# *Hunt MSOL Azure AD Connect / Entra Sync servers*
## Query Information
#### MITRE ATT&CK Technique(s)
N/A
#### Description
Microsoft announced that starting from April 30, 2025, Microsoft Entra Connect must be at least version 2.4.18.0. To identify whether you still have an AD Connect or Entra Sync server running a lower version, you can use the KQL query below.
#### Risk
See the references for impacted scenarios.
#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/
#### References
- https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/harden-update-ad-fs-pingfederate
- https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-upgrade-previous-version
## Defender XDR
```KQL
DeviceTvmSoftwareInventory
| where SoftwareVendor == "microsoft"
| where SoftwareName in ("microsoft_entra_connect_sync", "microsoft_azure_ad_connect")
| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion
| extend MSOnlineDepricationSafe = iff(
    parse_version(SoftwareVersion) < parse_version("2.4.18.0"),
    "No",
    "Yes"
)
```
## Sentinel
```KQL
DeviceTvmSoftwareInventory
| where SoftwareVendor == "microsoft"
| where SoftwareName in ("microsoft_entra_connect_sync", "microsoft_azure_ad_connect")
| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion
| extend MSOnlineDepricationSafe = iff(
    parse_version(SoftwareVersion) < parse_version("2.4.18.0"),
    "No",
    "Yes"
)
```

This query is designed to identify Microsoft Entra Connect or Azure AD Connect servers that are running versions lower than 2.4.18.0. This is important because, starting from April 30, 2025, Microsoft requires these servers to be at least version 2.4.18.0 to ensure compatibility and security.
Here's a simple breakdown of what the query does:

- **Data Source:** It looks at the `DeviceTvmSoftwareInventory` table, which contains information about software installed on devices.
- **Filter by Vendor:** It filters the data to only include software from Microsoft.
- **Filter by Software Name:** It further narrows down the results to only include entries for "microsoft_entra_connect_sync" and "microsoft_azure_ad_connect".
- **Select Unique Entries:** It selects distinct combinations of device name, software name, vendor, and version to avoid duplicate entries.
- **Check Version Compliance:** It adds a new column called `MSOnlineDepricationSafe` to indicate whether the software version is compliant with the upcoming requirement. If the version is below 2.4.18.0, it marks it as "No" (not safe), otherwise "Yes" (safe).

This query helps organizations identify which of their servers need to be updated to meet Microsoft's future requirements.
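
A variant of the query above, added here as an example and not part of the original query: it runs against constructed sample rows (the `SampleInventory` table, device names and versions are made up) instead of `DeviceTvmSoftwareInventory`, so it can be tried without inventory data. It labels rows whose version is empty or cannot be parsed as "Unknown", and adds a `NaiveStringCompare` column (an assumption for illustration) to contrast a text comparison with the `parse_version` comparison the query uses.

```kql
// Added example. All rows below are constructed sample data, not real inventory.
// sync01: exactly the minimum version      sync02: below the minimum
// sync03: numerically above the minimum, but sorts below it when compared as text
// sync04: no version reported              ws01: unrelated software, filtered out
let MinVersion = "2.4.18.0";
let SampleInventory = datatable(DeviceName:string, SoftwareVendor:string, SoftwareName:string, SoftwareVersion:string)
[
    "sync01.contoso.example", "microsoft", "microsoft_azure_ad_connect",   "2.4.18.0",
    "sync02.contoso.example", "microsoft", "microsoft_azure_ad_connect",   "2.3.20.0",
    "sync03.contoso.example", "microsoft", "microsoft_entra_connect_sync", "2.10.0.0",
    "sync04.contoso.example", "microsoft", "microsoft_entra_connect_sync", "",
    "ws01.contoso.example",   "microsoft", "edge",                         "125.0.0.0"
];
SampleInventory
| where SoftwareVendor == "microsoft"
| where SoftwareName in ("microsoft_entra_connect_sync", "microsoft_azure_ad_connect")
| distinct DeviceName, SoftwareName, SoftwareVendor, SoftwareVersion
// parse_version returns null when the string cannot be converted
| extend ParsedVersion = parse_version(SoftwareVersion)
| extend MSOnlineDepricationSafe = case(
    isnull(ParsedVersion), "Unknown",                 // review these servers manually
    ParsedVersion < parse_version(MinVersion), "No",
    "Yes"
)
// For contrast only: ordinal text comparison of the raw version strings
| extend NaiveStringCompare = iff(strcmp(SoftwareVersion, MinVersion) < 0, "No", "Yes")
| project DeviceName, SoftwareName, SoftwareVersion, MSOnlineDepricationSafe, NaiveStringCompare
| order by DeviceName asc
```

To use the extra "Unknown" handling on live data, replace `SampleInventory` with `DeviceTvmSoftwareInventory` and drop the `datatable` definition.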

Robbe Van den Daele
Released: June 12, 2025