HUNT-06 ADFS Legacy / Basic Auth Protocols (30d)
HUNT 06 ADFS Legacy Auth Protocols 30d
Query
let LegacyProtocols = dynamic([
"Other clients", "POP", "IMAP", "SMTP", "MAPI", "Exchange ActiveSync",
"Authenticated SMTP", "Exchange Web Services"
]);
ADFSSignInLogs
| invoke ExcludeAllowlistedIPs()
| where TimeGenerated > ago(30d)
| where isnotempty(ClientAppUsed)
| where ClientAppUsed in (LegacyProtocols)
or ClientAppUsed startswith "Other"
| summarize
Attempts = count(),
SuccessfulAuth = countif(ResultType == 0),
UniqueIPs = dcount(IPAddress),
IPs = make_set(IPAddress, 25),
Protocols = make_set(ClientAppUsed, 10),
Countries = make_set(Location, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| order by SuccessfulAuth desc, Attempts descExplanation
This query is designed to identify and analyze ADFS (Active Directory Federation Services) sign-ins that use legacy authentication protocols, which bypass Multi-Factor Authentication (MFA). These protocols include POP, IMAP, SMTP, MAPI, and others. The purpose is to help with governance and identify users who are still using outdated authentication methods that should be updated to modern ones.
Here's a breakdown of what the query does:
-
Define Legacy Protocols: It starts by listing legacy authentication protocols that are considered outdated.
-
Filter ADFS Sign-In Logs: It retrieves sign-in logs from the last 30 days, excluding any IPs that are on an allowlist.
-
Identify Legacy Protocol Usage: It filters the logs to find entries where the client application used for sign-in matches one of the legacy protocols.
-
Summarize Data: For each user, it summarizes the data by counting the total number of sign-in attempts, successful authentications, unique IP addresses used, and lists of IPs, protocols, and countries involved. It also records the first and last time these sign-ins were seen.
-
Order Results: Finally, it orders the results by the number of successful authentications and total attempts in descending order.
This query is useful for detecting potential security risks associated with legacy authentication methods and helps organizations transition to more secure, modern authentication protocols.
Details

David Alonso
Released: May 13, 2026
Tables
Keywords
Operators
Severity
MediumTactics