User Access Blocked by Azure Conditional Access
Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
Sigma rule (View on GitHub)
1title: User Access Blocked by Azure Conditional Access
2id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
3status: test
4description: |
5 Detect access has been blocked by Conditional Access policies.
6 The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
7references:
8 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
9author: AlertIQ
10date: 2021-10-10
11modified: 2022-12-25
12tags:
13 - attack.privilege-escalation
14 - attack.persistence
15 - attack.defense-evasion
16 - attack.credential-access
17 - attack.initial-access
18 - attack.t1110
19 - attack.t1078.004
20logsource:
21 product: azure
22 service: signinlogs
23detection:
24 selection:
25 ResultType: 53003
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
-
Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.
Read More
Related rules
- Bitbucket User Login Failure
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Potential MFA Bypass Using Legacy Client Authentication