Users Authenticating To Other Azure AD Tenants

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.initial-access attack.t1078.004 ·

Share on:

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Sigma rule (View on GitHub)

 1title: Users Authenticating To Other Azure AD Tenants
 2id: 5f521e4b-0105-4b72-845b-2198a54487b9
 3status: test
 4description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
 5references:
 6    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 7author: MikeDuddington, '@dudders1'
 8date: 2022-06-30
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.defense-evasion
13    - attack.initial-access
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: signinlogs
18detection:
19    selection:
20        Status: 'Success'
21        HomeTenantId: 'HomeTenantID'
22    filter:
23        ResourceTenantId|contains: 'HomeTenantID'
24    condition: selection and not filter
25falsepositives:
26    - If this was approved by System Administrator.
27level: medium

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Users Authenticating To Other Azure AD Tenants

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules