Entra ID Unusual Cloud Device Registration

Last updated a month ago on 2026-04-10

Created a year ago on 2025-06-13

About

Detects a sequence of events in Microsoft Entra ID indicative of suspicious cloud-based device registration via automated tooling like ROADtools or similar frameworks. This behavior involves adding a device via the Device Registration Service, followed by the assignment of registered users and owners — a pattern consistent with techniques used to establish persistence or acquire a Primary Refresh Token (PRT). ROADtools and similar tooling leave distinct telemetry signatures such as the `Microsoft.OData.Client` user agent. These sequences are uncommon in typical user behavior and may reflect abuse of device trust for session hijacking or silent token replay.

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Audit LogsUse Case: Identity and Access AuditTactic: PersistenceLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

↳ Account Manipulation (T1098)(external, opens in a new tab or window)

Privilege Escalation (TA0004)(external, opens in a new tab or window)

↳ Account Manipulation (T1098)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-azure.auditlogs-*
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗sequence by azure.correlation_id with maxspan=5m
[any where data_stream.dataset == "azure.auditlogs" and
    azure.auditlogs.identity == "Device Registration Service" and
    azure.auditlogs.operation_name == "Add device" and
    (
        azure.auditlogs.properties.additional_details.value like "Microsoft.OData.Client/*" or
        azure.auditlogs.properties.additional_details.value like "Dsreg/*" or
        azure.auditlogs.properties.additional_details.value == "DeviceRegistrationClient"
    ) and
    `azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name` == "CloudAccountEnabled" and
    `azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value` == "[true]"]
[any where data_stream.dataset == "azure.auditlogs" and
    azure.auditlogs.operation_name == "Add registered users to device" and
    `azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value` like "*urn:ms-drs:enterpriseregistration.windows.net*"]
[any where data_stream.dataset == "azure.auditlogs" and
    azure.auditlogs.operation_name == "Add registered owner to device"]

Install detection rules in Elastic Security

Detect Entra ID Unusual Cloud Device Registration in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).