting Potential Seamless SSO Usage

Query

//This query is a replacement for https://github.com/jkerai1/KQL-Queries/blob/main/Defender/AADSignInEventsBeta%20-%20Hunting%20Potential%20Seamless%20SSO%20Usage.kql
//This query is for those who do not ingest AADNonInteractiveSignins and don't have MDI but have Advanced Hunting available
//You should disable Seamless SSO and favour SSO from the PRT instead i.e. Entra Join/Hybrid Join/Entra Register
//Ref 1: https://ourcloudnetwork.com/why-you-should-disable-seamless-sso-in-microsoft-entra-connect/
//Ref 2: https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/#:~:text=The%20resulting-,Graph%20PowerShell,-will%20look%20like
EntraIdSignInEvents
| where ApplicationId == ""
| where parse_json(LogonType)[0] == 'nonInteractiveUser'
| where EndpointCall == @"WindowsAuthenticationController:sso"
| summarize count() by AccountUpn,DeviceName,DeviceTrustType

Explanation

This query identifies potential usage of Seamless Single Sign-On (SSO) in environments that do not ingest AADNonInteractiveSignins and do not have MDI, but do have Advanced Hunting available. It analyzes sign-in events to detect non-interactive user logins that use Windows Authentication for SSO. The query filters for events where the application ID is empty and the first LogonType value is nonInteractiveUser. It then keeps only events whose endpoint call is WindowsAuthenticationController:sso. Finally, it summarizes the data by counting occurrences for each user account (AccountUpn), device name (DeviceName), and device trust type (DeviceTrustType). The goal is to help organizations find remaining usage so they can disable Seamless SSO in favor of SSO from the PRT, i.e. Entra Join, Hybrid Join, or Entra Register.
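
A variant of the query above for planning the Seamless SSO switch-off, added here as an example and not part of the original query. It assumes the table exposes the standard Advanced Hunting Timestamp column; the 30-day lookback and the output column names are constructed for illustration.

```kql
// Added example, not the author's query.
// Assumption: EntraIdSignInEvents has the standard Advanced Hunting Timestamp column.
let lookback = 30d; // constructed value, adjust to your retention
EntraIdSignInEvents
| where Timestamp > ago(lookback)
// Same three filters as the original query
| where ApplicationId == ""
| where parse_json(LogonType)[0] == 'nonInteractiveUser'
| where EndpointCall == @"WindowsAuthenticationController:sso"
// Per user/device pair: volume, recency, and on how many distinct days it occurred
| summarize SignIns = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            ActiveDays = dcount(bin(Timestamp, 1d))
    by AccountUpn, DeviceName, DeviceTrustType
// Flag rows where no device trust type was recorded for the sign-in
| extend HasDeviceTrust = isnotempty(DeviceTrustType)
// Rows without a recorded trust type first, most recent activity at the top
| order by HasDeviceTrust asc, LastSeen desc
```

Pairs with a recent LastSeen and a high ActiveDays count are the ones still actively relying on Seamless SSO and are worth reviewing before it is disabled.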

Details


Jay Kerai

Released: February 17, 2026

Tables

EntraIdSignInEvents

Keywords

EntraIdSignInEvents, AccountUpn, DeviceName, DeviceTrustType

Operators

|, where, parse_json, summarize, count, by
