# *Hunt domains with Seamless SSO enabled in Entra ID Connect*

## Query Information

#### MITRE ATT&CK Technique(s)

N/A

#### Description
With the KQL query below you can search through the IdentityLogon events of Microsoft Defender for Identity to find users and devices still using Seamless SSO in Entra ID Connect. This feature has been flagged by the community multiple times as a security risk and should be disabled if not in use. The KQL query returns the domains where Seamless SSO is enabled, along with the related users and devices. On top of that, devices are enriched with their OS distribution, version and join type, and the query tells you whether Seamless SSO is expected to be used for the related device or not. If there are no results, or if all results show 'No' in the 'Seamless SSO Expected' column, it should be safe to disable the feature in Entra ID Connect.

**Important**: This query relies on Domain Controller EventID 4769 and Defender for Identity. Make sure the EventID is being logged and Defender for Identity is healthy. For more information, see the references.

#### Risk
See the references for impacted scenarios.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/#
- https://ourcloudnetwork.com/why-you-should-disable-seamless-sso-in-microsoft-entra-connect/

## Defender XDR
```KQL
// Get all device info we can find
let devices = (
    DeviceInfo
    // Search for 14 days
    | where TimeGenerated > ago(14d)
    // Normalize DeviceName 
    // --> if it is an IP Address we keep it
    // --> If it is not an IP Address we only use the hostname for correlation
    | extend DeviceName = iff(ipv4_is_private(DeviceName), DeviceName, tolower(split(DeviceName, ".")[0]))
    // Only get interesting data
    | distinct DeviceName, OSPlatform, OSVersion, DeviceId, OnboardingStatus, Model, JoinType
);
IdentityLogonEvents
// Get the last 30 days of logon events on Domain Controllers
| where TimeGenerated > ago(30d)
// Search for Seamless SSO events
| where Application == "Active Directory" and Protocol == "Kerberos"
| where TargetDeviceName == "AZUREADSSOACC"
// Save the domain name of the Domain Controller
| extend OnPremisesDomainName = strcat(split(DestinationDeviceName, ".")[-2], ".", split(DestinationDeviceName, ".")[-1])
// Normalize DeviceName 
// --> if it is an IP Address we keep it
// --> If it is not an IP Address we only use the hostname for correlation
| extend DeviceName = iff(ipv4_is_private(DeviceName), DeviceName, tolower(split(DeviceName, ".")[0]))
// Only use interesting data and find more info regarding the source device
| distinct AccountUpn, OnPremisesDomainName, DeviceName
| join kind=leftouter devices on DeviceName 
| project-away DeviceName1
// Check if Seamless SSO usage is expected
| extend ['Seamless SSO Expected'] = case(
    // Cases where we do not expect Seamless SSO to be used
    JoinType == "Hybrid Azure AD Join" or 
    JoinType == "AAD Joined" or
    JoinType == "AAD Registered", "No",
    // Cases where we do expect Seamless SSO to be used
    JoinType == "Domain Joined" or 
    (OSPlatform startswith "Windows" and toreal(OSVersion) < 10.0) , "Yes", 
    // Cases that need to be verified
    "Unknown (to verify)"
)
```

## Explanation

This KQL query is designed to identify domains where Seamless Single Sign-On (SSO) is enabled in Entra ID Connect by analyzing logon events from Microsoft Defender for Identity. Here's a simplified breakdown of what the query does:

1. **Device Information Collection**
   - The query first gathers information about devices from the DeviceInfo table, focusing on data from the last 14 days. It normalizes device names to ensure consistency, especially distinguishing between IP addresses and hostnames.
2. **Logon Event Analysis**
   - It then examines IdentityLogonEvents from the last 30 days, specifically looking for logon events related to Seamless SSO using the Kerberos protocol and targeting the "AZUREADSSOACC" device name.
3. **Domain and Device Correlation**
   - The query extracts the domain name from the destination device name and normalizes the source device name for correlation purposes.
   - It joins this information with the previously collected device data to enrich the logon events with additional device details like OS platform, version, and join type.
4. **Seamless SSO Expectation Check**
   - The query evaluates whether Seamless SSO usage is expected based on the device's join type and operating system. For example, devices that are "Domain Joined" or running older versions of Windows are expected to use Seamless SSO, while others like "Hybrid Azure AD Join" or "AAD Joined" are not.
5. **Output**
   - The result is a list of domains with Seamless SSO enabled, along with related user and device information. It also indicates whether Seamless SSO usage is expected for each device.

The query helps identify potential security risks by highlighting where Seamless SSO is enabled and whether it is necessary, allowing administrators to decide if the feature should be disabled.
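The following Python script is an added example, not part of the original query page or the author's code. It re-implements the query's four building blocks (device-name normalization, on-premises domain extraction, the left-outer enrichment against DeviceInfo, and the `case()` expectation logic) over constructed sample rows shaped like `IdentityLogonEvents` and `DeviceInfo`, so the logic can be sanity-checked offline or re-applied to rows exported from the portal. The sample hostnames, UPNs and IP addresses are invented. One nuance it makes explicit: KQL's `ipv4_is_private()` only matches the RFC 1918 ranges, which is narrower than Python's `IPv4Address.is_private`, so the script checks those ranges directly.

```python
import ipaddress
from typing import Optional

# RFC 1918 ranges: this is what KQL's ipv4_is_private() treats as private.
# (Python's IPv4Address.is_private is broader: loopback, link-local, CGNAT, ...)
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ipv4(value: str) -> bool:
    """Mirror of ipv4_is_private(): True only for RFC 1918 addresses."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return any(addr in net for net in _RFC1918)


def normalize_device_name(name: str) -> str:
    """Mirror of the query's DeviceName normalization: keep a private IP as-is,
    otherwise use the lower-cased short hostname so FQDN and NetBIOS forms correlate."""
    if is_private_ipv4(name):
        return name
    return name.split(".")[0].lower()


def on_prem_domain(dc_fqdn: str) -> str:
    """Mirror of strcat(split(x, ".")[-2], ".", split(x, ".")[-1]): the last two DNS labels."""
    labels = dc_fqdn.split(".")
    if len(labels) < 2:
        return dc_fqdn  # single-label name: nothing to strip
    return ".".join(labels[-2:])


def sso_expected(device: Optional[dict]) -> str:
    """Mirror of the query's case() expression. `device` is None when the
    left-outer join found no DeviceInfo row for the source device."""
    if device is None:
        return "Unknown (to verify)"
    join_type = device.get("JoinType", "")
    if join_type in ("Hybrid Azure AD Join", "AAD Joined", "AAD Registered"):
        return "No"
    try:
        os_version = float(device.get("OSVersion", ""))
    except ValueError:
        os_version = None  # e.g. "21H2": toreal() yields null in KQL, so the comparison is false
    legacy_windows = device.get("OSPlatform", "").startswith("Windows") and os_version is not None and os_version < 10.0
    if join_type == "Domain Joined" or legacy_windows:
        return "Yes"
    return "Unknown (to verify)"


def hunt_seamless_sso(logon_events: list, device_info: list) -> list:
    """Filter, distinct, left-outer join and classify, in the same order as the KQL query."""
    devices = {}
    for d in device_info:  # first row per normalized name wins (the query uses distinct here)
        devices.setdefault(normalize_device_name(d["DeviceName"]), d)
    seen, results = set(), []
    for ev in logon_events:
        if ev.get("Application") != "Active Directory" or ev.get("Protocol") != "Kerberos":
            continue
        if ev.get("TargetDeviceName") != "AZUREADSSOACC":
            continue
        key = (ev["AccountUpn"], on_prem_domain(ev["DestinationDeviceName"]), normalize_device_name(ev["DeviceName"]))
        if key in seen:  # distinct AccountUpn, OnPremisesDomainName, DeviceName
            continue
        seen.add(key)
        dev = devices.get(key[2])  # join kind=leftouter: None when DeviceInfo has no row
        results.append({
            "AccountUpn": key[0], "OnPremisesDomainName": key[1], "DeviceName": key[2],
            "OSPlatform": dev["OSPlatform"] if dev else None,
            "OSVersion": dev["OSVersion"] if dev else None,
            "JoinType": dev["JoinType"] if dev else None,
            "Seamless SSO Expected": sso_expected(dev),
        })
    return results


# Constructed sample rows shaped like DeviceInfo and IdentityLogonEvents (not real telemetry).
DEVICE_INFO = [
    {"DeviceName": "WS01.corp.contoso.com", "OSPlatform": "Windows10", "OSVersion": "10.0", "JoinType": "Hybrid Azure AD Join"},
    {"DeviceName": "LEGACY7.corp.contoso.com", "OSPlatform": "Windows7", "OSVersion": "6.1", "JoinType": "Domain Joined"},
    {"DeviceName": "SRV2012.corp.contoso.com", "OSPlatform": "WindowsServer2012R2", "OSVersion": "6.3", "JoinType": "Unknown"},
    {"DeviceName": "LAPTOP42.corp.contoso.com", "OSPlatform": "Windows11", "OSVersion": "21H2", "JoinType": "Unknown"},
]


def _ev(upn, device, proto="Kerberos", target="AZUREADSSOACC", dc="DC01.corp.contoso.com"):
    return {"AccountUpn": upn, "DestinationDeviceName": dc, "DeviceName": device,
            "Application": "Active Directory", "Protocol": proto, "TargetDeviceName": target}


LOGON_EVENTS = [
    _ev("alice@contoso.com", "WS01.corp.contoso.com"),
    _ev("alice@contoso.com", "ws01"),                                    # same host in NetBIOS form: collapsed by distinct
    _ev("bob@contoso.com", "legacy7"),
    _ev("carol@contoso.com", "10.1.2.3", dc="DC02.corp.contoso.com"),     # source known only by private IP
    _ev("dave@contoso.com", "SRV2012.corp.contoso.com"),
    _ev("erin@contoso.com", "LAPTOP42.corp.contoso.com"),
    _ev("frank@contoso.com", "WS01.corp.contoso.com", proto="NTLM"),     # filtered out: not Kerberos
    _ev("grace@contoso.com", "WS01.corp.contoso.com", target="FILESRV01"),  # filtered out: not the SSO computer account
]

if __name__ == "__main__":
    for row in hunt_seamless_sso(LOGON_EVENTS, DEVICE_INFO):
        print(row)
```

Running the script yields five rows: the two `alice` events collapse into one `ws01` row marked "No" (hybrid joined), `legacy7` and `srv2012` are "Yes" (domain joined, respectively Windows 6.3), and the private-IP source and the "21H2" laptop both land in "Unknown (to verify)", which is the bucket an analyst has to look at by hand before switching Seamless SSO off.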

## Details

- **Author:** Robbe Van den Daele
- **Released:** August 26, 2025
- **Tables:** DeviceInfo, IdentityLogonEvents
- **Keywords:** Devices, Entra ID Connect, Microsoft Defender for Identity, Users, Domains, OS Distribution, Version, Join Type, Domain Controller, EventID 4769, Active Directory, Kerberos, Azure AD SSO Account
- **Operators:** let, where, ago, extend, iff, ipv4_is_private, tolower, split, distinct, join, kind, leftouter, project-away, case, startswith, toreal, strcat