Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration

calendar Jun 18, 2026 · Domain: Cloud Domain: Identity Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Sign-in Logs Data Source: Azure AD Graph Data Source: Azure AD Graph Activity Logs Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Tactic: Initial Access Tactic: Discovery Resources: Investigation Guide  ·
Share on: linkedin copy

Correlates a successful Entra ID device-code sign-in to the legacy Azure AD Graph audience (00000002-0000-0000-c000-000000000000) from an unmanaged device with directory enumeration against graph.windows.net by the same user within a short window. Device-code phishing is the dominant OAuth phishing variant against Microsoft tenants: the adversary initiates the flow, relays the user-facing code to the victim, and on redemption walks away with an access or refresh token bound to the targeted resource without ever handling the user's password or MFA factor. When the redeemed audience is AAD Graph and the redeeming device is unmanaged, the follow-on Graph traffic is the compromised cloud account being used by the attacker, not by the user. This rule fires when that token is immediately turned around against the directory under the same identity to read user, group, service principal, application, role assignment, directory object, policy, OAuth permission grant, or tenant detail collections.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/05/22"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2026/05/22"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Correlates a successful Entra ID device-code sign-in to the legacy Azure AD Graph audience
 11(00000002-0000-0000-c000-000000000000) from an unmanaged device with directory enumeration against graph.windows.net by
 12the same user within a short window. Device-code phishing is the dominant OAuth phishing variant against Microsoft
 13tenants: the adversary initiates the flow, relays the user-facing code to the victim, and on redemption walks away with
 14an access or refresh token bound to the targeted resource without ever handling the user's password or MFA factor. When
 15the redeemed audience is AAD Graph and the redeeming device is unmanaged, the follow-on Graph traffic is the compromised
 16cloud account being used by the attacker, not by the user. This rule fires when that token is immediately turned around
 17against the directory under the same identity to read user, group, service principal, application, role assignment,
 18directory object, policy, OAuth permission grant, or tenant detail collections.
 19"""
 20false_positives = [
 21    """
 22    Authorized red team or audit activity (ROADrecon, ROADtools, AADInternals, roadtx). Document the engagement window
 23    and add exceptions on the calling user.
 24    """,
 25    """
 26    A developer or operator legitimately running first-party tooling under the device-code flow that then enumerates
 27    directory objects during onboarding or troubleshooting. Validate the calling app and source IP and exclude as
 28    appropriate.
 29    """,
 30]
 31from = "now-9m"
 32index = ["logs-azure.signinlogs-*", "logs-azure.aadgraphactivitylogs-*"]
 33language = "eql"
 34license = "Elastic License v2"
 35name = "Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration"
 36note = """## Triage and analysis
 37
 38### Investigating Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration
 39
 40Device-code phishing redeems an OAuth access token directly into the adversary's hands without
 41ever touching the victim's password or MFA factor. When the redemption targets the legacy AAD
 42Graph audience from an unmanaged device, the resulting token is overwhelmingly used to drive
 43directory recon under the compromised identity. ROADrecon / ROADtools, AADInternals
 44(`Get-AADIntTenantDetails`, `Get-AADIntUsers`), and manual `roadtx` flows all match this shape.
 45
 46### Possible investigation steps
 47
 48- Confirm the sign-in shape.
 49    - `azure.signinlogs.properties.authentication_protocol` is `deviceCode`.
 50    - `azure.signinlogs.properties.resource_id` is `00000002-0000-0000-c000-000000000000` (legacy AAD Graph audience).
 51    - `azure.signinlogs.properties.device_detail.is_managed` is `false`.
 52- Identify the calling client used to drive the device-code grant.
 53    - `azure.signinlogs.properties.app_id`, `azure.signinlogs.properties.app_display_name`.
 54    - FOCI / pre-consented Microsoft clients (Teams, Office, Azure CLI, Azure PowerShell) are the canonical ride-along clients for device-code phishing because they bypass app consent.
 55- Review source posture for the redemption and the Graph follow-on independently.
 56    - `source.ip`, `source.as.organization.name`, `source.geo.country_name`. Residential / VPS / anonymising-network egress raises priority.
 57    - A code redeemed from one IP and Graph driven from another is a strong adversary-in-the-middle signal: the user clicked, the attacker is now driving the session.
 58- Review what was queried on the Graph side.
 59    - `url.path` on the second event. `applicationRefs`, `eligibleRoleAssignments`, and `directoryObjects` casts (`$/Microsoft.DirectoryServices.ServicePrincipal`) are the textbook ROADrecon signature; `tenantDetails` from an `AADInternals` user-agent is the AADInternals signature.
 60- Check the API version on the Graph call.
 61    - `azure.aadgraphactivitylogs.properties.api_version`. `1.61-internal` is a strong tooling indicator and returns data the public surface withholds (Conditional Access policies, MFA configuration on user objects).
 62- Pivot to surrounding sign-ins for the same user. Other device-code redemptions to Microsoft Graph, Azure Resource Manager, or Exchange in the same window suggest the attacker is multi-homing the token harvest.
