KQL To Check Privilege Admin Failing Microsoft CA MFA Enforcement
Query
// KQL to check Privilege Admin failing Microsoft CA MFA enforcement
let PrivilegeAdmin =
IdentityInfo
| where TimeGenerated > ago(14d)
| where AssignedRoles != "[]" and isnotnull(AssignedRoles)
| distinct AccountUPN;
SigninLogs
| where UserPrincipalName has_any(PrivilegeAdmin)
| where ResultType == "0"
| where ConditionalAccessPolicies != "[]"
| mv-expand ConditionalAccessPolicies
| extend CADisplayName = tostring(ConditionalAccessPolicies.displayName)
| extend CAResult = tostring(ConditionalAccessPolicies.result)
| where CADisplayName == "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals"
| where CAResult == "reportOnlyFailure"
// MITRE ATT&CK Mapping
// The KQL query can be associated with the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// The query identifies privileged accounts and monitors their sign-in activities, which aligns with the use of valid accounts for persistence or privilege escalation1.
// T1078.003 - Valid Accounts: Cloud Accounts:
// Specifically focuses on cloud accounts, as it deals with Azure AD sign-in logs and conditional access policies1.
// T1110 - Brute Force:
// Monitoring failed conditional access policies can help detect brute force attempts where attackers try to bypass multi-factor authentication1.
// T1556 - Modify Authentication Process:
// The query checks for failures in multi-factor authentication policies, which could indicate attempts to modify or bypass the authentication process1.Explanation
This KQL query is designed to identify privileged admin accounts that have failed to comply with a specific Microsoft Conditional Access policy requiring multi-factor authentication (MFA) for accessing Microsoft Admin Portals. Here's a simple breakdown of what the query does:
-
Identify Privileged Admins:
- It first looks at the
IdentityInfotable to find accounts with assigned roles, indicating they have some level of privilege. It filters out any entries where the assigned roles are empty or null. - It collects the unique user principal names (UPNs) of these privileged accounts.
- It first looks at the
-
Check Sign-in Logs:
- It then examines the
SigninLogstable for sign-in attempts by these privileged accounts. - It filters for successful sign-ins (
ResultType == "0") where the conditional access policies are not empty.
- It then examines the
-
Evaluate Conditional Access Policies:
- The query expands the conditional access policies to check if any of them are named "Microsoft-managed: Multifactor authentication for admins accessing Microsoft Admin Portals".
- It specifically looks for cases where the result of this policy is "reportOnlyFailure", indicating that the MFA requirement was not enforced successfully.
-
Security Implications:
- The query helps in identifying potential security risks by detecting when privileged accounts fail to meet MFA requirements, which could be a sign of attempted unauthorized access or a misconfiguration.
-
MITRE ATT&CK Techniques:
- The query is linked to several MITRE ATT&CK techniques, such as:
- T1078 - Valid Accounts: Monitoring privileged accounts for potential misuse.
- T1078.003 - Valid Accounts: Cloud Accounts: Focuses on cloud-based accounts.
- T1110 - Brute Force: Detects potential brute force attempts to bypass MFA.
- T1556 - Modify Authentication Process: Identifies attempts to bypass or modify the authentication process.
- The query is linked to several MITRE ATT&CK techniques, such as:
In summary, this query is a security measure to monitor and ensure that privileged accounts comply with MFA policies, helping to prevent unauthorized access to sensitive admin portals.
Details

Steven Lim
Released: August 25, 2024
Tables
IdentityInfoSigninLogs
Keywords
IdentityInfoAssignedRolesAccountUPNSigninLogsUserPrincipalNameResultTypeConditionalAccessPoliciesDisplayNameResultMicrosoftAdminPortalsAzureADSignInLogsConditionalAccessPolicies
Operators
let|where>ago!=andisnotnulldistincthas_any==mv-expandextendtostring