Legacy Auth Signin
Query
//Sign in Legacy authentication Azure AD
SigninLogs
| where TimeGenerated > ago(2d)
| where not(ClientAppUsed has "Mobile Apps and Desktop clients")
| where not(ClientAppUsed has "Browser")
| where (ClientAppUsed has "Exchange Web Services")
| summarize arg_max(TimeGenerated,*) by UserPrincipalNameExplanation
This query is looking at sign-in logs in Azure AD for the past 2 days. It filters out sign-ins from mobile apps, desktop clients, and browsers. It then looks for sign-ins using Exchange Web Services and summarizes the latest sign-in for each user by their UserPrincipalName.
Details

Rod Trent
Released: July 16, 2021
Tables
SigninLogs
Keywords
SigninLogsTimeGeneratedClientAppUsedMobile Apps and Desktop clientsBrowserExchange Web ServicesUserPrincipalName
Operators
wherenothasagosummarizearg_maxby