Data Source: Entra ID Sign-in

Entra ID User Sign-in with Unusual Client

Dec 19, 2025 · Domain: Cloud Domain: Identity Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Initial Access Resources: Investigation Guide ·

Share on:

Detects rare non-interactive sign-ins where an Entra ID client application authenticates on behalf of a principal user using an application (client) ID that is not commonly associated with that user’s historical sign-in behavior. Adversaries with stolen credentials or OAuth tokens may abuse Entra ID–managed or first-party client IDs to perform on-behalf-of (OBO) authentication, blending into legitimate cloud traffic while avoiding traditional interactive sign-in flows. This technique is commonly observed in OAuth phishing, token theft, and access broker operations, and may precede lateral movement, persistence, or data access via Microsoft Graph or other cloud resources. The rule uses a New Terms approach to identify first-seen combinations of the UPN and Client ID within a defined history window, helping surface unexpected client usage that may indicate compromised identities, malicious automation, or unauthorized application impersonation.

Entra ID Concurrent Sign-in with Suspicious Properties

Dec 10, 2025 · Domain: Cloud Domain: SaaS Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies concurrent azure signin events for the same user and from multiple sources, and where one of the authentication event has some suspicious properties often associated to DeviceCode and OAuth phishing. Adversaries may steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources.

Entra ID OAuth Device Code Flow with Concurrent Sign-ins

Dec 10, 2025 · Domain: Cloud Domain: Identity Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies concurrent Entra ID sign-in events for the same user and session from multiple sources, and where one of the authentication event has some suspicious properties often associated to DeviceCode and OAuth phishing. Adversaries may steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources.

Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

Aug 5, 2025 · Domain: Cloud Domain: SaaS Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.