Query Details

KQL To Check Privilege Admin Failing Microsoft CA MFA Enforcement

Query

// KQL to check Privilege Admin failing Microsoft CA MFA enforcement

// Step 1: build the list of privileged accounts from IdentityInfo
// (any account whose AssignedRoles is populated in the last 14 days of records)
let PrivilegeAdmin =
IdentityInfo
| where TimeGenerated > ago(14d)
| where AssignedRoles != "[]" and isnotnull(AssignedRoles)
| distinct AccountUPN;
// Step 2: successful sign-ins by those accounts where the Microsoft-managed admin MFA policy
// was evaluated and returned reportOnlyFailure (policy in report-only mode, MFA requirement not met).
// SigninLogs carries no TimeGenerated filter here, so the query's time range selection applies.
SigninLogs
| where UserPrincipalName has_any(PrivilegeAdmin)
| where ResultType == "0"
| where ConditionalAccessPolicies != "[]"
| mv-expand ConditionalAccessPolicies
| extend CADisplayName = tostring(ConditionalAccessPolicies.displayName)
| extend CAResult = tostring(ConditionalAccessPolicies.result)
| where CADisplayName == "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals"
| where CAResult == "reportOnlyFailure"

Explanation

This KQL query is designed to identify privileged admin accounts that have failed to comply with a specific Microsoft Conditional Access (CA) policy related to Multi-Factor Authentication (MFA) enforcement. Here's a simplified breakdown:

  1. Identify Privileged Admin Accounts:

    • The query first looks at IdentityInfo records from the past 14 days to find accounts that have any roles assigned.
    • It filters out accounts with no roles assigned and ensures the AssignedRoles field is not null.
    • It then collects the unique User Principal Names (UPNs) of these accounts.
  2. Check Sign-in Logs for MFA Enforcement Failures:

    • The query then checks the SigninLogs table for sign-in attempts by these privileged admin accounts.
    • It filters for successful sign-ins (ResultType == "0").
    • It looks for sign-ins where Conditional Access Policies were applied.
    • It expands the ConditionalAccessPolicies array to examine each policy individually.
    • It extracts the display name and result of each Conditional Access policy.
    • It specifically looks for the policy named "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals".
    • Finally, it filters for cases where this policy resulted in a "reportOnlyFailure", meaning the policy was evaluated in report-only mode and the MFA requirement was not met.

In summary, this query identifies privileged admin accounts (as seen in IdentityInfo over the last 14 days) that have successfully signed in but did not meet the MFA requirement of a specific Microsoft Conditional Access policy.
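As an added example (not part of Steven Lim's original query), the same check extended to a bounded sign-in window, to enforced ("failure") as well as report-only results, and to a per-account summary suitable for a scheduled analytics rule. The `lookback` variable, the `Outcome` column and the 10-item set caps are choices made here, not from the original.

```kusto
// Added example: bounded window, both report-only and enforced results, summarised per admin.
let lookback = 14d;  // assumption: one window for both the IdentityInfo lookup and the sign-ins
let PolicyName = "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals";
let PrivilegeAdmin =
    IdentityInfo
    | where TimeGenerated > ago(lookback)
    | where isnotnull(AssignedRoles) and tostring(AssignedRoles) != "[]"
    | distinct AccountUPN;
SigninLogs
| where TimeGenerated > ago(lookback)
// no ResultType filter: enforced failures carry a non-zero ResultType and are wanted here too
| where UserPrincipalName in~ (PrivilegeAdmin)
| mv-expand ConditionalAccessPolicies
| extend CADisplayName = tostring(ConditionalAccessPolicies.displayName),
         CAResult = tostring(ConditionalAccessPolicies.result)
| where CADisplayName == PolicyName
// reportOnlyFailure: policy in report-only mode, sign-in allowed without MFA
// failure: policy enforced, sign-in blocked
| where CAResult in ("reportOnlyFailure", "failure")
| extend Outcome = iff(CAResult == "failure", "Blocked (enforced)", "Allowed (report-only)")
| summarize FailedSignins = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName, 10),
            SourceIPs = make_set(IPAddress, 10)
    by UserPrincipalName, Outcome
| order by FailedSignins desc
```

Rows with Outcome "Allowed (report-only)" are the gap the original query surfaces; once the policy is switched to enforced, the same accounts show up under "Blocked (enforced)" until they register MFA.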

Details


Steven Lim

Released: August 20, 2024

Tables

IdentityInfo, SigninLogs

Keywords

IdentityInfo, SigninLogs, AccountUPN, UserPrincipalName, ConditionalAccessPolicies, CADisplayName, CAResult

Operators

let, |, >, ago(), !=, and, isnotnull(), distinct, has_any(), ==, mv-expand, extend, tostring()
