Risky sign-in events to Azure Portal without applied Conditional Access Policies.
Risky Sign In To Azure Portal
Query
union AADNonInteractiveUserSignInLogs, SigninLogs
| where ConditionalAccessStatus == "notApplied" and ResultType == "0"
| where RiskLevelDuringSignIn != "none" or RiskLevelAggregated != "none"
// Azure Portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
| where AppId in ("c44b4083-3bb0-49c1-b47d-974e53cbdf3c")
| project timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, AppDisplayName, RiskLevelDuringSignIn, RiskLevelAggregated, RiskDetail, RiskState, IsRisky, OriginalRequestIdExplanation
This query is designed to identify risky sign-in events to the Azure Portal where Conditional Access Policies were not applied. It checks Azure Active Directory sign-in logs for instances where:
- Conditional Access Policies were not applied (
ConditionalAccessStatus == "notApplied"). - The sign-in was successful (
ResultType == "0"). - There was some level of risk associated with the sign-in (
RiskLevelDuringSignIn != "none"orRiskLevelAggregated != "none"). - The sign-in was specifically to the Azure Portal (identified by the AppId).
The query runs every hour and looks back over the past hour to find any such events. If it finds any, it triggers an alert. The results include details like the timestamp, user account, IP address, application name, risk levels, risk details, and the original request ID. The query is part of a scheduled task and is associated with the "Initial Access" tactic and the "T1078" technique, which relates to valid accounts being used for access.
Details

Thomas Naunheim
Released: November 18, 2023
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 1h