Query Details

Refresh Token Reuse Intune

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d508
name: Intune - Possible refresh token / PRT reuse accessing Intune resource
description: |
  Detects non-interactive token redemption for Intune / Device Management resources from
  an IP or ASN not previously associated with the user, where MFA was not freshly performed.
  This pattern is characteristic of stolen refresh-token / PRT replay (token-theft).
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CredentialAccess
  - LateralMovement
relevantTechniques:
  - T1528
  - T1550.001
query: |
  let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
  let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
  let intuneResources = dynamic([
      "Microsoft Intune","Microsoft Intune API","Device Management",
      "Windows 365","Microsoft Graph"
  ]);
  let baseline =
      AADNonInteractiveUserSignInLogs
      | where TimeGenerated between (ago(14d) .. ago(1h))
      | summarize KnownIPs = make_set(IPAddress, 500), KnownASNs = make_set(tostring(AutonomousSystemNumber), 50)
                by UPN = tolower(UserPrincipalName);
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where ResultType == 0
  // coalesce(): ipv4_is_in_any_range() returns null for an IPv6 source, and not(null) would silently drop the row
  | where not(coalesce(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges), false))
  | where ResourceDisplayName has_any (intuneResources)
  | extend UPN = tolower(UserPrincipalName), ASN = tostring(AutonomousSystemNumber)
  | extend AuthDetails = tostring(AuthenticationDetails)
  | where AuthDetails !has "Multifactor"  // token used without fresh MFA
  | join kind=leftouter baseline on UPN
  | where isnull(KnownIPs) or (not(set_has_element(KnownIPs, IPAddress)) and not(set_has_element(KnownASNs, ASN)))
  | project TimeGenerated, UPN, IPAddress, ASN, ResourceDisplayName, AppDisplayName,
            UserAgent, Location=tostring(parse_json(tostring(LocationDetails)).countryOrRegion)
  | extend AccountCustomEntity = UPN, IPCustomEntity = IPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect suspicious activity related to the use of refresh tokens or Primary Refresh Tokens (PRTs) in accessing Intune or Device Management resources. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where a user accesses Intune resources without recent Multi-Factor Authentication (MFA) from an IP address or Autonomous System Number (ASN) that hasn't been previously associated with that user. This could indicate token theft and unauthorized access.

  2. Severity: The alert generated by this query is considered high severity because it may indicate credential theft and unauthorized access.

  3. Data Source: It uses the Microsoft Entra ID (Azure Active Directory) non-interactive user sign-in logs (AADNonInteractiveUserSignInLogs), which is where refresh-token and PRT redemptions by a client on the user's behalf are recorded; interactive sign-ins are not examined.

  4. Frequency and Period: The rule runs every hour (queryFrequency: 1h) and pulls 14 days of data (queryPeriod: 14d). The long window exists only to build the per-user baseline; alerts are evaluated on the most recent hour alone.

  5. Detection Logic:

    • It first builds a baseline of known IP addresses and ASNs per user (UPN lower-cased) from the window 14 days ago up to 1 hour ago; the most recent hour is excluded so the sign-ins being evaluated cannot seed their own baseline.
    • It then examines the sign-ins of the last hour.
    • It keeps only successful sign-ins (ResultType == 0) whose source IP is not in the NetworkAllowlist watchlist (ipv4_is_in_any_range understands IPv4 only, so IPv6 ranges cannot be allow-listed here).
    • It keeps only sign-ins to the listed Intune-related resources; note that "Microsoft Graph" is broad and also matches plenty of non-Intune traffic, so expect it to dominate the results.
    • It drops sign-ins whose AuthenticationDetails string contains the term "Multifactor" and treats the rest as token use without fresh MFA. In non-interactive logs MFA is normally satisfied by a claim carried in the token rather than performed, so check the wording your tenant records for such entries before relying on this filter.
    • It flags a sign-in only when both the IP and the ASN are absent from the user's baseline, or when the user has no baseline at all (a user not seen in the previous 14 days fires on any matching sign-in).
  6. Output: The query outputs details like the time of access, user principal name (UPN), IP address, ASN, resource accessed, application name, user agent, and location.

  7. Entity Mapping: It maps the user and IP address to entities for further investigation.

  8. Version and Status: The query is version 1.0.0, has status Available, and is deployed as a scheduled analytics rule (kind: Scheduled).

In summary, this query helps identify potential unauthorized access to Intune resources by detecting anomalies in token usage patterns, which could suggest credential theft.
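To see exactly which rows the detection logic above fires on, here is an added test harness that is not part of the published rule. The live AADNonInteractiveUserSignInLogs table is replaced by a datatable of constructed sign-ins, the NetworkAllowlist watchlist by a literal range list, and the clock is pinned to a fixed RefTime so the result is reproducible in any Log Analytics workspace. The allow-list check is wrapped in coalesce() because ipv4_is_in_any_range() returns null for an IPv6 source, which not() would otherwise turn into a dropped row. Every user, IP, ASN, resource and AuthenticationDetails string below is invented; the wording your tenant records for the MFA step must be checked before the !has "Multifactor" filter is trusted.

```kql
// Added harness (constructed data, not the rule's own code): run as-is, then compare the
// output with the "expected" comments. RefTime stands in for now().
let RefTime = datetime(2026-04-22T12:00:00Z);
let AllowedRanges = dynamic(["203.0.113.0/24"]);   // stands in for the NetworkAllowlist watchlist
let intuneResources = dynamic([
    "Microsoft Intune","Microsoft Intune API","Device Management",
    "Windows 365","Microsoft Graph"
]);
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string,
                        AutonomousSystemNumber:int, ResultType:string, ResourceDisplayName:string,
                        AppDisplayName:string, UserAgent:string, AuthenticationDetails:string,
                        LocationDetails:string)
[
    // baseline window (older than RefTime - 1h): alice is known from 198.51.100.10 / ASN 64500.
    // Mixed-case UPN on purpose, to show the tolower() normalisation.
    datetime(2026-04-15T09:00:00Z), "Alice@contoso.com", "198.51.100.10", 64500, "0", "Microsoft Graph",
        "Microsoft Intune Company Portal", "Mozilla/5.0", '[{"authenticationMethod":"Previously satisfied"}]', '{"countryOrRegion":"NL"}',
    // detection window (last hour before RefTime)
    // expected HIT: new IP and new ASN, no fresh MFA
    datetime(2026-04-22T11:30:00Z), "alice@contoso.com", "192.0.2.77", 64510, "0", "Microsoft Intune",
        "Microsoft Intune Company Portal", "python-requests/2.31", '[{"authenticationMethod":"Previously satisfied"}]', '{"countryOrRegion":"RU"}',
    // expected no hit: new IP, but the ASN is already in alice's baseline
    datetime(2026-04-22T11:31:00Z), "alice@contoso.com", "198.51.100.99", 64500, "0", "Microsoft Intune",
        "Microsoft Intune Company Portal", "Mozilla/5.0", '[{"authenticationMethod":"Previously satisfied"}]', '{"countryOrRegion":"NL"}',
    // expected no hit: source is inside the allow-list
    datetime(2026-04-22T11:32:00Z), "alice@contoso.com", "203.0.113.5", 64520, "0", "Device Management",
        "Microsoft Intune Company Portal", "Mozilla/5.0", '[{"authenticationMethod":"Previously satisfied"}]', '{"countryOrRegion":"NL"}',
    // expected no hit: AuthenticationDetails carries the term "Multifactor"
    datetime(2026-04-22T11:33:00Z), "alice@contoso.com", "192.0.2.78", 64530, "0", "Microsoft Intune",
        "Microsoft Intune Company Portal", "Mozilla/5.0", '[{"authenticationMethod":"Multifactor authentication"}]', '{"countryOrRegion":"NL"}',
    // expected HIT: IPv6 source, new ASN; without coalesce() this row would vanish in the allow-list check
    datetime(2026-04-22T11:34:00Z), "alice@contoso.com", "2001:db8::1", 64560, "0", "Microsoft Intune API",
        "Microsoft Intune Company Portal", "Mozilla/5.0", '[{"authenticationMethod":"Previously satisfied"}]', '{"countryOrRegion":"DE"}',
    // expected HIT: bob has no baseline at all, so any matching sign-in fires
    datetime(2026-04-22T11:35:00Z), "bob@contoso.com", "192.0.2.79", 64540, "0", "Windows 365",
        "Windows 365 Client", "Mozilla/5.0", '[{"authenticationMethod":"Previously satisfied"}]', '{"countryOrRegion":"US"}',
    // expected no hit: resource is not in the Intune list
    datetime(2026-04-22T11:36:00Z), "alice@contoso.com", "192.0.2.80", 64550, "0", "Office 365 Exchange Online",
        "Outlook", "Mozilla/5.0", '[{"authenticationMethod":"Previously satisfied"}]', '{"countryOrRegion":"NL"}'
];
// Per-user baseline: 14 days back, stopping 1 hour before RefTime so the rows under test
// cannot seed their own baseline.
let baseline =
    SignIns
    | where TimeGenerated between ((RefTime - 14d) .. (RefTime - 1h))
    | summarize KnownIPs = make_set(IPAddress, 500), KnownASNs = make_set(tostring(AutonomousSystemNumber), 50)
              by UPN = tolower(UserPrincipalName);
SignIns
| where TimeGenerated > (RefTime - 1h)
| where ResultType == 0
| where not(coalesce(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges), false))
| where ResourceDisplayName has_any (intuneResources)
| extend UPN = tolower(UserPrincipalName), ASN = tostring(AutonomousSystemNumber)
| extend AuthDetails = tostring(AuthenticationDetails)
| where AuthDetails !has "Multifactor"
| join kind=leftouter baseline on UPN
// fire when the user has no baseline, or when BOTH the IP and the ASN are unseen
| where isnull(KnownIPs) or (not(set_has_element(KnownIPs, IPAddress)) and not(set_has_element(KnownASNs, ASN)))
| project TimeGenerated, UPN, IPAddress, ASN, ResourceDisplayName, AppDisplayName, UserAgent,
          Location = tostring(parse_json(tostring(LocationDetails)).countryOrRegion)
| order by TimeGenerated asc
// expected: exactly three rows, alice from 192.0.2.77, alice from 2001:db8::1, bob from 192.0.2.79
```

Swapping a row's ASN for 64500 or its IP for 198.51.100.10 shows the "both new" condition in action: one known attribute is enough to suppress the alert, which is the intended trade-off against roaming users on the same carrier but also the gap an attacker on the victim's ISP slips through.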

Details


David Alonso

Released: April 22, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

Intune, Device Management, User, IP, ASN, Token, Authentication, Location, Account

Operators

let, project, toscalar, dynamic, summarize, make_set, tolower, between, ago, has_any, extend, tostring, join, kind=leftouter, isnull, not, set_has_element, ipv4_is_in_any_range, parse_json, where, ==, !has, !, and, or, >, ..