 63- Confirm the activity is not attributable to authorized testing before treating as malicious.
 64
 65### Response and remediation
 66
 67- Revoke refresh tokens and active sessions for the compromised user.
 68    - `POST /v1.0/users/{id}/revokeSignInSessions`.
 69- Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.
 70    - `PATCH /v1.0/users/{id}` with body `{"accountEnabled": false}`.
 71- Check for device registrations created by the user during or around the burst window and remove rogue devices.
 72    - `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}`.
 73    - Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`.
 74- If the calling application has no legitimate AAD Graph dependency, block further use by that app.
 75    - `PATCH /beta/applications/{id}` with body `{"authenticationBehaviors": {"blockAzureADGraphAccess": true}}`.
 76    - This property lives on the Graph beta endpoint, not v1.0.
 77- Apply Conditional Access targeting the device-code grant: require a managed / compliant device or block the device-code grant outside of explicitly approved app + user populations.
 78"""
 79references = [
 80    "https://github.com/dirkjanm/ROADtools",
 81    "https://github.com/Gerenios/AADInternals",
 82    "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview",
 83]
 84risk_score = 73
 85rule_id = "aa04377a-19b5-4940-952f-aad173790d23"
 86setup = """#### Microsoft Entra ID Sign-in Logs and Azure AD Graph Activity Logs
 87Requires both data streams ingested via the Elastic Azure integration:
 88- Microsoft Entra ID sign-in logs into `logs-azure.signinlogs-*` (enable the `SignInLogs` diagnostic-settings category on Entra ID).
 89- Azure AD Graph Activity Logs into `logs-azure.aadgraphactivitylogs-*` (enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID).
 90"""
 91severity = "high"
 92tags = [
 93    "Domain: Cloud",
 94    "Domain: Identity",
 95    "Data Source: Azure",
 96    "Data Source: Microsoft Entra ID",
 97    "Data Source: Microsoft Entra ID Sign-in Logs",
 98    "Data Source: Azure AD Graph",
 99    "Data Source: Azure AD Graph Activity Logs",
100    "Use Case: Identity and Access Audit",
101    "Use Case: Threat Detection",
102    "Tactic: Credential Access",
103    "Tactic: Initial Access",
104    "Tactic: Discovery",
105    "Resources: Investigation Guide",
106]
107timestamp_override = "event.ingested"
108type = "eql"
109
110query = '''
111sequence by user.id, azure.tenant_id with maxspan=5m
112[authentication where
113    data_stream.dataset == "azure.signinlogs" and
114    event.outcome == "success" and
115    azure.signinlogs.properties.authentication_protocol == "deviceCode" and
116    azure.signinlogs.properties.device_detail.is_managed == false and
117    azure.signinlogs.properties.resource_id == "00000002-0000-0000-c000-000000000000"]
118[web where
119    data_stream.dataset == "azure.aadgraphactivitylogs" and
120    url.path : (
121        "*/users*",
122        "*/groups*",
123        "*/servicePrincipals*",
124        "*/applications*",
125        "*/applicationRefs*",
126        "*/devices*",
127        "*/directoryRoles*",
128        "*/roleAssignments*",
129        "*/eligibleRoleAssignments*",
130        "*/roleDefinitions*",
131        "*/directoryObjects*",
132        "*/policies*",
133        "*/oauth2PermissionGrants*",
134        "*/administrativeUnits*",
135        "*/tenantDetails*",
136        "*/directorySettingTemplates*",
137        "*/me*"
138    )]
139'''
140
141
142[[rule.threat]]
143framework = "MITRE ATT&CK"
144[[rule.threat.technique]]
145id = "T1528"
146name = "Steal Application Access Token"
147reference = "https://attack.mitre.org/techniques/T1528/"
148
149
150[rule.threat.tactic]
151id = "TA0006"
152name = "Credential Access"
153reference = "https://attack.mitre.org/tactics/TA0006/"
154[[rule.threat]]
155framework = "MITRE ATT&CK"
156[[rule.threat.technique]]
157id = "T1078"
158name = "Valid Accounts"
159reference = "https://attack.mitre.org/techniques/T1078/"
160[[rule.threat.technique.subtechnique]]
161id = "T1078.004"
162name = "Cloud Accounts"
163reference = "https://attack.mitre.org/techniques/T1078/004/"
164
165
166
167[rule.threat.tactic]
168id = "TA0001"
169name = "Initial Access"
170reference = "https://attack.mitre.org/tactics/TA0001/"
171[[rule.threat]]
172framework = "MITRE ATT&CK"
173[[rule.threat.technique]]
174id = "T1069"
175name = "Permission Groups Discovery"
176reference = "https://attack.mitre.org/techniques/T1069/"
177[[rule.threat.technique.subtechnique]]
178id = "T1069.003"
179name = "Cloud Groups"
180reference = "https://attack.mitre.org/techniques/T1069/003/"
181
182
183[[rule.threat.technique]]
184id = "T1087"
185name = "Account Discovery"
186reference = "https://attack.mitre.org/techniques/T1087/"
187[[rule.threat.technique.subtechnique]]
188id = "T1087.004"
189name = "Cloud Account"
190reference = "https://attack.mitre.org/techniques/T1087/004/"
191
192
193[[rule.threat.technique]]
194id = "T1526"
195name = "Cloud Service Discovery"
196reference = "https://attack.mitre.org/techniques/T1526/"
197
198
199[rule.threat.tactic]
200id = "TA0007"
201name = "Discovery"
202reference = "https://attack.mitre.org/tactics/TA0007/"
203
204[rule.investigation_fields]
205field_names = [
206    "user.id",
207    "azure.tenant_id",
208    "azure.signinlogs.properties.user_principal_name",
209    "azure.signinlogs.properties.app_id",
210    "azure.signinlogs.properties.app_display_name",
211    "azure.signinlogs.properties.resource_id",
212    "azure.signinlogs.properties.authentication_protocol",
213    "azure.signinlogs.properties.device_detail.is_managed",
214    "azure.aadgraphactivitylogs.properties.app_id",
215    "azure.aadgraphactivitylogs.properties.api_version",
216    "url.path",
217    "user_agent.original",
218    "source.ip",
219    "source.as.organization.name",
220    "source.geo.country_name",
221]

