HUNT-08 ADFS Sign-in to Privileged Azure AD Action Correlation (30d)
HUNT 08 ADFS Auth To Privileged Action 30d
Query
let PrivOps = dynamic([
"Add member to role", "Add app role assignment to user",
"Add eligible member to role", "Add owner to application",
"Add service principal credentials", "Reset user password",
"Update user", "Disable Strong Authentication",
"Update conditional access policy", "Delete conditional access policy"
]);
let Auths = ADFSSignInLogs
| invoke ExcludeAllowlistedIPs()
| where TimeGenerated > ago(30d)
| where ResultType == 0
| project AuthTime = TimeGenerated, UserPrincipalName, IPAddress, Location;
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in (PrivOps)
| where Result =~ "success"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Actor)
| join kind=inner (Auths) on $left.Actor == $right.UserPrincipalName
| where TimeGenerated between (AuthTime .. AuthTime + 1h)
| project
TimeGenerated, Actor, OperationName, IPAddress, Location,
AuthTime,
TargetResources, AdditionalDetails
| order by TimeGenerated descExplanation
This query is designed to identify potential security threats by correlating successful sign-ins through Active Directory Federation Services (ADFS) with privileged actions in Azure Active Directory (Azure AD) within a one-hour window. Here's a simplified breakdown:
-
Purpose: The query aims to detect if a user who successfully signed in via ADFS subsequently performed any high-privilege actions in Azure AD, which could indicate a compromised account.
-
Severity: The query is marked as high severity, indicating the importance of the potential security threat it is designed to detect.
-
Data Sources: It uses data from two sources:
- ADFSSignInLogs: Logs of sign-ins through ADFS.
- AuditLogs: Logs of actions performed in Azure AD.
-
Time Frame: The query looks at data from the past 30 days.
-
Privileged Operations: It focuses on specific high-privilege operations such as adding members to roles, resetting passwords, and updating conditional access policies.
-
Process:
- It first filters ADFS sign-in logs to exclude any allowlisted IPs and only considers successful sign-ins.
- It then filters Azure AD audit logs for successful privileged operations.
- The query joins these two datasets to find cases where a user who signed in via ADFS performed a privileged action within one hour of signing in.
-
Output: The results include details such as the time of the action, the user (Actor), the operation performed, the IP address, location, and additional details about the target resources.
-
Use Case: This query is useful for security teams to investigate and understand the potential impact (blast radius) of a suspected federated account compromise, focusing on privilege escalation and persistence tactics.
Details

David Alonso
Released: May 13, 2026
Tables
Keywords
Operators
Severity
HighTactics