HUNT-10 ADFS Active Auth from Risky / Disabled Users (7d)
HUNT 10 ADFS Risky Or Disabled User Active Auth 7d
Query
let RiskyOrDisabled = IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where (isnotempty(RiskLevel) and RiskLevel !~ "none")
or IsAccountEnabled == false
| project AccountUPN, RiskLevel, IsAccountEnabled, JobTitle, Department;
ADFSSignInLogs
| invoke ExcludeAllowlistedIPs()
| where TimeGenerated > ago(7d)
| join kind=inner (RiskyOrDisabled) on $left.UserPrincipalName == $right.AccountUPN
| summarize
Attempts = count(),
SuccessfulAuth = countif(ResultType == 0),
UniqueIPs = dcount(IPAddress),
IPs = make_set(IPAddress, 25),
Countries = make_set(Location, 10),
Apps = make_set(AppDisplayName, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName, RiskLevel, IsAccountEnabled
| order by SuccessfulAuth desc, Attempts descExplanation
This query is designed to identify potentially suspicious activity related to ADFS (Active Directory Federation Services) sign-ins over the past seven days. It focuses on accounts that are either disabled or marked as risky in Azure Active Directory. Here's a simplified breakdown:
-
Purpose: The query aims to detect sign-ins from accounts that are either disabled or flagged as risky, which could indicate unauthorized access or credential misuse.
-
Data Sources: It uses data from Azure Active Directory, specifically the ADFSSignInLogs and IdentityInfo.
-
Process:
- Identify Risky or Disabled Accounts: It first identifies accounts that are either disabled or have a non-empty risk level (excluding "none").
- Filter Sign-In Logs: It then filters ADFS sign-in logs from the last seven days, excluding any IPs that are on an allowlist.
- Join Data: The query joins the filtered sign-in logs with the list of risky or disabled accounts.
- Summarize Activity: For each account, it summarizes the number of sign-in attempts, successful authentications, unique IP addresses, and other details like countries, applications used, and the first and last time the account was seen.
-
Output: The results are ordered by the number of successful authentications and total attempts, highlighting accounts with potentially unauthorized access.
-
Severity and Tactics: The query is marked with high severity and is associated with the persistence tactic, specifically related to the technique T1078, which involves valid accounts being used for unauthorized purposes.
Details

David Alonso
Released: May 13, 2026
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques