Query Details

Identity Visualize Legacy Auth

Query

//Visualize distinct users allowed to connect via legacy auth vs blocked by conditional access

//Data connector required for this query - Azure Active Directory - Signin Logs

//Microsoft Sentinel query
SigninLogs
| where TimeGenerated > ago(180d)
| where ResultType in ("0", "53003")
| where ClientAppUsed in ("Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown", "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book")
| summarize
    ['Legacy Auth Users Allowed']=dcountif(UserPrincipalName, ResultType == 0),
    ['Legacy Auth Users Blocked']=dcountif(UserPrincipalName, ResultType == 53003)
    by bin(TimeGenerated, 1d)
| render timechart with (title="Legacy auth distinct users allowed vs blocked by Conditional Access")

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting with Azure AD P2 License

//Visualize distinct users allowed to connect via legacy auth vs blocked by conditional access
AADSignInEventsBeta
| where Timestamp > ago(180d)
| where ErrorCode in ("0", "53003")
| where ClientAppUsed in ("Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown", "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book")
| summarize
    ['Legacy Auth Users Allowed']=dcountif(AccountUpn, ErrorCode == 0),
    ['Legacy Auth Users Blocked']=dcountif(AccountUpn, ErrorCode == 53003)
    by bin(Timestamp, 1d)
| render timechart

Explanation

The query visualizes, per day, the number of distinct users who successfully connected using legacy authentication protocols (ResultType 0) against the number of distinct users whose legacy-auth sign-ins were blocked by Conditional Access (ResultType 53003). Two versions are given: one for the Azure Active Directory Signin Logs data connector in Microsoft Sentinel, and one for Advanced Hunting, which requires an Azure AD P2 license. Each version restricts the data to the last 180 days and to the client applications associated with legacy authentication (Exchange ActiveSync, POP3, IMAP4, Authenticated SMTP and so on), then uses dcountif to count the distinct users allowed and the distinct users blocked, grouped into one-day bins. Finally, it renders the result as a time chart so the trend over time can be seen.
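As an added illustration (not part of the original page or the author's repository), the following Python emulates the Sentinel version's dcountif-by-day logic over a handful of constructed sign-in records, so the distinct-count semantics can be checked offline: a user who is both allowed and blocked on the same day appears in both series, and modern-auth clients and other failure codes are excluded. The record shape, field names and sample values are assumptions modelled on the SigninLogs columns the query uses.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Legacy-auth client applications, taken from the query's ClientAppUsed filter.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown",
    "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP",
    "Offline Address Book",
}
ALLOWED, BLOCKED_BY_CA = "0", "53003"  # the two ResultType values the query keeps


def legacy_auth_daily(records):
    """Return {day: {"allowed": n, "blocked": n}} where n is the number of
    distinct UserPrincipalName values, mirroring
    dcountif(UserPrincipalName, ...) by bin(TimeGenerated, 1d)."""
    allowed = defaultdict(set)
    blocked = defaultdict(set)
    for rec in records:
        if rec["ClientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue  # modern-auth clients are out of scope
        if rec["ResultType"] not in (ALLOWED, BLOCKED_BY_CA):
            continue  # other failures (e.g. bad password) are not counted
        day = rec["TimeGenerated"].date().isoformat()  # bin(TimeGenerated, 1d)
        bucket = allowed if rec["ResultType"] == ALLOWED else blocked
        bucket[day].add(rec["UserPrincipalName"])  # set => distinct count
    days = sorted(set(allowed) | set(blocked))
    return {d: {"allowed": len(allowed[d]), "blocked": len(blocked[d])} for d in days}


def _rec(day, hour, upn, app, result):
    """Build one constructed SigninLogs-like record (sample data, not real)."""
    return {"TimeGenerated": datetime(2022, 6, day, hour, tzinfo=timezone.utc),
            "UserPrincipalName": upn, "ClientAppUsed": app, "ResultType": result}


# Constructed sample records; the UPNs and tenant are fictitious.
SAMPLE = [
    _rec(1, 8, "alice@contoso.example", "IMAP4", "0"),               # allowed
    _rec(1, 9, "alice@contoso.example", "IMAP4", "0"),               # same user, counted once
    _rec(1, 10, "bob@contoso.example", "Authenticated SMTP", "53003"),  # blocked by CA
    _rec(1, 11, "bob@contoso.example", "POP3", "0"),                 # same user also allowed
    _rec(1, 12, "carol@contoso.example", "Browser", "0"),            # modern auth, excluded
    _rec(1, 13, "dave@contoso.example", "Exchange ActiveSync", "50126"),  # wrong password, excluded
    _rec(2, 8, "alice@contoso.example", "IMAP4", "53003"),           # blocked next day
    _rec(2, 9, "dave@contoso.example", "Exchange ActiveSync", "53003"),  # blocked next day
]

if __name__ == "__main__":
    for day, counts in legacy_auth_daily(SAMPLE).items():
        print(day, counts)
```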

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs, AADSignInEventsBeta

Keywords

SigninLogs, TimeGenerated, ResultType, ClientAppUsed, UserPrincipalName, LegacyAuthUsersAllowed, LegacyAuthUsersBlocked; AADSignInEventsBeta, Timestamp, ErrorCode, ClientAppUsed, AccountUpn, LegacyAuthUsersAllowed, LegacyAuthUsersBlocked

Operators

where, ago, in, dcountif, by, bin, render