Triage and analysis

Investigating Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration

Device-code phishing redeems an OAuth access token directly into the adversary's hands without ever touching the victim's password or MFA factor. When the redemption targets the legacy AAD Graph audience from an unmanaged device, the resulting token is overwhelmingly used to drive directory recon under the compromised identity. ROADrecon / ROADtools, AADInternals (Get-AADIntTenantDetails, Get-AADIntUsers), and manual roadtx flows all match this shape.

Possible investigation steps

  • Confirm the sign-in shape.
    • azure.signinlogs.properties.authentication_protocol is deviceCode.
    • azure.signinlogs.properties.resource_id is 00000002-0000-0000-c000-000000000000 (legacy AAD Graph audience).
    • azure.signinlogs.properties.device_detail.is_managed is false.
  • Identify the calling client used to drive the device-code grant.
    • azure.signinlogs.properties.app_id, azure.signinlogs.properties.app_display_name.
    • FOCI / pre-consented Microsoft clients (Teams, Office, Azure CLI, Azure PowerShell) are the canonical ride-along clients for device-code phishing because they bypass app consent.
  • Review source posture for the redemption and the Graph follow-on independently.
    • source.ip, source.as.organization.name, source.geo.country_name. Residential / VPS / anonymising-network egress raises priority.
    • A code redeemed from one IP and Graph driven from another is a strong adversary-in-the-middle signal: the user clicked, the attacker is now driving the session.
  • Review what was queried on the Graph side.
    • url.path on the second event. applicationRefs, eligibleRoleAssignments, and directoryObjects casts ($/Microsoft.DirectoryServices.ServicePrincipal) are the textbook ROADrecon signature; tenantDetails from an AADInternals user-agent is the AADInternals signature.
  • Check the API version on the Graph call.
    • azure.aadgraphactivitylogs.properties.api_version. 1.61-internal is a strong tooling indicator and returns data the public surface withholds (Conditional Access policies, MFA configuration on user objects).
  • Pivot to surrounding sign-ins for the same user. Other device-code redemptions to Microsoft Graph, Azure Resource Manager, or Exchange in the same window suggest the attacker is multi-homing the token harvest.
  • Confirm the activity is not attributable to authorized testing before treating as malicious.

Response and remediation

  • Revoke refresh tokens and active sessions for the compromised user.
    • POST /v1.0/users/{id}/revokeSignInSessions.
  • Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues.
    • PATCH /v1.0/users/{id} with body {"accountEnabled": false}.
  • Check for device registrations created by the user during or around the burst window and remove rogue devices.
    • GET /v1.0/users/{id}/registeredDevices and GET /v1.0/users/{id}/ownedDevices, then DELETE /v1.0/devices/{deviceObjectId}.
    • Do this BEFORE session revocation: device-bound PRTs survive revokeSignInSessions.
  • If the calling application has no legitimate AAD Graph dependency, block further use by that app.
    • PATCH /beta/applications/{id} with body {"authenticationBehaviors": {"blockAzureADGraphAccess": true}}.
    • This property lives on the Graph beta endpoint, not v1.0.
  • Apply Conditional Access targeting the device-code grant: require a managed / compliant device or block the device-code grant outside of explicitly approved app + user populations.

References

Related rules

to-top