Query Details
**Sign-in Attempts Using Deprecated TLS Versions**
**Description:** This query identifies Azure AD sign-ins that are using legacy TLS versions (below TLS 1.2). It highlights the accounts, devices, and applications involved, providing visibility into insecure protocol usage. Tracking these events helps detect weak encryption risks and enables proactive remediation to enforce modern, secure standards.
```
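AADSignInEventsBeta
// Keep successful sign-ins only
| where ErrorCode == 0
// Flatten the key/value array in AuthenticationProcessingDetails into one property bag per sign-in
| mv-apply d = parse_json(AuthenticationProcessingDetails) on (
    extend key = tostring(d.key), value = tostring(d.value)
    | summarize details = make_bag(pack(key, value))
)
// Read the legacy TLS flag and keep sign-ins where it is set
| extend LegacyTLS = tostring(details['Legacy TLS (TLS 1.0, 1.1, 3DES)'])
| where tolower(LegacyTLS) == "true"
// Timestamp and ReportId are part of the grouping key, so each row is effectively a single sign-in event
| summarize Sessions = count()
    by AccountUpn, ApplicationId, UserAgent, Timestamp, ReportId
| order by Sessions desc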
```
This query identifies and reports on Azure Active Directory (Azure AD) sign-in attempts that use outdated and insecure versions of the TLS (Transport Layer Security) protocol, specifically versions below TLS 1.2. Here's a simple breakdown of what the query does:

1. **Data Source:** It starts by looking at sign-in events from Azure AD.
2. **Filter for Successful Sign-ins:** It filters the data to include only successful sign-ins (where ErrorCode is 0).
3. **Extract Authentication Details:** It processes the authentication details to extract specific information about the protocol used during the sign-in.
4. **Identify Deprecated TLS Usage:** It checks whether the sign-in used deprecated TLS versions or ciphers (TLS 1.0, TLS 1.1, or 3DES) by looking for a specific flag (Legacy TLS) in the authentication details.
5. **Count and Group Sign-ins:** It counts the sign-ins that used these outdated protocols and groups the results by user account, application, user agent, sign-in time, and report ID. Because the sign-in time and report ID are part of the grouping, each row corresponds to an individual sign-in event.
6. **Order Results:** Finally, it orders the results by the number of sessions, showing the most frequent occurrences first.

This query helps organizations identify weak encryption practices in their Azure AD sign-ins, allowing them to take action to enforce more secure, modern encryption standards.
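
As an added example (not part of the original query or the author's own code), the variant below applies the same legacy TLS filter but groups only by account, application, and user agent, so Sessions becomes a per-client total with first and last seen times that can be used to prioritize remediation. It runs against a constructed datatable: SampleSignIns, its UPNs, application IDs, user agents, and report IDs are made-up sample values standing in for AADSignInEventsBeta.

```kql
// Constructed sample rows (not real telemetry) shaped like AADSignInEventsBeta.
let SampleSignIns = datatable(Timestamp:datetime, ReportId:string, AccountUpn:string,
    ApplicationId:string, UserAgent:string, ErrorCode:int, AuthenticationProcessingDetails:string)
[
    // Same account, app, and client using legacy TLS on three different days
    datetime(2025-09-01 08:00:00), "r1", "alice@example.com", "00000000-0000-0000-0000-00000000000a", "LegacyMailClient/1.0", 0,
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"},{"key":"Is CAE Token","value":"False"}]',
    datetime(2025-09-02 08:05:00), "r2", "alice@example.com", "00000000-0000-0000-0000-00000000000a", "LegacyMailClient/1.0", 0,
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"},{"key":"Is CAE Token","value":"False"}]',
    datetime(2025-09-03 08:10:00), "r3", "alice@example.com", "00000000-0000-0000-0000-00000000000a", "LegacyMailClient/1.0", 0,
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"},{"key":"Is CAE Token","value":"False"}]',
    // Modern client: flag is False, so it must not be reported
    datetime(2025-09-02 09:00:00), "r4", "bob@example.com", "00000000-0000-0000-0000-00000000000b", "ModernBrowser/120.0", 0,
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"False"},{"key":"Is CAE Token","value":"True"}]',
    // Failed sign-in over legacy TLS: excluded by the ErrorCode filter
    datetime(2025-09-02 10:00:00), "r5", "carol@example.com", "00000000-0000-0000-0000-00000000000a", "LegacyMailClient/1.0", 50126,
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"}]',
    // Single legacy TLS sign-in from a different client
    datetime(2025-09-03 11:00:00), "r6", "dave@example.com", "00000000-0000-0000-0000-00000000000c", "OldSyncTool/2.3", 0,
        '[{"key":"Legacy TLS (TLS 1.0, 1.1, 3DES)","value":"True"}]'
];
SampleSignIns
| where ErrorCode == 0
// Same bag-building step as the original query
| mv-apply d = parse_json(AuthenticationProcessingDetails) on (
    extend key = tostring(d.key), value = tostring(d.value)
    | summarize details = make_bag(pack(key, value))
)
| extend LegacyTLS = tostring(details['Legacy TLS (TLS 1.0, 1.1, 3DES)'])
| where tolower(LegacyTLS) == "true"
// Timestamp and ReportId are aggregated instead of grouped on,
// so repeated sign-ins from the same client collapse into one row
| summarize Sessions = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by AccountUpn, ApplicationId, UserAgent
| order by Sessions desc
```

To use it against live data, replace SampleSignIns with AADSignInEventsBeta and drop the datatable definition.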

Sergio Albea
Released: September 16, 2025