Entra ID Custom Domain Added or Verified

Last updated 12 days ago on 2026-03-03
Created 12 days ago on 2026-03-03

About

Detects when a custom domain is added or verified in an Entra ID tenant. Adding and verifying a custom domain are precursor steps to configuring domain federation, which can be abused by adversaries to route authentication through an attacker-controlled identity provider (Golden SAML). In most organizations, custom domains are added infrequently and these events should be investigated to ensure they are part of a legitimate administrative workflow.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Audit Logs
Use Case: Identity and Access Audit
Tactic: Discovery
Tactic: Resource Development
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Resource Development (TA0042)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure.auditlogs-*
Related Integrations

azure

Query
event.dataset: azure.auditlogs and azure.auditlogs.properties.category: DirectoryManagement and event.action: ("Add unverified domain" or "Verify domain") and event.outcome: success
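
For triage outside Kibana, the sketch below applies the same four conditions to exported audit events and groups the hits per domain, so that a domain that went from added to verified stands out. It is an added example, not Elastic's rule code; the sample events are constructed, and the field used for the domain name (DOMAIN_FIELD) is an assumption about how the integration maps the target resource.

```python
# Added example (not Elastic's code); SAMPLE_EVENTS are constructed, not tenant data.
RULE_ACTIONS = {"Add unverified domain", "Verify domain"}
# Assumption: the domain name sits in the first target resource's display name.
DOMAIN_FIELD = "azure.auditlogs.properties.target_resources.0.display_name"

def get_field(event, dotted):
    """Resolve a dotted field name in a flat or nested event document."""
    cur = event
    for part in dotted.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return event.get(dotted, cur)

def matches_rule(event):
    """True when all four conditions of the rule query hold."""
    return (
        get_field(event, "event.dataset") == "azure.auditlogs"
        and get_field(event, "azure.auditlogs.properties.category") == "DirectoryManagement"
        and get_field(event, "event.action") in RULE_ACTIONS
        and get_field(event, "event.outcome") == "success"
    )

def summarize(events):
    """Map each domain to its rule-matching actions in time order."""
    hits = sorted(filter(matches_rule, events), key=lambda e: get_field(e, "@timestamp") or "")
    domains = {}
    for ev in hits:
        name = get_field(ev, DOMAIN_FIELD) or "<unknown>"
        domains.setdefault(name, []).append(get_field(ev, "event.action"))
    return domains

def verified_domains(events):
    """Domains that reached 'Verify domain': review these first."""
    return sorted(d for d, acts in summarize(events).items() if "Verify domain" in acts)

def _ev(ts, action, outcome, domain, category="DirectoryManagement"):
    props = {"category": category, "target_resources": {"0": {"display_name": domain}}}
    return {"@timestamp": ts, "azure": {"auditlogs": {"properties": props}},
            "event": {"dataset": "azure.auditlogs", "action": action, "outcome": outcome}}

SAMPLE_EVENTS = [
    _ev("2026-03-03T10:20:00Z", "Verify domain", "success", "corp-sso.example"),
    _ev("2026-03-03T10:00:00Z", "Add unverified domain", "success", "corp-sso.example"),
    _ev("2026-03-03T10:05:00Z", "Verify domain", "failure", "corp-sso.example"),
    _ev("2026-03-03T10:30:00Z", "Add unverified domain", "success", "lab.example"),
    _ev("2026-03-03T10:40:00Z", "Update user", "success", "alice", category="UserManagement"),
]

for domain, actions in summarize(SAMPLE_EVENTS).items():
    print(domain, "->", " then ".join(actions))
```

The failed verification and the unrelated "Update user" event are dropped, as they would be by the rule's event.outcome and event.action conditions.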

Install detection rules in Elastic Security

Detect Entra ID Custom Domain Added or Verified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.